Invoice redirection fraud is one of the simplest and most profitable scams aimed at small businesses, and it rarely involves anything that looks like "hacking." A criminal convinces someone in your accounts team to change the bank details on a genuine invoice. The work was done, the supplier is real, the invoice is expected — only the IBAN now belongs to the fraudster. The first sign of trouble usually comes weeks later, when the real supplier asks why they haven't been paid.
This is a form of Business Email Compromise, or BEC, and it is expensive. The FBI's Internet Crime Complaint Center recorded close to $2.8 billion in BEC losses in 2024 alone, and nearly $8.5 billion over the three years to 2024. In Ireland, the Garda National Economic Crime Bureau has repeatedly warned businesses about invoice redirect and CEO-impersonation fraud, and Irish firms have lost millions to it. Because each successful attack often moves a five- or six-figure transfer, even one incident can badly hurt a small business.
What invoice redirection fraud and BEC actually are
BEC is a broad term for scams where a criminal impersonates someone you trust — a supplier, a senior manager, or a service provider — to trigger a payment or a change to payment details. Invoice redirection fraud is the most common version. Two patterns dominate:
- Supplier impersonation. The attacker poses as a real supplier and emails to say their bank details have changed. The next invoice, or an existing unpaid one, is paid into the new account.
- CEO or executive fraud. The attacker poses as a director or finance lead and pressures a staff member into making an "urgent, confidential" transfer, often while the supposed sender is travelling and "unreachable."
Crucially, these scams target people and process, not software. There is usually no malware and no alarm. That is exactly why they slip past spam filters and antivirus — the email looks like normal business correspondence because, to the person reading it, it is.
Why Irish small businesses are targeted
Small and medium businesses are attractive because they combine real money with informal controls. A large enterprise has separated duties, a dedicated payments team, and a formal procedure for changing supplier details. A 12-person company often has one person who raises invoices, pays them, approves changes by email, and knows the suppliers well enough to "just sort it." Criminals exploit that trust and the absence of a second pair of eyes.
Irish firms are also deeply networked into international supply chains, so a foreign IBAN or a mid-deal bank change does not necessarily look suspicious. Add the amount of public company information available — director names on the Companies Registration Office, staff and roles on LinkedIn, supplier relationships visible in press releases — and an attacker can craft a convincing, well-timed message without ever breaking into your systems.
The typical playbook
Most invoice redirection attacks follow a recognisable sequence:
- Reconnaissance. The attacker works out who pays the bills, who your suppliers are, and how your business talks. Sometimes they have already broken into a supplier's mailbox and are quietly reading the real email thread.
- The approach. They send a message that fits the context — a "new bank details" notice on supplier letterhead, or a reply that drops neatly into an existing conversation about a genuine invoice.
- Authority and urgency. The request is time-sensitive ("needed before the bank closes"), confidential ("don't discuss this yet"), and plausible. The urgency is there to stop you pausing to verify.
- The change. New account details are supplied, the payment goes out, and the money is moved on through mule accounts within hours.
- The silence. Nothing seems wrong until the real supplier chases the overdue invoice — by which point getting the money back is very hard.
How to stop it: the controls that matter
The good news is that the defences are cheap, and most are process rather than technology.
Lock down your domain with DMARC. A large share of BEC relies on exact-domain spoofing — forging your real domain in the "From" address so an email genuinely appears to come from one of your own addresses. DMARC, layered on top of SPF and DKIM, is what stops this. In plain terms: SPF lists the servers allowed to send mail for your domain, DKIM adds a tamper-proof signature, and DMARC ties the two together and tells receiving mail servers what to do when a message fails. Start at p=none to monitor without affecting delivery, fix any of your own legitimate senders that are failing, then move to enforcement with p=quarantine (failing mail goes to the spam folder) or, ideally, p=reject (failing mail is refused outright), so that anything forging your domain is binned or quarantined instead of delivered. Our step-by-step walkthrough is here: how to add DMARC to your Irish business email.
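As an added example (not from the original article and not the Digital Trust Checker's own code), here is a small Python grader that applies the p=none / p=quarantine / p=reject reasoning above to a few constructed DMARC records; the domain names and records are made up, and a real tool would fetch the `_dmarc.<domain>` TXT record first.

```python
# Added example: grade DMARC TXT records offline. Domains and records are
# constructed; a real tool would fetch the _dmarc.<domain> TXT record first.
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@partial.example",
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "no-record.example": None,  # no _dmarc TXT record published at all
}

def parse_dmarc(txt):
    """Split a DMARC record into tag=value pairs; None if absent or not DMARC1."""
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags

def assess(txt):
    """Return (verdict, spoofable): spoofable is True when a receiver that
    honours DMARC would still deliver mail forging this exact domain."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ("no valid DMARC record", True)
    if "p" not in tags:
        return ("record has no p= tag; treated as p=none", True)
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))  # share of failing mail the policy applies to
    except ValueError:
        pct = 100
    if policy == "none":
        return ("monitoring only (p=none): spoofed mail is still delivered", True)
    if policy not in ("quarantine", "reject"):
        return (f"unknown policy p={policy}", True)
    if pct < 100:
        return (f"p={policy} applied to only {pct}% of failing mail", True)
    if policy == "quarantine":
        return ("enforced: failing mail is quarantined (spam folder)", False)
    return ("enforced: failing mail is rejected outright", False)

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        verdict, spoofable = assess(record)
        print(f"{domain:22} {'SPOOFABLE' if spoofable else 'protected':10} {verdict}")
```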
Know what DMARC does not do — lookalike domains. This is the part most guides skip. DMARC stops criminals from forging your exact domain. It does not stop a lookalike (or "cousin") domain such as yourcompany-ie.com, your-company.ie, or yourcompany.co, because that is a different domain the attacker owns and can authenticate perfectly well. To a busy reader the address looks right at a glance. DMARC is essential, but it is one layer, not the whole answer — which is why the human controls below matter just as much.
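Added example, not part of the original article: a lookalike check of the kind DMARC cannot perform for you, comparing a sender's domain against a constructed list of trusted supplier domains. The trusted list, the sample addresses and the edit-distance threshold of 2 are assumptions made for this demonstration.

```python
# Added example: flag sender domains that merely resemble a trusted supplier's.
# The trusted list and the distance threshold (2) are assumptions for this demo.
TRUSTED_DOMAINS = ["yourcompany.ie", "supplier.example"]
MAX_DISTANCE = 2

def levenshtein(a, b):
    """Edit distance between two strings (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address):
    """Domain part of a From header value such as 'Finance <acc@example.ie>'."""
    return address.rstrip("> ").rsplit("@", 1)[-1].lower()

def name_part(domain):
    """Text before the last dot with hyphens removed: 'your-company.ie' -> 'yourcompany'.
    Naive on two-part suffixes such as .co.uk; real code should use a public-suffix list."""
    return domain.rsplit(".", 1)[0].replace("-", "")

def classify(address, trusted=TRUSTED_DOMAINS):
    """'trusted' (exact domain), 'lookalike' (close to a trusted name) or 'unknown'."""
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted"
    candidate = name_part(domain)
    for good in trusted:
        target = name_part(good)
        if target in candidate:
            return "lookalike"  # e.g. yourcompany-ie.com, your-company.ie, yourcompany.co
        if levenshtein(candidate, target) <= MAX_DISTANCE:
            return "lookalike"  # e.g. yourcornpany.ie ("rn" standing in for "m")
    return "unknown"

if __name__ == "__main__":
    samples = ["accounts@yourcompany.ie", "accounts@yourcompany-ie.com",
               "Finance <ap@your-company.ie>", "accounts@yourcompany.co",
               "billing@yourcornpany.ie", "someone@unrelated.example"]
    for addr in samples:
        print(f"{addr:35} {classify(addr)}")
```

An "unknown" result only means the sender is not a known supplier; the call-back rule below still applies to any bank-detail change, whatever the classifier says.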
Make verification a hard rule, not a judgement call. The single most effective control is a mandatory call-back. Any change to bank details, and any unusual or urgent payment request, must be confirmed by phoning the supplier or colleague on a number you already hold — never a number, link, or "new contact" in the suspect email. Confirming the change by replying to the email is worthless: if the mailbox has been taken over, you are simply asking the fraudster to confirm their own request.
Train your people to spot the tells. Staff who handle money should be taught to slow down on three triggers: a change of bank details, unusual urgency, and a request for secrecy. They need explicit permission to pause and verify a "CEO" request without fear of looking obstructive — and they should know to check the sender's address character by character.
Add a second pair of eyes. Require two people to authorise new payees and any change above a set amount. One person should not be able to change an IBAN and release the payment on their own.
What to do if it has already happened
Speed is everything. Contact your bank immediately and ask them to attempt a recall of the funds — same-day action gives the best chance of recovery. Report it to An Garda Síochána (your local station or the Garda National Economic Crime Bureau) and keep the emails as evidence. Then tell the real supplier, so they can check whether their own mailbox has been compromised and warn their other customers.
Your next step: check whether your domain can be spoofed
Before the next invoice goes out, find out whether a criminal could forge your domain today. Run your domain through the free Digital Trust Checker. It grades your SPF, DKIM, and DMARC setup in plain English and tells you whether exact-domain spoofing is currently possible — and what to fix first. It takes under a minute, costs nothing, and closes the most common door BEC criminals use. Pair it with a firm call-back rule for bank-detail changes, and you will have shut down the great majority of invoice redirection fraud.