The Garda Bureau of Fraud Investigation has recently detected a pattern of criminal activity that has the potential to cause serious financial losses to public and private businesses.
They have stated “Up to 14 cases have been reported to date, with potential losses of over €5m, however €100k has been stolen. A number of such bodies based around the country have received fraudulent instructions in recent weeks via email or letter which instructed them to record new account details for their various clients. There is no pattern in the fraudulent account details as they involve different financial institutions in both Ireland and the UK”.
They also claim that “As a result of the various businesses having received these fraudulent instructions, these businesses transferred money to the various bank accounts in payment of due debts. However, due to the vigilance of the various financial institutions, most of the money was either prevented from having been sent in the first instance or recovered”.
The Garda Bureau of Fraud Investigation also requests that all businesses conduct an immediate review of any instructions that they have received from customers involving a request for a change of account details. They state “As a security precaution it should be confirmed by verbal contact with the relevant financial control person in each business that purportedly sent change of account instructions as to whether they were genuine instructions or not. Where any business suspects that such attempts were made or indeed, where they have received such a request they should immediately contact their local Garda station and their bank”.
Two known examples can be seen below.
An e-mail that a business’s client received purported to come from the business, requesting that funds payable to Revenue be paid to a private a/c in the USA.
The same business had another of their clients lose a significant amount of money. Their client was dealing with a company in China. During their business dealings via email they were advised not to transfer money to the company's a/c in China. They were then told to transfer funds to their UK bank a/c. The UK account was in the name of the company in China.
In the two examples above, cybercriminals hacked legitimate e-mail accounts and sent e-mails that came from the party that each had been dealing with, complete with e-mail signatures and reply address. As the e-mail accounts used to try to redirect payments were 100% trustworthy, you would not have known right away what was happening. If you happen to be a victim of invoice redirection, you are left out of pocket with no comeback.
The Garda Bureau of Fraud Investigation is liaising closely with the Banking and Payments Federation of Ireland and has made more advice available.