Author

Donal Nugent, journalist

First the good news, relative at least. While ‘fraudulent payments are a growing concern in Europe…Irish fraud rates remain below EU averages’. That’s according to the Central Bank, which puts the rate of payment transactions impacted by fraud here at 0.001% by value and 0.01% by volume, or 1 in 100,000 and 1 in 10,000 transactions respectively. If not the worst of odds, they certainly leave no room for complacency.

Some 68% of Irish SMEs were targeted by scams in the past year, according to research by business representative group ISME and Banking & Payments Federation Ireland (BPFI). Niamh Davenport, head of financial crime at BPFI, says: ‘The majority of cases we are seeing are invoice-redirection scams, with losses of €15.7m between January 2023 and December 2024.’

Average losses per business are put at €11,500, and Davenport notes that ‘these scams are not only financially damaging but can also seriously undermine trust within a business’.

New levels of risk

Invoice redirection sees victims tricked into making payments into seemingly legitimate bank accounts that are in fact controlled by fraudsters. Ireland isn’t alone in seeing a rise in this kind of activity. Kathryn Westmore of the UK’s Centre for Finance and Security recently observed of invoice-redirection scams there that ‘their rise is probably the defining feature of the fraud landscape in the last 10 years’.

Unlike the scattergun approach of many spoof and phishing scams, a growing sophistication and audacity has come to characterise invoice-redirection fraud. Generative AI, allowing for the creation of convincing deepfake video and audio, has elevated the risk of scams such as CEO impersonation to a frightening new level.

US cybersecurity expert Steven Spadaccini says that ‘employees, especially newer ones, are less likely to question directives that seem to come from the top. This inherent trust in leadership makes CEO impersonation a particularly effective and dangerous form of fraud.’

Government focus

Returning to relatively good news, the battle against cyber fraud looks set to be injected with new urgency by Ireland’s financial and legal authorities. The Programme for Government 2025 specifically calls out action on online fraud as a priority and makes a number of commitments to tackling it. These include measures to enhance collaboration, leverage advanced technologies and strengthen legislative frameworks.

Protect your business from APP fraud

Follow these six tips to prevent damage caused by authorised push payment scams:

  1. Policies and procedures. Ensure a verification process is in place for requests to change supplier bank account details.
  2. Dual authorisation. Ensure that two people are required to complete a third-party payment electronically.
  3. Fraud awareness and training. Ensure staff are given appropriate training on email-related fraud/phishing emails.
  4. Invoice checking. Review invoices thoroughly and ensure that there are no irregularities.
  5. Updated operating systems. Ensure that your computer and mobile operating systems have the latest updates installed, and set them to update automatically.
  6. Think before you post. Avoid sharing too much personal information on social media.

Source: FraudSMART

The government says its goal is a safer financial environment in which Ireland ‘remains a trusted and competitive hub for financial services’. These commitments build on ongoing work within the Oireachtas, in particular the Joint Committee on Finance, Public Expenditure and Reform, which published a report on authorised push payment (APP) fraud in October 2024.

APP is the umbrella term for cyber frauds such as invoice redirection and CEO impersonation, and the 2024 report, which provides the basis of Programme for Government commitments, recognises both the growing level of threat and the fact that no single measure can effectively eliminate it.

It recommends setting up a co-ordinated expert group involving the departments of finance and justice, the Central Bank, An Garda Síochána and industry stakeholders. It also advises close monitoring of developments in the UK, where legislation around APP fraud and compensation for victims is in the process of being introduced.

Recognising that similar legislation is likely to be introduced here, the report stresses ‘an onus and duty of care to mitigate against and protect customers from APP fraud among many sectors including payment services, communication services and online platforms’.

The introduction of a new ‘failure to prevent fraud’ offence in the UK follows a number of conflicting court rulings there regarding the role and responsibility of banks and other financial institutions. According to Paul Convery, partner at William Fry, the legislation ‘will mean that regulated firms of a certain size could be at risk in the event that fraud is committed for their benefit or the benefit of their clients by the firm’s “associated persons” (which may include employees, subsidiaries and other third parties)’.

Similar to other ‘failure-to-prevent’ offences, he says, ‘The only defence for firms will be via demonstrating that they had in place reasonable preventative procedures.’ Compensation under the UK legislation looks set to be capped at £85,000.

Pragmatic actions

While similar legislation may be introduced here, it is likely to take years to come to fruition. In the meantime, there are other government actions that could more readily improve the situation. Susan Russell, CEO of Retail Ireland at the Bank of Ireland, says that ‘prevention really is better than cure when it comes to fraud’, and believes that Irish businesses are currently more exposed than their counterparts in other English-speaking countries, largely because of government inaction on a number of issues.

Among the practical proposals in the Programme for Government, which Russell says should be prioritised, is the development of a shared fraud database connecting financial institutions, utility companies and payment companies, something the government says will require amendments to the Data Protection Act of 2018.

A further step, also requiring legislative change, is the implementation of an SMS ‘scam filter’ that can block harmful links or content. These filters are already in use in other English-speaking countries and some EU member states. The government is also advocating at EU level for proposals to ensure that online platforms can only advertise financial products from companies regulated by their competent national authority, something that it says is currently ‘under discussion as part of the EU review of the Payments Services Regulation’.

With research suggesting APP fraud is projected to cause losses of US$7.6bn globally by 2028, high-level attention on the issue is welcome. However, the distinct lethargy noted by some in the opening months of the current government suggests that we may be waiting a while for practical steps to become legislative reality. That can only be good news for fraudsters.

More information

Read these AB articles for more insights: AI risk in internal audit and Fraud law targets big business
