Why it's now time for all businesses to become savvy about avoiding email fraud
What have Trinity College, Dublin Zoo and the Louth and Meath Education and Training Board got in common? Sadly, they've all been conned out of large amounts of money by clever forms of email fraud.
Dublin's oldest university was stung for almost £700,000 in 2017 when a scammer got hold of the email account owned by an employee of the college's fundraising division. The crook transferred the money to another account. While Trinity recovered £190,000 of the money, it also spent £160,000 on investigating the cyber fraud.
That same year, Dublin Zoo was hit for almost £440,000 when fraudsters posed as one of the zoo's suppliers, claiming that their banking details had changed. When the zoo then paid subsequent invoices it received from the actual supplier, the scammers got the cash. While neither the zoo nor gardai have officially commented on the money's whereabouts, it's understood that most of the cash was retrieved.
Meanwhile, Ryanair got tricked in 2015 when over £3.9m was diverted from an account meant to pay fuel bills.
This kind of fraud is called different names, including 'invoice redirection fraud', 'invoice fraud' or 'business email compromise fraud'.
It's related closely to 'CEO fraud'.
The basics are that someone poses as a known supplier or executive inside or outside the company. They use an email address or domain to dupe a company's financial officers into transferring sums of money to bogus accounts they've set up. They often carry this off by posing as a supplier that has 'changed' its bank account details.
It's not just Irish organisations that are getting hit.
Even sophisticated tech giants get caught by fraud. Facebook and Google between them saw close to $100m drained away in 2015 using a series of forged invoices, contracts and letters that appeared to have been executed and signed by executives at the multinational firms. Last month, a Lithuanian man pleaded guilty in a US court to the fraud.
One of the fundamental problems of email, invoice and CEO fraud is that the internet makes it incredibly easy to fake an email, a web domain, a text number or even a phone number.
This ranges from so-called 'prank' services such as Spoofbox, Deadfake and Anonymailer to much more sophisticated bespoke systems. Anyone with even a cursory knowledge of programming can also get in on the act with a few simple lines of code. In about 10 minutes, it's possible to send someone an email purporting to show the email address of almost anyone - private or public - you choose.
Systems try to deal with this by using protocols such as DMARC, which gives a recipient's mail system an idea of a sender's trustworthiness. But only a minority of web domains use this, leading to problems with standardisation.
"DMARC is a good indicator of hygiene," says Brian Honan, founder of cybersecurity specialist firm BH Consulting.
"But just because you have it, it doesn't mean that people can't spoof you. It just means extra locks on your door."
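To show what that limit looks like from the receiving side, here is an added example (not part of the original article) of a Python check that reads the DMARC verdict a mail server records in the Authentication-Results header and compares the From domain against a list of real suppliers. The supplier domains, the sample messages and the function names are all constructed for illustration; the point is that a forged From address fails DMARC, while a lookalike domain registered by the fraudster passes it.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allow-list: domains of suppliers the finance team really pays.
KNOWN_SUPPLIERS = {"acme-fuels.example", "zoofeeds.example"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(raw):
    """Return warnings for one raw message, based on its From domain and
    the DMARC verdict the receiving server wrote into Authentication-Results."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    verdict = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""), re.I)
    dmarc = verdict.group(1).lower() if verdict else "missing"
    warnings = []
    if dmarc != "pass":
        warnings.append(f"dmarc={dmarc}: From domain not authenticated")
    if domain not in KNOWN_SUPPLIERS:
        near = sorted(k for k in KNOWN_SUPPLIERS if edit_distance(domain, k) <= 2)
        if near:
            warnings.append(f"{domain} is a lookalike of {near[0]} (dmarc={dmarc})")
    return warnings

def sample(from_addr, dmarc):
    """Build a constructed test message; not real mail."""
    return (f"From: Accounts <{from_addr}>\n"
            f"Authentication-Results: mx.buyer.example; dmarc={dmarc}\n"
            "Subject: Our bank details have changed\n\nPlease update your records.\n")

GENUINE = sample("accounts@acme-fuels.example", "pass")
SPOOFED = sample("accounts@acme-fuels.example", "fail")     # forged From, caught by DMARC
LOOKALIKE = sample("accounts@acrne-fuels.example", "pass")  # attacker's own domain passes

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)]:
        print(name, assess(raw))
```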
Precise figures as to the exact scale of invoice redirection fraud (and related scams like CEO fraud) in Ireland aren't publicly available. But one of the country's top investigating detectives says that it's a "rising problem" here.
"It's very difficult to know how many there are on a weekly basis," says Detective Chief Superintendent Patrick Lordan of the Republic's Financial Intelligence Unit. "Some weeks we come across one or two, some weeks it's more or less. Some are investigated locally, while the bigger ones are where the money goes out internationally. But there has been a substantial rise in prosecutions for money laundering in Ireland. We have a lot of cases under way. People are being charged."
A recent survey by polling company Behaviours and Attitudes, using Central Statistics Office data, found that 21% of Irish SMEs were targeted for invoice redirection fraud in 2018, with about a third targeted for financial fraud generally.
Of these, the survey found that one in 18 of the attempts were successful.
Overall, a total of 4,257 Irish companies found themselves hit by some sort of IT-based scam in 2018, with email phishing (72%) still the most common form of attack. 'Vishing', which is similar to phishing except using a phone, was experienced by 26% of victims, with just over a fifth seeing an invoice redirection scam get to them.
Conor Flynn, managing director of security specialist firm Isas, says: "What you're up against now is highly capable, motivated people who see the opportunity to commit a crime. These are people who are patient, whose first language is English, who have business acumen. They gradually get involved in business discussions in their victims' networks."