Protecting Payment Systems and Online Banking From Malware and Social Engineering.

Payment systems and business banking accounts are the most targeted assets in Irish SME cybercrime. Here is how to protect them from malware, social engineering

On a Thursday afternoon at a Donegal construction company, the finance director logged into their business banking portal to authorise a payroll transfer. They did not know that a keylogger had been installed on their computer three weeks earlier through a phishing email. The keylogger captured their banking credentials as they typed. Within two hours of the authorisation, the criminals had used those credentials from a different device in a different country to initiate a €38,000 transfer to a fraudulent account.

The bank's security system flagged the transfer as suspicious. It was processed anyway because the criminals also had the one-time passcode from the finance director's phone — intercepted through a simultaneous SIM-swap attack on the finance director's mobile number.

This attack combined malware, credential theft, and telecommunications fraud. Each element addressed one of the security layers protecting the account.


Why Business Banking Is the Priority Target

Business banking accounts are the most directly monetisable target in any cybercrime operation. Unlike data, which requires a secondary criminal process to convert to cash, business banking credentials provide direct access to funds. This makes them the specific target of the most technically sophisticated attacks facing Irish SMEs.

The consequences of a successful banking attack are immediate, often irreversible (wire transfers are extremely difficult to recover once executed), and potentially catastrophic for a business's cash flow.


The Four Primary Attack Vectors Against Business Banking

Credential theft through phishing or malware. A keylogger or infostealer malware captures banking credentials as they are typed. Banking-specific phishing pages — convincing replicas of Irish bank login portals — capture credentials when the victim types them into a fake site reached through a phishing link. The captured credentials are then used from a different device.

Session hijacking. As described in the Microsoft 365 context elsewhere in this series, session cookies can be captured and replayed. Banking sessions with inadequate timeout policies are vulnerable to this approach if the session cookie is captured during an active session.

SIM-swapping. An attacker contacts the victim's mobile provider, impersonates them, and requests a SIM transfer that routes the phone number to a new SIM controlled by the attacker. OTP codes sent by SMS to that number are then received by the attacker. Irish mobile operators have improved their SIM-swap verification processes in response to fraud reports, but the attack remains viable against businesses that use SMS-based OTP for banking [^1].

Social engineering of bank staff. An attacker who already has some banking information calls the bank's business support line, impersonates the account holder, and requests changes — new payees, increased transfer limits, temporary security bypass. Irish banks have tightened verification procedures, but bank staff remain a potential vector, particularly branch staff in smaller locations.

Are your business banking credentials stored in a password manager, or are they remembered — and possibly reused — by the staff who use them? This question identifies one of the most common banking security gaps in Irish SMEs. Book a free 20-minute strategy call — banking security controls are a specific focus of our payment security assessments.


The Controls That Protect Business Banking

Dedicated device for banking. Where operationally feasible, use a specific device exclusively for business banking and payment authorisation. This device is used for nothing else — no email, no web browsing, no document access. The absence of general-purpose use dramatically reduces the probability of malware infection on that specific device. This is the highest-impact single control for businesses handling significant payment volumes.

Hardware token MFA for banking. Replace SMS-based OTP with hardware token MFA for business banking where your bank supports it. Hardware tokens are not vulnerable to SIM-swapping. Most major Irish banks — AIB, Bank of Ireland, Ulster Bank successors — support hardware tokens for business accounts. Contact your business banking manager to discuss the options.

Dual authorisation for all significant transfers. A requirement that all transfers above a defined threshold require authorisation from two separate individuals, on two separate devices, through two separate authentication events. This is both a fraud prevention measure and a banking security control — an attacker who compromises one individual's credentials cannot alone authorise a transfer that requires a second authorisation.

IP address restrictions where available. Some business banking platforms allow you to restrict account access to specific IP address ranges. Configuring this to include only your office IP address and named home worker IP addresses means that access from an unexpected location — which an attacker's device would present — is blocked automatically.

Malware protection on banking devices. Managed endpoint protection, kept current, on every device used for banking. This does not guarantee that malware cannot be present — it significantly reduces the probability and the dwell time if it is.
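
The dual authorisation and IP address restriction controls above can be expressed as a single release check. The following Python sketch is an added example, not code from any bank's platform or from the original article; the threshold, network ranges, field names and sample approvals are all constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal
from ipaddress import ip_address, ip_network

# Assumed policy values for illustration (documentation address ranges).
DUAL_AUTH_THRESHOLD = Decimal("5000.00")
ALLOWED_NETWORKS = [ip_network("203.0.113.0/28"),    # office range
                    ip_network("198.51.100.24/32")]  # named home worker

@dataclass(frozen=True)
class Approval:
    user: str        # individual who approved
    device_id: str   # device the approval came from
    auth_event: str  # identifier of the MFA event behind the approval
    source_ip: str

def ip_allowed(addr: str) -> bool:
    try:
        ip = ip_address(addr)
    except ValueError:
        return False  # an unparseable source address fails closed
    return any(ip in net for net in ALLOWED_NETWORKS)

def evaluate_transfer(amount: Decimal, approvals: list[Approval]) -> list[str]:
    """Return policy violations; an empty list means the transfer may be released."""
    if not approvals:
        return ["no approval recorded"]
    problems = [f"{a.user}: source {a.source_ip} outside allowed ranges"
                for a in approvals if not ip_allowed(a.source_ip)]
    if amount > DUAL_AUTH_THRESHOLD:
        # Every property must differ across approvals: one stolen credential
        # replayed twice, or two users on one infected device, does not count.
        checks = (("individuals", {a.user for a in approvals}),
                  ("devices", {a.device_id for a in approvals}),
                  ("authentication events", {a.auth_event for a in approvals}))
        problems += [f"needs two separate {label}"
                     for label, values in checks if len(values) < 2]
    return problems

if __name__ == "__main__":
    # Constructed sample: one set of stolen credentials used from an unlisted address.
    stolen = [Approval("finance.director", "dev-X", "otp-991", "192.0.2.77")]
    for line in evaluate_transfer(Decimal("38000.00"), stolen):
        print("BLOCK:", line)
```

A transfer is released only when the returned list is empty, so a failed lookup or a missing second approver blocks the payment rather than letting it through.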


Why This Matters Right Now

An Garda Síochána's National Cyber Crime Bureau reports that banking fraud — including both credential theft and social engineering attacks on business accounts — is the highest-value cybercrime category targeting Irish businesses, with average losses per successful attack consistently in the tens of thousands of euros [^1]. The NCSC Ireland has issued specific guidance noting an increase in targeted banking fraud against Irish SMEs in professional services, construction, and retail sectors.

Business banking fraud is almost always preventable. The attacks that succeed do so because specific, available controls were not in place. The controls above are not sophisticated. They are deliberate, consistent, and effective.


What Next

  1. Contact your business bank this week to discuss hardware token MFA. Ask specifically whether your account tier supports hardware token authentication and what the process is to enable it.

  2. Implement dual authorisation for transfers above your threshold. This is a banking platform configuration change, not an IT change. Most Irish business banking platforms support it. If yours does not, that is a factor in your banking provider review.

  3. Assess whether a dedicated banking device is appropriate for your business. For businesses processing significant payment volumes, this is a high-return investment — a modest device used exclusively for banking eliminates the entire malware-based credential theft vector.


Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.

Related Reading

[^1]: An Garda Síochána — National Cyber Crime Bureau
[^2]: NCSC Ireland — Banking Security Guidance
[^3]: Data Protection Commission Ireland

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.
