Your Accountant's Email Was Hacked Three Months Ago. They Don't Know It Yet.

Silent email compromise lets attackers sit in your accountant's inbox for months. Here's how it works, what to look for, and how to detect it before a payment is redirected.

A Donegal accountancy firm discovered it had been compromised not through any alert, any security tool, or any internal review — but because a client phoned to query a payment request that did not look right. The email had come from the firm's own address, it used the correct client name, it referenced the right invoice number, and it asked for payment to a new bank account due to an internal banking change. The client paused. The firm's director, when asked, had no knowledge of the email. The investigation that followed revealed that an attacker had been sitting silently inside the firm's email system for nearly fourteen weeks. They had read client correspondence, mapped payment relationships, understood the firm's language and processes, and then struck at the exact moment a large invoice was due. The total exposure was €38,000.

That pattern — silent access, patient observation, precise timing — is the defining feature of business email compromise, and it is the most financially damaging cyber threat facing Irish professional services firms right now. This post explains how it works, why accountancy firms are specifically targeted, and what you can do to detect it before it costs you or your clients money.

WHAT

Business email compromise (BEC) is not a smash-and-grab attack. It is a long-game fraud that begins with credential theft — typically through a phishing email that tricks the target into entering their email password on a fake login page — and ends weeks or months later when the attacker has gathered enough intelligence to make a fraudulent payment request that looks completely convincing.

The average dwell time for a compromised email account — the period between initial access and detection — is measured in months, not days. During that window, the attacker is not making noise. They are reading. They are learning the names of clients and suppliers, the language the firm uses in correspondence, the timing of regular payments, and the preferences of individual partners or directors. By the time they send the fraudulent payment request, they know your client well enough to impersonate your firm in a way that internal security tools often cannot detect, because the email comes from a legitimate account, from a legitimate server, using legitimate language.

Accountancy firms are high-value targets for several reasons. They process large payments on behalf of clients. They are trusted intermediaries — their emails are opened, their instructions are followed. They hold sensitive financial information about multiple clients, making a single compromised account a window into many potential victims. Professional services firms in Ireland have historically invested less in cybersecurity than financial institutions, making them comparatively accessible targets.

When did you or your accountant last check whether your email account had any unexpected inbox rules, forwarding addresses, or login activity from unfamiliar locations? Book a free 20-minute strategy call — we can walk you through the specific indicators of email compromise and how to check for them quickly.

WHAT NOW

Detecting a silent email compromise requires knowing what to look for, because the attacker's goal is to remain invisible. There are several specific indicators that, taken together, should trigger an immediate investigation.

The first is unexpected inbox rules. Attackers who compromise an email account routinely create rules that forward copies of incoming emails to an external address, or that automatically move security alerts and password reset notifications to a folder you are unlikely to check. In Microsoft 365 and Google Workspace, you can review your active inbox rules in a few clicks. If you find a rule you did not create, treat it as a confirmed compromise until proven otherwise.

The second is login activity from unexpected locations or devices. Most email platforms log every login, including the IP address and device type. If your account shows successful logins from IP addresses in Eastern Europe, West Africa, or anywhere you have never been, an attacker has your credentials. This is viewable in the security section of your email account settings.
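As an added example (not code from the original post), the following Exchange Online PowerShell summarises sign-ins together with inbox-rule and mailbox changes per account and source IP over the last 30 days, so that the unfamiliar-location logins described above, and any rule change made from the same address, stand out. It assumes the ExchangeOnlineManagement module, an account permitted to search the audit log, and that the tenant's unified audit log is enabled.

```powershell
# Added example (not from the original post): per-user, per-IP summary of
# sign-ins and mailbox-rule changes from the Microsoft 365 unified audit log.
# Assumes the ExchangeOnlineManagement module and audit-log search rights.
Connect-ExchangeOnline

$days = 30   # look-back window; default audit retention is 180 days
# UpdateInboxRules is what Outlook desktop logs when a rule is created there;
# Set-Mailbox covers mailbox-level forwarding changes.
$ops  = 'UserLoggedIn', 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox'

# Search-UnifiedAuditLog returns at most 5000 records per call; a session id
# with ReturnLargeSet pages through the rest until an empty page comes back.
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$days) -EndDate (Get-Date) `
        -Operations $ops -ResultSize 5000 -SessionId 'bec-review' -SessionCommand ReturnLargeSet
    if ($page) { $records += $page }
} while (@($page).Count -gt 0)

# AuditData is a JSON string; pull out the fields needed for the review.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = [datetime]$d.CreationTime
        User      = $d.UserId
        Operation = $d.Operation
        ClientIP  = $d.ClientIP
        Status    = $d.ResultStatus
    }
}

# One row per (user, IP, operation) with first/last seen and a count. An IP
# seen once, at an odd hour, or first appearing alongside a New-InboxRule or
# Set-Mailbox event is the pattern to chase.
$events | Where-Object { $_.ClientIP } |
    Group-Object User, ClientIP, Operation |
    ForEach-Object {
        $g = $_.Group | Sort-Object Time
        [pscustomobject]@{
            User      = $g[0].User
            ClientIP  = $g[0].ClientIP
            Operation = $g[0].Operation
            Count     = $g.Count
            FirstSeen = $g[0].Time
            LastSeen  = $g[-1].Time
        }
    } | Sort-Object User, FirstSeen | Format-Table -AutoSize
```

Cross-check any IP you do not recognise against the firm's known office and home addresses before acting; a single successful sign-in from an unexplained address is enough to justify a credential reset.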

The third is changes to your email signature or reply-to address. Attackers sometimes modify signatures to include alternative contact details, or change the reply-to address so that replies from clients go to the attacker's address rather than yours. Check these settings directly — do not rely on what you see in your sent mail.

The NCSC Ireland advises organisations to monitor for unusual account activity and to implement technical controls that limit the ability of compromised accounts to cause harm.[^1] Multifactor authentication is the single most effective control: even if an attacker has your password, MFA prevents them from logging in without access to your phone or authentication app. If your accountant's email platform does not have MFA enabled, that should be addressed today, before anything else.

WHY IT MATTERS

The Garda National Cyber Crime Bureau has identified business email compromise as a priority threat area for Irish businesses, with reported losses running into millions of euros annually.[^2] The fraud is particularly difficult to recover from because the payments are typically authorised by the victim — they believe they are paying a legitimate supplier or responding to a legitimate instruction from their accountant. By the time the fraud is discovered, the money has moved through multiple accounts and is often unrecoverable.

For the accountancy firm, the consequences extend beyond the immediate financial loss. If client funds are redirected due to a compromise of the firm's email system, the firm may bear professional liability. The Data Protection Commission would also need to be notified: a compromised email account containing client financial information is a personal data breach under GDPR, triggering a 72-hour notification obligation to the DPC and potentially to affected clients.[^3] Accountancy practices in Donegal, Dublin, Limerick, and across Ireland that handle client financial data are subject to these obligations regardless of their size.

The reputational damage is often the longest-lasting consequence. Clients who receive fraudulent payment requests from their accountant's email address — even if they do not fall victim — lose confidence in the firm's ability to protect their information. Rebuilding that trust requires demonstrating that the firm has identified the root cause, closed the access, and implemented controls to prevent recurrence.

If an attacker has been reading your email for the past three months, would you know? Do you have the logs and the monitoring in place to find out? Book a free 20-minute strategy call — we help professional services firms in Ireland identify and respond to email compromise quickly and discreetly.

WHAT NEXT

First, enable multifactor authentication on every email account in your firm today. This is the single highest-impact action you can take against business email compromise. If your current email platform does not support MFA, change platforms. The cost of MFA is negligible compared to the exposure it eliminates.

Second, audit your inbox rules and login history now. Do not wait for a client to flag a suspicious email. In Microsoft 365, your administrator can review all inbox rules across all accounts from the Exchange admin centre. Look for rules created in the last six to twelve months that forward mail externally or redirect security notifications.
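The tenant-wide rule review this step and the inbox-rule indicator earlier in the post describe, as an added example in Exchange Online PowerShell (not code from the original post). It flags rules that forward or redirect outside the firm's own domains, delete mail, key on security or payment wording, or file mail into folders nobody reads, and also lists mailbox-level forwarding set outside inbox rules. It assumes the ExchangeOnlineManagement module and the Exchange administrator role; the keyword and folder lists are assumptions to tune for your firm.

```powershell
# Added example (not from the original post): triage every user's inbox rules
# tenant-wide. Assumes the ExchangeOnlineManagement module and the Exchange
# administrator role.
Connect-ExchangeOnline

# Mail to any domain the tenant does not own is treated as external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Test-ExternalRecipient {
    param([string[]]$Recipients)
    foreach ($r in $Recipients) {
        # Get-InboxRule renders recipients as '"Name" [SMTP:user@domain]'
        if ($r -match 'SMTP:([^\]\s]+)') { $addr = $matches[1] }
        elseif ($r -match '[^\s"<>\[\]]+@[^\s"<>\[\]]+') { $addr = $matches[0] }
        else { continue }
        if ($internalDomains -notcontains $addr.Split('@')[1].ToLower()) { return $true }
    }
    return $false
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $why = @()
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        if (Test-ExternalRecipient $targets) { $why += 'forwards or redirects externally' }
        if ($rule.DeleteMessage) { $why += 'deletes matching mail' }
        # Rules keyed on security or payment wording are how attackers hide
        # password-reset alerts and intercept invoice threads (keyword list assumed).
        $words = @($rule.SubjectContainsWords) + @($rule.BodyContainsWords) + @($rule.SubjectOrBodyContainsWords)
        if ($words -match 'password|security|alert|sign.?in|invoice|payment|bank') { $why += 'matches security/payment keywords' }
        # Folders that are rarely opened (list assumed; extend as needed)
        if ("$($rule.MoveToFolder)" -match 'RSS|Junk|Archive|Deleted|Conversation') { $why += "files mail into $($rule.MoveToFolder)" }
        if ($why.Count) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Reasons = $why -join '; '
            }
        }
    }
}

# Mailbox-level forwarding is configured outside inbox rules, so check it too.
$forwarding = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

$findings   | Format-Table -AutoSize
$forwarding | Format-Table -AutoSize
```

Get-InboxRule does not record when a rule was created; to date a suspicious rule, look up the matching New-InboxRule, Set-InboxRule or UpdateInboxRules event in the unified audit log.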

Third, establish a payment verification protocol with your clients — and ask your accountant to do the same. Any request to change bank account details should be verified by a phone call to a known number, not by replying to the email. This single step, consistently applied, prevents the vast majority of successful BEC attacks. It costs nothing and requires no technology.

Business email compromise works because it is patient, it is precise, and it is trusted. An email from your accountant's real address, written in their real voice, referencing your real invoice, is difficult to question in the moment. The defence is not suspicion — it is verification, monitoring, and the basic technical controls that make silent access far harder to sustain.

[^1]: NCSC Ireland — Advice for Organisations: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána — Cyber Crime: https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission — Ireland: https://www.dataprotection.ie

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.