When a firm of solicitors in Letterkenny received an email last year that appeared to come from a senior partner requesting an urgent funds transfer, the office manager nearly processed it. The email looked authentic: correct name, plausible subject line, professional tone. What stopped her was a moment's pause and one small detail: the reply-to address ended in a Gmail domain, not the firm's own. That pause saved the firm from losing €18,000 to a Business Email Compromise (BEC) scam. The attack began with a phishing email, the single most common way cybercriminals break into Irish businesses.
What Phishing Is
Phishing is when an attacker sends a message — almost always by email, sometimes by SMS or voice call — designed to trick you into doing something harmful. That might mean clicking a malicious link, downloading an infected file, handing over your login credentials, or authorising a payment to an account you don't control. The message is crafted to look legitimate: it might mimic your bank, your cloud software provider, a supplier, or even a colleague or director in your own business.
According to the NCSC Ireland, phishing remains the primary initial access method in the vast majority of reported cyber incidents affecting Irish organisations.[^1] The threat has grown more sophisticated in recent years. Attackers now use AI tools to craft grammatically flawless messages, clone legitimate email templates in detail, and personalise attacks using information gathered from LinkedIn, company websites, and social media. The era of catching phishing by looking for typos is largely over.
Is your team confident they would catch a well-crafted phishing email before clicking? Book a free 20-minute strategy call — we can walk you through a phishing simulation approach that identifies real gaps without embarrassing your staff.
What to Look For
Despite the sophistication of modern attacks, phishing emails almost always exhibit at least one telltale sign. You need to know where to look.
The sender address is the first place to check. The display name in your email client can say anything, "Bank of Ireland Support" or "Mary from Accounts", but the address beneath it is harder to fake convincingly, especially where the impersonated domain enforces DMARC. Look closely, and on a phone tap the name to reveal the address, because mobile clients usually hide it. Attackers register domains that are one letter off (pragmaticsecurity.ie versus pragmaticssecurity.ie), or bury a trusted name inside a domain they own (support.microsoft.com.phishingdomain.ru, where the real owner is phishingdomain.ru: only the last part of a hostname belongs to a registered owner). A reply-to address on a different domain from the from address, particularly a free webmail address, is an immediate red flag. Some legitimate mailing systems do set a separate reply-to, so the right response is to verify through another channel rather than to reply.
The body of the email carries several signals worth examining. High-pressure language is a classic technique: "Your account will be suspended in 24 hours," "Immediate action required," or "This is time-sensitive." Legitimate services rarely demand you act without any thinking time. Similarly, requests that fall outside normal business process — a supplier emailing a bank account change, a director requesting an urgent transfer via email alone, an invoice from someone you have no relationship with — deserve scrutiny regardless of how polished the message looks.
Links in emails are another critical checkpoint. Before clicking anything, hover your mouse over the link and read the actual URL shown in the status bar of your browser or email client; on a phone, press and hold the link to see its destination without opening it. The displayed text might say "Click here to verify your account" while the actual destination is a domain you have never heard of, or the text may itself look like a legitimate web address while the link underneath points somewhere else entirely. Shortened URLs (bit.ly and similar services) hide the real destination and should be treated with suspicion unless you are expecting one from a specific trusted source.
Attachments follow a similar logic. An unexpected invoice, a shipping notification with an attached PDF, a document requiring you to "enable macros to view" — these are common delivery methods for malware. If you were not expecting an attachment, verify it by calling the sender directly using a number you already have, not one provided in the email itself.
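The sender, link and attachment checks described above can be automated for a first-pass triage of a suspicious message. The script below is an added example written for this article, not code from the original post: it parses one raw email with Python's standard library and reports a Reply-To domain that differs from the From domain, a From domain one edit away from your own, shortened links, link text that names one site while the link points to another, and attachments in formats that can carry macros. The sample message is constructed, none of its addresses are real, and OWN_DOMAINS, SHORTENERS and MACRO_EXTENSIONS are illustrative settings you would fill in for your own environment. The registrable-domain helper deliberately approximates with the last two labels; a production tool would use the Public Suffix List.

```python
# Added example for this article, not code from the original post.
import email
import email.policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

OWN_DOMAINS = {"pragmaticsecurity.ie"}  # assumption: the domains you send mail from
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly"}  # illustrative, not exhaustive
MACRO_EXTENSIONS = {".doc", ".xls", ".ppt", ".docm", ".xlsm", ".pptm", ".dotm"}  # can hold VBA

def registrable_domain(host):
    """Owner-controlled part of a hostname, approximated as its last two labels.
    A production tool should consult the Public Suffix List (co.uk and friends)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def host_of(url):
    """Hostname of a URL, or '' when there is none or it cannot be parsed."""
    try:
        return urlparse(url).hostname or ""
    except ValueError:
        return ""

def edit_distance(a, b):
    """Levenshtein distance, used to spot one-letter-off lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage(raw_message):
    """Return a list of findings (strings) for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    findings = []
    from_domain = parseaddr(str(msg.get("From") or ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(str(msg.get("Reply-To") or ""))[1].rpartition("@")[2].lower()
    if reply_domain and registrable_domain(reply_domain) != registrable_domain(from_domain):
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    for own in OWN_DOMAINS:
        if from_domain != own and edit_distance(from_domain, own) == 1:
            findings.append(f"From domain {from_domain} is one edit away from {own}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            host = host_of(href)
            if registrable_domain(host) in SHORTENERS:
                findings.append(f"Shortened URL hides the real destination: {href}")
            # Visible text that looks like a web address must match the real host.
            text_host = host_of(text if "://" in text else "//" + text)
            if "." in text_host and registrable_domain(text_host) != registrable_domain(host):
                findings.append(f"Link text shows {text_host} but points to {host}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if "." in name and "." + name.rsplit(".", 1)[1].lower() in MACRO_EXTENSIONS:
            findings.append(f"Attachment {name} can carry macros; verify by phone first")
    return findings

# Constructed sample carrying every indicator; none of these addresses are real.
SAMPLE_MESSAGE = """\
From: "Mary from Accounts" <mary@pragmaticssecurity.ie>
Reply-To: mary.accounts.urgent@gmail.com
Subject: Urgent: updated bank details for invoice 4471
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<a href="http://bit.ly/3abc">Click here to confirm</a>
<a href="https://login.pragmaticsecurity.ie.account-verify.ru/">https://login.pragmaticsecurity.ie</a>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice-4471.xlsm"

(attachment bytes omitted)
--b1--
"""
```

Running `triage(SAMPLE_MESSAGE)` produces five findings, one for each indicator planted in the sample; a plain internal message from your own domain with no links or attachments produces none. The script is a triage aid, not a verdict: a clean result means only that none of these particular signs were found, and the verification habit described later still applies to any unusual request.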
Why This Matters for Irish Businesses
An Garda Síochána's National Cyber Crime Bureau (NCCB) reports a consistent rise in phishing-related fraud affecting Irish SMEs, including firms across Donegal, Sligo, and the North West.[^2] For small businesses, the financial consequences of falling victim are compounded by the legal ones. If a phishing attack leads to a personal data breach, with customer records exposed or employee data compromised, the Data Protection Commission (DPC) expects to be notified within 72 hours of the business becoming aware of it, unless the breach is unlikely to result in a risk to the people affected, and may investigate whether appropriate security measures were in place.[^3]
Businesses in sectors that handle large volumes of payments — construction, property, professional services, hospitality — are disproportionately targeted. Attackers know that accounts teams in busy SMEs are under time pressure and less likely to pause and verify.
Phishing is not solely a technology problem. Controls such as email authentication and filtering cut down the volume that reaches an inbox, but the messages that get through are decided by a person, and training that person is the most cost-effective defence you have.
What to Do Next
Training your team is step one, but it has to be practical and regular. A once-a-year slideshow achieves very little. The NCSC Ireland recommends ongoing awareness programmes that include simulated phishing tests to give staff safe practice at spotting real attacks.
Here are three actions you can take this week:
Check your email authentication. Ask your IT provider or email administrator whether your domain has SPF, DKIM, and DMARC records published. These technical controls make it much harder for attackers to spoof your domain and send phishing emails that appear to come from you. If you are not sure what these are, our post on email authentication covers them clearly.
Establish a verification habit. Agree across your business that any request involving payments, bank detail changes, credential changes, or sensitive data that arrives by email alone will be verbally verified before acting, using a phone number you already hold rather than one supplied in the message. This single habit stops most BEC attempts, because the fraud depends on nobody making that call.
Report suspicious emails. The NCSC Ireland operates a suspicious email reporting service. Encouraging your team to forward suspected phishing to your IT contact or directly to the NCSC builds awareness and contributes to national threat intelligence.
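For the first action above, checking email authentication, the records your IT provider publishes can be graded rather than merely confirmed to exist, because a record that is present but permissive does little. The checker below is an added example written for this article, not code from the original post. It assesses SPF and DMARC TXT record strings that you would obtain from `dig +short TXT yourdomain` and `dig +short TXT _dmarc.yourdomain` (or from your DNS provider's console); the records here are constructed for a hypothetical example.com, and `spf.protection.outlook.com` is used only as an illustration of a mail-provider include. DKIM is left out because its record lives at `<selector>._domainkey.<domain>` and the selector is only known from the `s=` tag of a DKIM-Signature header on a message the domain actually sent.

```python
# Added example for this article, not code from the original post. Record
# strings are constructed; in practice paste in the output of
#   dig +short TXT example.com          (SPF)
#   dig +short TXT _dmarc.example.com   (DMARC)
import re

# SPF 'all' mechanism with optional qualifier: +all, -all, ~all, ?all or bare all.
ALL_MECHANISM = re.compile(r"^([+\-~?]?)all$", re.IGNORECASE)


def assess_spf(record):
    """Return (enforcing, reason) for one SPF TXT record string."""
    if not record.lower().startswith("v=spf1"):
        return False, "no SPF record: receivers cannot tell who may send for this domain"
    terms = record.split()[1:]
    if any(t.lower().startswith("redirect=") for t in terms):
        return True, "redirect= delegates the policy; assess the target domain instead"
    qualifiers = [m.group(1) or "+" for m in map(ALL_MECHANISM.match, terms) if m]
    if not qualifiers:
        return False, "no 'all' mechanism: unlisted senders get a neutral result"
    q = qualifiers[0]  # SPF evaluates left to right, so the first 'all' decides
    if q == "-":
        return True, "-all: mail from unlisted servers hard-fails"
    if q == "~":
        return True, "~all: mail from unlisted servers soft-fails; DMARC decides its fate"
    return False, f"{q}all: any server on the internet may send as this domain"


def assess_dmarc(record):
    """Return (enforcing, reason) for one DMARC TXT record string."""
    if not record.startswith("v=DMARC1"):
        return False, "no DMARC record: SPF and DKIM failures are never acted on"
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    policy = tags.get("p", "").strip().lower()
    pct = int(tags.get("pct", "100"))
    if policy not in ("reject", "quarantine"):
        return False, f"p={policy or 'missing'}: monitor only, spoofed mail is still delivered"
    if pct < 100:
        return False, f"p={policy} with pct={pct}: only {pct}% of failing mail is acted on"
    note = "" if "rua" in tags else "; add rua= to receive aggregate reports"
    return True, f"p={policy} at pct=100{note}"


def assess_domain(spf_record, dmarc_record):
    """True only when both records would stop an attacker spoofing the domain."""
    return assess_spf(spf_record)[0] and assess_dmarc(dmarc_record)[0]


# Constructed weak/strong pair for a hypothetical example.com.
WEAK = {"spf": "v=spf1 ip4:203.0.113.10 +all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com"}
STRONG = {"spf": "v=spf1 include:spf.protection.outlook.com -all",
          "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"}

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("strong", STRONG)):
        print(label, assess_spf(records["spf"]), assess_dmarc(records["dmarc"]))
```

The weak pair is the common state of a domain that "has SPF and DMARC": `+all` authorises every server on the internet, and `p=none` means receivers report spoofing but still deliver it. Moving to `-all` (or `~all` with DMARC enforcing) and `p=reject` is what actually makes your domain hard to spoof; `p=quarantine` is a reasonable intermediate step, and `pct` below 100 should only ever be a short-lived rollout setting.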
Phishing will not disappear, and attackers will keep improving their techniques. But a team that knows what to look for, has a clear process for verifying unusual requests, and knows who to report to is dramatically harder to compromise than one that has never discussed the subject at all.
Related Reading
- AI-Powered Phishing: Why Your Employees Can No Longer Spot the Fakes
- Building a Human Firewall: Security Awareness Training That Actually Works
- BEC Fraud in Donegal Firms Every Week
[^1]: NCSC Ireland — Advice for Organisations: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána — Cyber Crime: https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission — Breach Notification: https://www.dataprotection.ie
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.