On a Tuesday morning last autumn, the accounts payable manager at a Donegal engineering firm updated a supplier's bank details based on an email that appeared to come from a long-standing contact at a concrete supplier they had used for six years. The email address was one character different from the real one — a lower-case L replaced with a capital I, indistinguishable in the font used by their email client. The next three invoices — totalling €31,000 — went to a criminal's account in Latvia. The real supplier followed up four weeks later asking when payment was expected.
This morning, new data from FraudSMART — the fraud awareness initiative run by Banking and Payments Federation Ireland — confirms that this scenario is happening across the country at scale. Irish SMEs lost almost €19 million to email-related scams over the past two years, with companies that fell victim losing an average of more than €22,000 each.[^1]
What the FraudSMART Data Shows
The headline figures are striking. €19 million in two years. Average losses of €22,000 per impacted company. But the survey data published alongside them reveals the scale of the broader exposure.
More than two thirds of SMEs — 67% — reported being targeted by a financial scam in the past twelve months. This is not a minority concern. It is a majority experience. More than three quarters received unexpected or urgent requests that raised suspicion. The urgency framing — "we need this by end of day," "this is time-sensitive," "please keep this confidential" — is a consistent feature of the most successful attacks. It is designed to suppress the instinct to verify.
Email is the primary channel, accounting for 88% of attempted scams, with phone calls at 51% and texts at 49%. The channel split matters because the most effective attacks combine channels: a convincing email followed by a phone call that adds urgency and apparent legitimacy. Niamh Davenport, Head of Financial Crime at BPFI, which runs FraudSMART, specifically noted that this multi-channel approach is increasing. An Garda Síochána's National Cyber Crime Bureau has confirmed the same pattern in its own reporting.[^2]
Two thirds of Irish SMEs were targeted by financial scams in the past year. The question is whether the controls were in place when the attempt arrived. Book a free 20-minute strategy call — fraud prevention controls are one of the most requested assessments in our SME advisory practice.
Where the Official Advice Stops Short
The practical recommendations from FraudSMART — verifying any change to supplier bank details, introducing dual approval for higher-value payments, and ensuring staff know the warning signs — are broadly correct. But the guidance leaves significant gaps that Irish SMEs need to fill themselves.
The €22,000 average almost certainly understates the true cost. The figure captures direct financial losses reported to banks and insurers. It does not capture management time consumed by the investigation, legal costs of attempting recovery, reputational damage with clients or suppliers involved in the incident, or the increased insurance premiums that follow a claim. In practice, the full cost typically runs to 1.5 to 2 times the direct financial loss.
The advice to "independently verify" requests is correct but incomplete. The specific mechanism matters enormously. Independently verifying a request by replying to the email that contained the fraudulent instruction is not independent verification — it reaches the attacker. Independent verification means calling the supplier on a pre-existing, trusted phone number from your contacts — not a number provided in the suspicious email. That specific instruction is missing from most published guidance.
Multi-channel attacks demand a multi-channel defence. A staff member who receives a convincing email followed by a phone call from someone claiming to be the managing director confirming the payment is facing a qualitatively different attack than a standalone email. The combination of channels is what converts a suspicious email into a successful fraud. Staff must be explicitly briefed that a phone call confirming an unusual request should increase, not reduce, scrutiny.[^3]
The Controls That Work
The practical action list for any Irish SME is straightforward. Write a one-page supplier bank change procedure stating that any request — by any channel — to change bank details must be verbally confirmed by calling the supplier on a number from your existing records. No exceptions. Name who is responsible for this verification and require a written record of the call.
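The Donegal case above turned on a single confusable character in the sender's address, which is exactly the kind of difference a person checking "against existing records" will miss by eye. The following Python script is an added example for this article, not tooling from the firm, FraudSMART or BPFI. It folds visually confusable characters (capital I and lower-case l, digit 0 and letter o, Cyrillic а for Latin a, and so on) before comparing a sender address with the supplier contacts on file, and also catches a domain one typo away from the real one. The supplier records and sender addresses are constructed for illustration. The verdict does not replace the call-back; it tells the person doing the call-back how alarmed to be.

```python
"""Lookalike-sender check for supplier payment and bank-change requests.

Added example for this article, not the firm's own tooling. The supplier
records and sender addresses used below are constructed for illustration.
"""
import unicodedata
from typing import Dict, Optional, Tuple

# Characters that render alike in common UI fonts, each folded to one
# representative. Cyrillic letters are listed explicitly because NFKC
# normalisation does not fold them onto their Latin twins. Folding happens
# before lower-casing so that a capital I collapses onto lower-case l.
_SINGLE = str.maketrans({
    "I": "l", "i": "l", "1": "l", "|": "l",
    "0": "o", "\u041e": "o", "\u043e": "o",       # Cyrillic О, о
    "5": "s", "3": "e", "\u0435": "e",            # Cyrillic е
    "\u0430": "a", "\u0441": "c", "\u0440": "p",  # Cyrillic а, с, р
})
# Letter pairs that read as a single letter at a glance.
_MULTI = (("rn", "m"), ("vv", "w"))

# Constructed supplier records (not real companies or addresses).
SUPPLIERS_ON_FILE = {
    "Atlantic Concrete": "john.murphy@atlanticconcrete.ie",
    "Errigal Steel": "accounts@errigalsteel.ie",
}

ACTION = {
    "match": "Known contact. Still call back on the number on file before changing bank details.",
    "lookalike": "STOP. Address imitates a supplier on file. Do not reply; call the number on file.",
    "same_domain": "Unfamiliar contact at a known supplier. Call the number on file to confirm.",
    "unknown": "Unknown sender. Treat as a new supplier and verify independently.",
}


def skeleton(addr: str) -> str:
    """Fold an address to a confusable-insensitive form for comparison."""
    s = unicodedata.normalize("NFKC", addr.strip()).translate(_SINGLE).lower()
    for src, dst in _MULTI:
        s = s.replace(src, dst)
    return s


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch a domain one typo away from the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender: str, on_file: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Compare a sender address against supplier contacts on file.

    Returns (verdict, supplier):
      "match"        identical to the address on file (case-insensitive)
      "lookalike"    same address once confusables are folded, or a domain
                     one edit away from a supplier's domain
      "same_domain"  genuine supplier domain but a contact not on file
      "unknown"      no relationship to any supplier on file
    """
    s_low = sender.strip().lower()
    s_skel = skeleton(sender)
    s_domain = s_skel.rsplit("@", 1)[-1]
    for supplier, addr in on_file.items():
        if s_low == addr.strip().lower():
            return "match", supplier
    for supplier, addr in on_file.items():
        a_skel = skeleton(addr)
        a_domain = a_skel.rsplit("@", 1)[-1]
        if s_skel == a_skel:
            return "lookalike", supplier
        if s_domain == a_domain:
            return "same_domain", supplier
        if _edit_distance(s_domain, a_domain) <= 1:
            return "lookalike", supplier
    return "unknown", None


def check_request(sender: str, on_file: Dict[str, str] = SUPPLIERS_ON_FILE) -> Tuple[str, Optional[str], str]:
    """Verdict plus the instruction to hand to whoever is processing the request."""
    verdict, supplier = classify_sender(sender, on_file)
    return verdict, supplier, ACTION[verdict]


if __name__ == "__main__":
    for sender in (
        "john.murphy@atlanticconcrete.ie",
        "john.murphy@atIanticconcrete.ie",        # capital I in place of lower-case l
        "john.murphy@\u0430tlanticconcrete.ie",   # Cyrillic а in place of Latin a
        "accounts@errigalstee.ie",                # one letter dropped from the domain
        "mary.doyle@atlanticconcrete.ie",         # real domain, contact not on file
        "payments@example.net",
    ):
        verdict, supplier, action = check_request(sender)
        print(f"{sender:42} {verdict:12} {supplier or '-':18} {action}")
```

The skeleton approach deliberately merges characters a human cannot tell apart; that makes the "lookalike" verdict reliable for the I/l swap in the opening case, at the cost of occasionally treating two genuinely distinct addresses as related, which in this context is the safe direction to err.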
Set a dual-approval threshold. Agree a payment value above which two named individuals must independently authorise the transfer. A threshold of €5,000 is a reasonable starting point for many Irish SMEs. This control blunts CEO impersonation fraud: an attacker who convinces one person cannot alone authorise the transfer, and the second approver has a chance to ask why the managing director is emailing about a payment to a new account. It only works if the second approval happens outside the email thread that carried the request and is a genuine check rather than a rubber stamp.
Brief staff explicitly on multi-channel attacks. The phone call that follows the email is not confirmation — it is the second layer of the attack. This one briefing could prevent many of the more sophisticated incidents currently reaching the Garda NCCB.
Implement DMARC at enforcement level on your domain, meaning a published policy of p=quarantine or p=reject with SPF and DKIM aligned to the domain. This stops fraudsters sending mail that claims to come from your exact domain, protecting your clients and suppliers from being targeted using your brand. It does nothing against look-alike domains such as the one in the Donegal case, and it protects recipients only where their mail provider honours the policy, so it complements the verification procedure rather than replacing it.
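Many domains publish a DMARC record and believe they are protected when the record is still in monitoring mode. The script below is an added example for this article, not code from FraudSMART, BPFI or the firm: it reads a DMARC TXT record (obtainable with `dig TXT _dmarc.yourdomain.ie`) and reports whether it would actually cause spoofed mail to be rejected or quarantined. It checks the record text only, not whether SPF and DKIM are set up and aligned, and the records it evaluates are constructed. Treating an out-of-range pct as not enforcing is this script's own conservative choice.

```python
"""Check whether a DMARC record is actually at enforcement.

Added example for this article, not code from FraudSMART, BPFI or the
firm. The records evaluated below are constructed; run it against your own
domain by pasting the TXT record published at _dmarc.<yourdomain>.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class DmarcVerdict:
    enforcing: bool            # True only if failing mail is rejected or quarantined
    policy: str                # the p= value, or "" if absent or invalid
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict (RFC 7489 tag-list syntax).

    Tag names are case-insensitive. The v= tag must come first and read
    exactly DMARC1, otherwise receivers ignore the whole record.
    """
    pairs = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        k, v = part.split("=", 1)
        pairs.append((k.strip().lower(), v.strip()))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    return dict(pairs)


def evaluate_dmarc(record: str) -> DmarcVerdict:
    """Decide whether the record would block mail that fails SPF/DKIM alignment."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return DmarcVerdict(False, "", [str(exc)])

    p = tags.get("p", "").lower()
    if p not in ("none", "quarantine", "reject"):
        return DmarcVerdict(False, p, [f"p= tag missing or invalid ({p!r}); record is unusable"])

    findings: List[str] = []
    enforcing = p != "none"
    if not enforcing:
        findings.append("p=none is monitoring only: spoofed mail is still delivered")

    # pct defaults to 100; anything lower lets the remainder through untouched.
    # An out-of-range value is treated as not enforcing (this script's choice).
    pct_raw = tags.get("pct", "100")
    if not pct_raw.isdigit() or not 0 <= int(pct_raw) <= 100:
        enforcing = False
        findings.append(f"invalid pct={pct_raw!r}")
    elif int(pct_raw) < 100:
        enforcing = False
        findings.append(f"pct={pct_raw}: only {pct_raw}% of failing mail gets the policy")

    # sp= governs subdomains and defaults to p=; an explicit sp=none leaves
    # addresses like invoices@payments.yourdomain.ie free to spoof.
    sp = tags.get("sp", p).lower()
    if sp == "none":
        enforcing = False
        findings.append("sp=none: subdomains of your domain can still be spoofed")

    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports to spot abuse")

    return DmarcVerdict(enforcing, p, findings)


if __name__ == "__main__":
    # Constructed records, from worst to best.
    for rec in (
        "v=DMARC1; p=none; rua=mailto:dmarc@example.ie",
        "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.ie",
        "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.ie",
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.ie",
    ):
        v = evaluate_dmarc(rec)
        print(f"{'ENFORCING' if v.enforcing else 'NOT ENFORCING':14} {rec}")
        for f in v.findings:
            print("    -", f)
```

A common rollout path is p=none with rua= to collect reports, then p=quarantine with a low pct, then p=reject at pct=100; only the last step is what this article means by enforcement, and the script reports every intermediate step as not enforcing for that reason.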
What Next: Three Actions
First, read today's FraudSMART data and share it with your finance team this week. The €19 million figure is a useful prompt for a conversation about whether your verification procedures are adequate. The data from BPFI is available at fraudsmart.ie and worth discussing at your next team meeting.
Second, write and brief the one-page supplier bank change procedure. One page. One rule. Brief it at the next team meeting. Post it where finance staff will see it daily. This single procedure would have prevented the Donegal engineering firm incident described above and, because the attacker cannot answer a call placed to the genuine supplier's known number, would defeat most invoice redirection attempts of the kind behind today's FraudSMART figures.
Third, set your dual-approval threshold today. A five-minute conversation between the managing director and the finance team. A written note of the decision. Done. This control requires no technology and no external support — just a decision and a written record.
[^1]: RTÉ — Email-related scams cost Irish SMEs €19m over two years
[^2]: An Garda Síochána — Cybercrime
[^3]: Data Protection Commission Ireland
Related Reading
- CEO Fraud and Urgent Payment Scams in Ireland
- Reducing Business Email Compromise Risk in Ireland
- How to Add DMARC to Your Irish Business Email
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.