Irish SMEs Lost €19 Million to Email Scams in Two Years. Here Is What the Numbers Don't Tell You.

New FraudSMART data published today shows Irish SMEs lost €19 million to email scams in two years, with average losses of €22,000. Here is what the numbers mean.


On a Tuesday morning last autumn, the accounts payable manager at a Donegal engineering firm updated a supplier's bank details based on an email that appeared to come from a long-standing contact at a concrete supplier they had used for six years. The email address was one character different from the real one — a lower-case L replaced with a capital I, indistinguishable in the font used by their email client. The next three invoices — totalling €31,000 — went to a criminal's account in Latvia. The real supplier followed up four weeks later asking when payment was expected.

This morning, new data from FraudSMART — the fraud awareness initiative run by Banking & Payments Federation Ireland — confirms that this scenario is happening across the country at scale. RTÉ's Fergal O'Brien reports that Irish SMEs lost almost €19 million to email-related scams over the past two years, with companies that fell victim losing an average of more than €22,000 each [^1].

The numbers are significant. Some of what the campaign says in response to them is useful. Some of it stops well short of what Irish SMEs actually need to do.


What the FraudSMART Data Shows

The headline figures are striking enough. €19 million in two years. Average losses of €22,000 per impacted company. But the survey data published alongside them is more revealing about the scale of the exposure.

More than two thirds of SMEs — 67% — reported being targeted by a financial scam in the past twelve months. That is not a minority concern. That is a majority experience.

78% of those businesses received unexpected or urgent requests that raised suspicion. The urgency framing — "we need this by end of day," "this is time-sensitive," "please keep this confidential" — is a consistent feature of the most successful attacks. It is designed to suppress the instinct to verify.

Email is the primary channel, accounting for 88.4% of attempted scams, with phone calls at 51.2% and text messages at 48.8%. The channel split matters because the advice most businesses receive focuses almost entirely on email security. Over half of attacks also involve a phone call or SMS — usually to amplify the email, add apparent legitimacy, and increase the pressure to act.

FraudSMART's Head of Financial Crime at BPFI, Niamh Davenport, specifically noted that fraudsters are increasingly combining channels — following up an email with a phone call or text — to create a greater sense of urgency and legitimacy. This is accurate. It is also important, and it changes the defensive posture required.


Where the Official Advice Is Right

The practical recommendations from FraudSMART and ISME CEO Neil McDonnell are broadly correct. Verifying any change to supplier bank account details, introducing dual approval for higher-value payments, and making sure every member of staff knows the warning signs — these three measures would prevent the majority of successful invoice redirection attacks. They are also, as McDonnell says, not complicated.

The finding that 80% of businesses that received unexpected or urgent requests report independently verifying them before acting is genuinely encouraging. A culture where verification is the default response to unusual requests is the right culture.

The identification of invoice redirection and CEO impersonation as the dominant attack types is also accurate and consistent with what An Garda Síochána's National Cyber Crime Bureau reports in its own data [^2].

Two thirds of Irish SMEs were targeted by financial scams in the past year. If you are in business in Ireland, you have almost certainly been targeted. The question is whether the controls were in place when the attempt arrived. Book a free 20-minute strategy call — fraud prevention controls are one of the most requested assessments in our SME advisory practice.


Where the Official Advice Stops Short

Here is where the FraudSMART campaign's guidance, while sensible, leaves some significant gaps.

The €22,000 average almost certainly understates the true cost. The figure captures direct financial losses reported to banks and insurers. It does not capture the cost of the management time consumed by the investigation, the legal costs of attempting recovery, the reputational damage with clients or suppliers involved in the incident, the increased insurance premiums that follow a claim, or the operational disruption during the period of uncertainty. In the cases we see in practice, the full cost of a significant invoice redirection incident typically runs to 1.5 to 2 times the direct financial loss.

The 20% who do not verify before acting are the entire problem. The campaign highlights that 80% do verify — but the 20% who do not are precisely where the losses come from. An attack that is attempted a hundred times and succeeds 20 times is a highly successful attack. The campaign's framing risks creating a reassuring impression ("most businesses verify") that obscures the fact that one in five does not.

"Independently verify" needs to be defined more precisely. The campaign's advice to independently verify requests is correct but incomplete. The specific mechanism matters enormously. Independently verifying a request by replying to the email that contained the fraudulent request is not independent verification — it reaches the attacker, not the legitimate supplier. Independent verification means calling the supplier on a pre-existing, trusted phone number from your contacts — not a number provided in the suspicious email, not a WhatsApp message, not an email reply. A voice call to a known number. That specific instruction is missing from the general advice.

Multi-channel attacks demand a multi-channel defence. The campaign correctly identifies that fraudsters are combining email with phone calls and texts. But the recommended controls — fraud awareness training, dual approval, verify bank changes — are designed primarily for the email vector. A staff member who receives a convincing email, followed by a phone call from someone who sounds like the managing director confirming the payment, is facing a qualitatively different attack than a standalone email. The combination of channels is what converts a suspicious email into a successful fraud. The defence needs to address the combination: any phone call or text that follows an unusual financial email request should increase, not reduce, scrutiny.

The 53% without training figure is the most actionable finding in the entire report — and it deserves more weight. More than half of businesses report not having fraud awareness guidelines and training in place for employees, leaving their business exposed, according to Davenport. This is the gap that the €19 million flows through. Not sophisticated technical vulnerabilities. Not state-sponsored attackers. The absence of a one-page briefing and a basic procedure that 53% of Irish SMEs have not implemented.

The controls that prevent email fraud are not technically complex, and most of them are free. A written verification procedure, a dual-approval threshold, and an annual briefing to staff would materially reduce exposure for the majority of Irish SMEs that currently have none of these in place. Book a free 20-minute strategy call — we help Donegal and North-West businesses put exactly these controls in place.


The Specific Controls That Work

Given today's data, the practical action list for any Irish SME is straightforward.

Write a one-page supplier bank change procedure. Any request — by email, phone, letter, or any other channel — to change the bank account details of a supplier must be verbally confirmed by calling that supplier on a number from your existing records. No exceptions. The procedure should name who is responsible for this verification and require a written record of the call.

Set a dual-approval threshold. Agree a payment value above which two named individuals must independently authorise the transfer. The threshold should be set low enough to cover the majority of your supplier invoices — €5,000 is a reasonable starting point for many Irish SMEs. This single control stops CEO impersonation fraud in its tracks: an attacker who convinces one person cannot alone authorise the transfer.

Brief staff on multi-channel attacks specifically. The phone call that follows the email is not confirmation. It is the second layer of the attack. Staff should be explicitly briefed that a phone call confirming an unusual request is a warning sign, not reassurance.

Implement DMARC at enforcement level. This prevents fraudsters from sending emails that appear to come from your own domain — protecting your clients and suppliers from being targeted using your brand.
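
Whether a domain is at enforcement can be checked mechanically from its published DMARC TXT record. The following is an added example, not part of the original article or of FraudSMART's guidance: it parses the record's tags using RFC 7489 syntax and assumes that "enforcement" means p=quarantine or p=reject applied to all mail and to subdomains. The domains and records are constructed samples.

```python
# Added example: classify a published DMARC TXT record (RFC 7489 tag syntax).
# Assumption: "enforcement" = p=quarantine/reject, pct=100, subdomains covered.
VALID = ("none", "quarantine", "reject")

def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' pairs; raise if this is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    # v=DMARC1 must be the first tag, otherwise receivers discard the record.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def enforcement_level(txt: str) -> str:
    try:
        tags = parse_dmarc(txt)
    except ValueError:
        return "missing"
    policy = tags.get("p", "").lower()
    sp = tags.get("sp", policy).lower()   # subdomain policy defaults to p
    pct = tags.get("pct", "100")          # pct defaults to 100
    if policy not in VALID or sp not in VALID or not pct.isdecimal() or int(pct) > 100:
        return "invalid"
    if policy == "none":
        return "monitor-only"             # no action requested on failing mail
    if int(pct) < 100 or sp == "none":
        return "partial"                  # some mail or subdomains left uncovered
    return "enforced"

# Constructed sample records, as they would appear at _dmarc.<domain>.
SAMPLES = {
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example",
    "rollout.example": "v=DMARC1; p=quarantine; pct=25",
    "subgap.example": "v=DMARC1; p=reject; sp=none",
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "spf-only.example": "v=spf1 include:_spf.example -all",
}

def audit(records: dict) -> dict:
    return {domain: enforcement_level(txt) for domain, txt in records.items()}

if __name__ == "__main__":
    for domain, level in audit(SAMPLES).items():
        print(f"{domain:22} {level}")
```

Anything other than "enforced" means mail spoofing the exact domain, or one of its subdomains, can still be delivered by receivers that honour DMARC.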


What Next

The FraudSMART report published today is a useful snapshot of the scale of the problem. The full article on RTÉ and FraudSMART's free business fraud guide are worth reading — particularly the ISME partnership materials aimed at SME owners [^1].

  1. Read today's RTÉ article and share it with your finance team. The €19 million figure is a useful prompt for a conversation about whether your verification procedures are adequate.

  2. Write and brief the one-page supplier bank change procedure this week. One page. One rule. Brief it at the next team meeting. Post it where finance staff will see it daily.

  3. Set your dual-approval threshold today. A five-minute conversation between the managing director and the finance team. A written note of the decision. Done.


Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.

Related Reading

[^1]: RTÉ — Email-related scams cost Irish SMEs €19m over two years (FraudSMART / BPFI, 27 March 2026)
[^2]: An Garda Síochána — National Cyber Crime Bureau
[^3]: FraudSMART — Business Fraud Guidance
[^4]: Data Protection Commission Ireland

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.
