What Happened When a Wexford Construction Firm's Email Was Compromised for Six Weeks
A 15-person construction firm in County Wexford — supplying materials to sites from Waterford to Dublin — discovered they had been hacked when a client phoned to say a payment was overdue. The client had paid. The money had gone to a different bank account entirely. That call triggered the discovery that the firm's email had been under the silent control of cybercriminals for six weeks — and that €47,000 in client payments had been redirected. This is a composite case study based on real incidents investigated by our team, with details anonymised. It shows how quickly a single phishing email can become a business-ending financial crisis, and why the defences that would have prevented it cost a fraction of what the incident cost to survive.
How It Started: A Single Click
The entire incident began with a convincing phishing email received by an employee in the accounts department. The message appeared to come from the firm's IT support provider and warned of a critical security update for their Microsoft 365 account. The link led to a fraudulent login page — a pixel-perfect replica of the official Microsoft portal. The employee entered their credentials.
In that moment, the attackers had everything they needed. The single biggest failure was the absence of Multi-Factor Authentication, which would have stopped this attack entirely. Even with the correct password, MFA would have blocked the attackers at the second factor[^1]. Instead, they walked straight in.
Has your business enabled MFA across all email accounts? Book a free 20-minute strategy call — this is the single most impactful security control for Irish SMEs and takes less than two weeks to deploy.
Six Weeks of Silent Surveillance
Once inside the account, the attackers were patient and methodical. Their immediate priority was not chaos but invisibility. They created an inbox rule that automatically forwarded a copy of every incoming and outgoing email to an external address they controlled. This rule was hidden from the user's normal view.
For six weeks, the attackers had a real-time, comprehensive window into the firm's business. They studied client communications, invoicing patterns, project timelines, and the specific language used by employees. They were building a profile to make their eventual strike as convincing as possible.
The Theft: €47,000 Over Three Invoices
When the attackers identified a large invoice scheduled to be sent to a trusted client, they intercepted it before it was dispatched. They created a forgery — identical branding, correct project details, same total amount — with only the bank account number changed. The fraudulent invoice was sent from the compromised employee's own email address.
The client paid. Then the attackers repeated the process with two further clients, diverting an additional €22,000. The crime was discovered only when an accounts employee made a routine call about an apparently overdue payment. The client had paid weeks earlier, and forwarded the receipt as proof. The unfamiliar IBAN on the receipt made the scale of the deception immediately clear.
The immediate financial loss of €47,000 was devastating, but the consequences extended further. Long-standing client relationships were damaged. Management time was diverted to incident response for weeks. The firm faced a potential GDPR breach notification obligation to the Data Protection Commission, since the attackers had accessed six weeks of emails containing personal data. An Garda Síochána reports that Business Email Compromise fraud of this type is costing Irish businesses millions each year[^2].
The Response: What the Firm Did Right
Faced with a severe financial and reputational crisis, the firm took swift action. Their response provides a template for any Irish business.
First, they enforced a company-wide password reset and deployed Multi-Factor Authentication for every employee. This immediately locked the attackers out and closed the entry point that had caused the entire incident.
Second, they engaged a cybersecurity consultant to conduct a forensic audit of their Microsoft 365 environment. The consultant examined every account for hidden inbox rules, suspicious login patterns from unusual locations, and any unauthorised changes to permissions. This confirmed the full scope of the compromise and eliminated every attacker persistence mechanism.
Third, they implemented a payment verification protocol. All notifications of changes to bank details now require independent verification via a phone call to a previously known contact number. For invoices above a threshold value, a member of the accounts team calls the client to verbally confirm the bank details before payment is expected. This simple human control makes invoice fraud almost impossible.
Finally, they invested in ongoing security awareness training for all staff — not a one-off event but a continuous programme covering how to identify phishing red flags, the importance of MFA, and the new payment verification procedures.
The most effective defences against Business Email Compromise are not expensive or complex — they are the foundational controls that most Irish SMEs have not yet implemented.
What Next
Enable Multi-Factor Authentication on all email accounts today. This is the single most important control for preventing email compromise. The NCSC Ireland recommends MFA as a baseline security requirement for all organisations[^1]. It takes one to two weeks to deploy across a typical Irish SME.
Audit your Microsoft 365 environment for hidden inbox rules. If your email has already been compromised, attackers may have created forwarding rules that are invisible in the standard view. An IT provider or security consultant can check this in under an hour.
Implement a verbal payment verification protocol. Any change to a supplier's bank details — received by email — should be confirmed by a phone call to a number you already hold on file, not to any number provided in the email. This single process change prevents the most common form of invoice fraud used against Irish businesses.
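The inbox-rule audit recommended above can be scripted against Exchange Online. The following is an added example, not part of the original case study or the tooling used in it; it assumes the ExchangeOnlineManagement PowerShell module and an account with rights to read every mailbox, and it treats any recipient outside the tenant's accepted domains as external.

```powershell
# Added example: list external forwarding on every mailbox, hidden rules included.
# Assumes the ExchangeOnlineManagement module is installed and an admin signs in.
Connect-ExchangeOnline

# Domains the tenant owns; any other recipient domain is treated as external.
$ownDomains = (Get-AcceptedDomain).DomainName

function Get-ExternalAddress {
    param([object[]]$Recipients)
    foreach ($r in $Recipients) {
        # SMTP recipients render as '"Name" [SMTP:user@domain]'.
        if ("$r" -match 'SMTP:([^\]\s]+)') {
            $addr = $Matches[1]
            if ($ownDomains -notcontains $addr.Split('@')[-1]) { $addr }
        }
    }
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Forwarding configured on the mailbox itself rather than through a rule.
    if ($mbx.ForwardingSmtpAddress) {
        [pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress; Rule = '(mailbox forwarding)'
            Enabled = $true; Target = $mbx.ForwardingSmtpAddress
        }
    }
    # -IncludeHidden also returns rules that the mail client does not display.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -IncludeHidden) {
        $recipients = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($target in Get-ExternalAddress $recipients) {
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress; Rule = $rule.Name
                Enabled = $rule.Enabled; Target = $target
            }
        }
    }
}

# Every row is a mailbox sending mail outside the organisation.
$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Each row should be confirmed with the mailbox owner; a forwarding target nobody recognises is grounds for resetting that account's credentials and reviewing its sign-in history.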
[^1]: NCSC Ireland — Advice for Organisations
[^2]: An Garda Síochána — Cyber Crime
[^3]: Data Protection Commission Ireland
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.