The Fake Invoice That Nearly Destroyed a Real Irish Business: How AI Made It Undetectable

AI-generated invoice fraud is now near-impossible to spot by eye. Here is how a Donegal business almost lost everything, and what controls actually stop it.

The accounts manager at a Letterkenny construction firm received an invoice on a Tuesday morning in October. It came from a subcontractor the business had worked with for six years. The email address looked right. The invoice template looked right — same logo, same formatting, same font. The covering email even referenced the specific project by name and mentioned a conversation the accounts manager had actually had with the subcontractor's project lead the previous week. The only thing that had changed was the bank account number in the payment details section.

The accounts manager processed the payment. Within four hours, €67,000 was on its way to a bank account in Lithuania. The real subcontractor called the following morning asking why their monthly payment had not arrived.

What made this attack different from previous invoice fraud attempts was not the criminal's audacity. It was the technology. The email had been generated using an AI tool trained on months of previous correspondence between the two companies. The invoice had been reconstructed from a PDF the attacker had obtained either through a phishing attack on one of the two firms, or from a compromised email thread. The covering note referenced real project details scraped from planning documents available through the local county council's public planning portal. Not a single element of the communication was improvised.

WHAT: How AI Has Changed Invoice Fraud

Business email compromise — BEC — has been an established threat to Irish businesses for years. An Garda Síochána and the Garda National Cyber Crime Bureau have consistently identified it as one of the highest-value fraud categories targeting Irish companies.[^2] Traditionally, BEC relied on attackers crafting plausible but imperfect emails and hoping that volume would overcome scrutiny. Misspellings, odd phrasing, and generic greetings were the tells that a trained employee might spot.

Generative AI tools have changed that calculation. An attacker with access to even a handful of previous email exchanges can now instruct an AI model to write a new message in the same voice, at the same level of formality, referencing the same projects and people. The output is not a generic phishing email. It is a replica that mimics the relationship — the in-jokes, the abbreviations, the characteristic sign-offs — in a way that no human fraudster could manage alone at scale.

Invoice fraud using AI-generated documents is now common enough that the NCSC Ireland has specifically flagged the use of AI in social engineering attacks as an emerging threat requiring new controls, not just increased vigilance.[^1] Vigilance alone is not enough when the fake is indistinguishable from the real thing. The Letterkenny case is not unusual. Similar incidents are being reported to An Garda Síochána from businesses in Cork, Galway, Dublin, and across Donegal on a weekly basis.

WHAT NOW: The Controls That Work

The fundamental problem with AI-enhanced invoice fraud is that it defeats inspection-based defences. If you cannot tell a fake invoice from a real one by looking at it, training your staff to look more carefully does not solve the problem. What works is removing the single-person decision from the payment process entirely.

Has your accounts team had a payment request that felt slightly off — but went ahead anyway? Book a free 20-minute strategy call — we will review your payment approval process and identify the gaps before a fraudster does.

Dual authorisation for payments above a defined threshold is the single most effective control against BEC and invoice fraud. If no payment above €5,000 can be processed without a second person reviewing and approving it, you have immediately halved the fraud surface. The threshold should reflect your business — a company that regularly processes large subcontractor payments may need a higher threshold managed by two senior people; a smaller firm may set the bar at €1,000. The point is not the specific number. It is the structural requirement for a second set of eyes.

Callback verification — contacting the supplier by phone on a pre-verified number before processing any change to bank details — is the second essential control. If a payment request includes new or updated banking information, that change must be verified by calling the supplier directly on a number held in your existing records, not a number provided in the email or on the invoice itself. This one process, if consistently followed, would have prevented the Letterkenny case entirely. The accounts manager had a standing relationship with the subcontractor. A thirty-second phone call would have confirmed that no bank account change had been requested.
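The two controls above expressed as a payment-release check, as an added example that is not the Letterkenny firm's system or the article's own material: dual authorisation kicks in above a threshold, and any bank-detail change is only cleared by a callback to the number held in a supplier register kept outside the mailbox. The supplier name, IBANs, phone numbers and the EUR 5,000 threshold are constructed placeholders.

```python
"""Payment-release gate modelling the two controls above: dual authorisation
above a threshold, and callback verification of any bank-detail change against
a register held outside the mailbox. Added example, not the Letterkenny firm's
system; supplier names, IBANs and phone numbers are constructed placeholders."""
from dataclasses import dataclass, field
from typing import Optional

DUAL_AUTH_THRESHOLD_EUR = 5000  # the article's example figure; set it for your business

# Verified supplier register, stored separately from email (constructed sample).
SUPPLIERS = {"Northwest Groundworks Ltd": {"iban": "IE00EXAMPLE0000001",
                                           "verified_phone": "+353 74 000 0001"}}


@dataclass
class Invoice:
    supplier: str
    amount_eur: float
    iban: str
    approvers: set = field(default_factory=set)    # staff who signed off
    callback_confirmed_on: Optional[str] = None    # number actually dialled


def release_checks(inv):
    """Return the reasons the payment must NOT be released yet (empty = clear)."""
    blockers = []
    record = SUPPLIERS.get(inv.supplier)
    if record is None:
        blockers.append("supplier not in verified register: onboard by callback first")
    elif inv.iban != record["iban"] and inv.callback_confirmed_on != record["verified_phone"]:
        # The Letterkenny pattern: known supplier, genuine-looking invoice, new account.
        # Only a call to the number on file counts; a number from the email does not.
        blockers.append("bank details changed: confirm on %s from the register"
                        % record["verified_phone"])
    if inv.amount_eur > DUAL_AUTH_THRESHOLD_EUR and len(inv.approvers) < 2:
        blockers.append("amount above EUR %d: second approver required" % DUAL_AUTH_THRESHOLD_EUR)
    return blockers


def can_release(inv):
    return not release_checks(inv)


if __name__ == "__main__":
    # Constructed replay of the article's case: EUR 67,000, new IBAN, one approver.
    inv = Invoice("Northwest Groundworks Ltd", 67000, "LT00EXAMPLE0000099", {"accounts"})
    print(release_checks(inv))
```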

Email authentication — specifically SPF, DKIM, and DMARC records on your domain — reduces the risk of attackers sending emails that appear to come from your address, and the same records on your suppliers' domains protect their addresses in the same way. The NCSC Ireland recommends these controls for all organisations as part of basic email security hygiene.[^1] They do not stop all BEC, but they significantly narrow the attack surface.

WHY IT MATTERS: Regulation and Recovery

The Data Protection Commission's guidance makes clear that if personal data was exposed in the course of the fraud — for example, if the attacker obtained the information through a breach of employee or customer records — there may be a GDPR notification obligation.[^3] The 72-hour clock for notifying the DPC begins from the moment the organisation becomes aware that a breach has occurred, not from the moment a payment is made.

Beyond the regulatory angle, the financial recovery rate for BEC fraud in Ireland is poor. Once funds leave an Irish bank account and are transferred internationally, the ability of An Garda Síochána and the banking system to freeze and recover them diminishes rapidly with time. The Letterkenny firm recovered approximately €12,000 of the €67,000 through emergency bank action initiated within two hours of discovering the fraud. The rest was gone.

Cyber insurance policies increasingly require documented controls — dual authorisation, callback procedures, email security records — as conditions of coverage for BEC losses. A business that processes a fraudulent payment without those controls in place may find that its insurer declines the claim on the grounds that reasonable precautions were not taken. This is not a theoretical risk. Irish insurers have declined BEC claims on exactly these grounds.

WHAT NEXT: Three Actions Before Next Week

First, document your payment authorisation process. Write down, in one page, what happens when an invoice arrives, who approves it, at what value a second approval is required, and what the process is for verifying bank detail changes. If no such document exists, create it. Having a written process also matters for insurance purposes — it is evidence that a control exists.

Second, build and maintain a verified supplier contact list. For every supplier you pay regularly, record a verified phone number and email address in a document that is stored separately from your email system. When a bank detail change request arrives, the person processing it uses the number from this list — not the contact details in the email.

Third, ask your IT provider or email administrator whether DMARC is configured on your domain. A simple online DMARC lookup tool — several are freely available — will tell you in thirty seconds whether your domain is protected. If it is not, fixing it is a technical task that typically takes a few hours and costs nothing in tool fees.
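What a DMARC lookup is actually checking, as an added example that is not the article's or any lookup tool's code: a small assessor for the _dmarc TXT record, which reports whether the published policy would make receivers act on spoofed mail. Tag names follow RFC 7489; the sample records and the example.ie reporting address are constructed.

```python
"""Assess whether a DMARC record actually protects a domain. Added example,
not the article's or any vendor's code: it parses the _dmarc TXT record tags
(v, p, sp, pct, rua, as defined in RFC 7489) and lists the gaps a lookup tool
would flag. The sample records at the bottom are constructed."""


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return findings for a record (None means no record published).
    An empty list means the record enforces a policy on spoofed mail."""
    if not record:
        return ["no DMARC record: receivers have no policy to apply to spoofed mail"]
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("record does not begin with v=DMARC1; receivers ignore it")
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p= tag; the record is invalid")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append("pct=%s: policy applied to only %s%% of failing mail" % (pct, pct))
    if policy in ("quarantine", "reject") and tags.get("sp") == "none":
        findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports never arrive, so failures go unseen")
    return findings


# Constructed sample records: the weak setting beside the enforcing one.
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.ie"

if __name__ == "__main__":
    for rec in (WEAK_RECORD, STRONG_RECORD, None):
        print(repr(rec), "->", assess_dmarc(rec) or ["enforcing"])
```

To check a live domain, fetch the record with `dig +short TXT _dmarc.yourdomain.ie` and pass the quoted string to `assess_dmarc`; a `p=none` result means the domain is monitored but not yet protected.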

The controls that stop AI-enhanced invoice fraud are not expensive or complicated. They are process changes that most Irish businesses can implement in a week. Book a free 20-minute strategy call — we will help you build a payment fraud prevention process that is proportionate to your business and actually works.

The Letterkenny firm has since implemented dual authorisation for all payments over €2,500 and a formal callback procedure for any bank detail changes. Their accounts manager describes the new process as adding about two minutes to each payment cycle. Against a loss of €67,000, that is a reasonable trade.

Related Reading

[^1]: NCSC Ireland: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána: https://www.garda.ie/en/crime/cyber-crime/
[^3]: DPC: https://www.dataprotection.ie

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.