Studying this technical article and answering the related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We'd suggest that you use this as a guide when allocating yourself CPD units.

This article was first published in the April 2019 Ireland edition of Accounting and Business magazine.

Online fraud is as old as the internet itself and most of us like to think we’ve grown wise to its most basic forms. In the business world, that assurance is further cushioned by a belief that systems are in place to shut down any risk should a momentary lapse of judgment put staff in direct contact with criminals. It’s a comforting idea, but it’s far from the reality.  

Statistics from the UK give a sense of how prevalent and virulent financial fraud through online means can be. Financial services trade association UK Finance says that in the first half of 2018 there were 34,128 cases of ‘authorised push payment’ scams (where victims are duped into making financial payments to criminals). Most victims were individuals (31,510 cases), but the non-personal cases resulted in significantly higher losses proportionately.

Research published during National Fraud Awareness week in Ireland last November shows good reason for concern here too. Over a third of Irish SMEs said they were the target of fraudsters during the previous year, and more than two-thirds admitted they had no fraud awareness guidelines or training in place to deal with the problem.

While scams directed at business come in a variety of guises, invoice redirection has become a big worry. It involves criminals posing as a genuine supplier and advising its customers to change the bank account details they hold for it. At least one in five Irish SMEs have experienced an attempted fraud of this type and as many as one in every 18 attempts have succeeded.

Last September, Gardaí raided addresses across Ireland linked with an international crime cartel engaged in invoice redirect fraud. While the scope was global, Irish organisations were very much in the crosshairs. Dublin Zoo and Louth Meath Education and Training Board were just two lucrative targets, losing hundreds of thousands of euros each through the deception. Meanwhile, a 24-year-old man is currently awaiting sentencing for his part in an invoice redirect scam that cost Maynooth University over €350,000.

The scale of the issue has prompted the Gardaí to issue a direct warning to business: ‘The consequences of falling for a scam of this nature can be catastrophic and can result in the closure of businesses and redundancies.’

Patrick Lordan of the Garda National Economic Crime Bureau adds: ‘Irish companies big and small are being targeted on a daily basis by individuals purporting to be from their suppliers.’

Professional concerns

With global research by security consultancy Kroll showing that 89% of professional services firms worldwide have reported fraud incidents, scams of this kind should be a major concern for the accountancy profession. The financial impact is onerous, but the resulting reputational damage can shred a firm’s most important asset overnight.

For all that, complacency continues to reign across the Irish business world. A joint study by Microsoft and Amarach Research published in early 2019 highlights poor security habits among employees as one of the biggest risks to firms. ‘Organisations can invest in robust data protection and security measures, but their employees could, accidentally, bring about a potential security disaster for their organisation,’ says Des Ryan, solutions director at Microsoft Ireland.

Also spreading the message about the need for vigilance is the Banking & Payments Federation Ireland, which has set up a focused fraud awareness initiative called FraudSmart. Niamh Davenport, fraud awareness and payments manager at the organisation, says: ‘Every business needs to ensure they have robust policies in place to deal with requests around changing bank accounts.’

While businesses can and should invest in IT solutions to ensure that scammers don’t manage to siphon off payments to their supply chain, the foolproof method of dealing with the invoice redirect scam is one that requires no particular tech investment. Davenport advises that the standard procedure should be ‘to simply verbally confirm with a known contact in the supplier’s office whether the instructions are genuine or not’.

Lordan agrees: ‘The best thing to do is pick up the phone and talk to someone you know in the company.’

Donal Nugent, journalist