Business Email Compromise in Ireland

BEC is the highest-impact cyber threat for Irish SMEs. Here's how attackers execute CEO fraud, supplier impersonation, and payroll redirect attacks — and the controls that stop them.

Business Email Compromise in Ireland: How It Works and How to Stop It

Business email compromise (BEC) is consistently the highest-loss category of cybercrime reported to An Garda Síochána. It does not involve sophisticated malware or zero-day exploits. There is no ransomware deployment, no data exfiltration script, no technical complexity that an endpoint agent could have caught.

BEC is social engineering delivered by email: an attacker impersonates someone with authority — a CEO, a supplier, a solicitor — and convinces a member of your team to transfer money, change payment details, or redirect a payroll run. By the time anyone realises what has happened, the funds are in a mule account in a jurisdiction that does not cooperate on asset recovery.

The financial impact on Irish SMEs can be catastrophic. Losses ranging from €15,000 to several hundred thousand euro from a single transaction are not uncommon. The money is rarely recovered. The reputational damage — particularly when the fraud involves a client's funds — can be equally serious.

Why Irish SMEs Are Targeted

Irish businesses tend to have close working relationships with their suppliers and customers, which means staff are accustomed to responding quickly to requests from known names. That trust is the attack surface.

Many Irish SMEs are operating on Microsoft 365 or Google Workspace without security hardening beyond the defaults. Email authentication standards like DMARC are either not configured or not enforced, which means an attacker can send email that appears to come from your domain to your suppliers, or can spoof a supplier's domain to reach your finance team.

And the payment flows are real: Irish SMEs transact with suppliers regularly, often by bank transfer, with relatively informal authorisation processes. Redirecting one of those transfers is the objective.

The Three BEC Patterns Hitting Irish Businesses

1. CEO / Executive Impersonation — Invoice Authorisation

An attacker sends an email that appears to come from the CEO or MD, reaching the finance manager or accounts payable staff and instructing them to process an urgent payment to a new account. The email conveys urgency ("I'm in a meeting all day, please process this before 4pm") and confidentiality ("don't discuss this with anyone else for now").

The email address is either a convincing lookalike domain (pragmticsecurity.ie instead of pragmaticsecurity.ie) or, in more sophisticated attacks, the actual CEO's email account if it has been previously compromised.

2. Supplier Impersonation — Payment Detail Change

Your organisation receives an email that appears to be from a supplier you pay regularly, advising that their bank account details have changed and asking you to update your records before the next payment run. The email looks legitimate: it references your usual contact there, uses the supplier's branding, and comes from an address that is close enough to the real one that nobody checks.

The next invoice you pay goes to the attacker's account. You may not discover the fraud until the real supplier chases the unpaid invoice. This pattern has been particularly prevalent in Ireland's construction, legal, and professional services sectors.

3. Payroll Redirect

An attacker impersonates a member of staff and emails the payroll administrator to request a change to their bank account details ahead of the next payroll run. The change is processed. The employee's salary goes to the attacker's account.

The fraud is often not discovered until the legitimate employee contacts HR to report that their salary has not arrived.

Technical Controls That Stop BEC

DMARC, DKIM, and SPF. These three email authentication standards, used together, prevent attackers from spoofing your domain to send fraudulent email to your suppliers and customers. DMARC also gives you visibility into who is sending email on behalf of your domain. Many Irish SMEs have SPF in place but have never implemented DKIM or set DMARC to enforcement mode (p=reject or p=quarantine). Check your current email authentication posture using the Digital Trust Checker.

Multi-factor authentication on Microsoft 365. If an attacker cannot access your CEO's actual inbox, they cannot send internal-looking email from it. MFA on every account — particularly executives and finance staff — is the single most impactful control for preventing account compromise that enables BEC.

Block auto-forwarding to external addresses. A compromised mailbox is often configured to silently forward all email to an external attacker account, allowing them to monitor business conversations and identify the right moment to intervene. M365 allows you to block this at the tenant level.

Domain lookalike monitoring. Consider monitoring for newly registered domains that closely resemble yours. Some DMARC reporting providers include lookalike alerts as part of their offering.

Human Controls That Stop What Technology Misses

Technical controls are necessary but not sufficient. An attacker with a convincing lookalike domain or access to a real inbox will get past email filtering. Human processes are what catch these.

Callback verification for payment changes. Any request to change bank account details — whether from a supplier or an internal employee — should trigger a callback to a verified number (not a number provided in the same email) before the change is actioned. This is a simple, low-cost process that would have prevented the majority of supplier impersonation cases in Ireland.

Dual authorisation for high-value transfers. Any single transfer above a defined threshold — €10,000 is reasonable for most Irish SMEs — should require sign-off from two people, at least one of whom is not the initiator.

Train finance and HR staff explicitly. BEC is specifically targeted at the people who control money and payroll. General security awareness training is valuable, but finance and HR teams need specific training on the BEC patterns they are most likely to encounter, including worked examples from Irish cases.

If You Have Already Been Hit

Contact your bank immediately and ask for a Payment Stop or Transaction Recall. If the funds have already left your account, the bank can sometimes initiate a recall through SWIFT or SEPA systems if the attacker's bank has not yet moved the funds. The success rate drops sharply after 24 hours.

Report to An Garda Síochána and request that a report is filed with the Garda National Economic Crime Bureau (GNECB). They coordinate with counterparts in other jurisdictions on BEC recovery.

If the attack involved compromise of an email account rather than just spoofing, treat your Microsoft 365 or Google Workspace environment as potentially compromised and conduct a full incident response. Check email forwarding rules, delegated access, and recently created accounts.


BEC prevention is one of the areas where a small investment in technical controls and process change delivers disproportionate returns. If you would like a review of your current email authentication posture and payment controls, contact Pragmatic Security to discuss what a focused assessment looks like.


James McGee is a CISA, CISSP, and CISM-certified security professional and founder of Pragmatic Security, an Irish vCISO advisory firm helping SMEs navigate cybersecurity and regulatory compliance.