Businesses have been warned of an internet email scam which has seen fraudsters steal €650,000 from two commercial companies recently.
They were settling what looked like legitimate invoices from real suppliers. One company lost €200,000 and the other €453,000, gardaí said on Monday.
The criminals send emails to businesses and individuals from what looks like the real supplier. The emails ask the firm to change the bank account details on record for the supplier to a new bank account controlled by the criminals. These requests can also come by way of letter or phone call.
The business does not know it is a victim of this scam until the legitimate supplier sends a reminder invoice seeking payment, gardaí said.
All of this has been “scaled up significantly in recent times” although it was always there. Two firms we contacted were scammed for €38,000 and €35,000 in separate fraud attacks. Check out Gravityzone. The scammers broke into and compromised the email system to fake the invoices.
Currently, faking invoices is more effective and lucrative for criminals than ransomware, where criminals shut down computer systems and will only restart them once a ransom is paid. There is also no guarantee that the system will restart and operate normally.
Detective Chief Superintendent Pat Lordan of the Garda National Economic Crime Bureau said: “This can be catastrophic and result in the closure of businesses and redundancies”. He says pick up the phone and speak to somebody in the invoicing company. Also consider using technology like Spamina, advanced threat protection, and end-point protection.
Our advice here: “Assume that all incoming and outgoing emails in your company are being read by criminals and fraudsters for long, extended periods, and that those responsible for payments within your company are a special target for hackers, with their email activity and history being monitored. Many of these criminals will have access to the CRM system, like SAP”.
This is the ultimate phishing
Incoming email addresses need to be checked. Simple changes, such as swapping, adding or deleting letters in an email address, are commonly used to fool a business into thinking the invoice is coming from a genuine source.
We know for a fact that most organisations hit by this scam will not report the theft, fearing severe reputational loss that would leave suppliers and customers no longer prepared to deal with them. Requests to change bank details need to be treated sceptically. Advanced Threat protection is
Gardaí estimated at least €4.4 million had been stolen in such scams with €1.28 million recovered by gardaí.
1. Do you know the email contact? Make direct personal contact.
2. Check that the email address used is correct. Check for basic English mistakes.
3. Do a small transfer to the new account, of say €0.10, then check the sum has landed in their bank account. If not, do not proceed.
4. Double-check IBAN numbers. Cut-and-paste them.
6. Report to the gardaí, and to your ISP (internet service provider) if received electronically.
7. Block their email. Copy dubious emails and circulate them to your staff.
8. Do not forward the email, even with the word SCAM in it.
9. Brief your staff directly in person. Better than losing €20,000.
Businesses have been warned by the police to avoid email invoice phishing scams. Failing to do so could lead to catastrophic consequences.