Online fraudsters focusing on small Irish businesses

CEO scam involves email requests with bogus payment instructions from inside the firm

Gangs involved in this type of theft often gather information on a chief executive or chief financial officer using material posted on Twitter and other public media.

Small and medium-sized businesses, and second-tier law firms are among the Irish sectors being targeted by cyber criminals such as the ones who attempted to steal €4.3 million from Meath County Council, an expert in the area has said.

It has been reported that the almost successful scamming operation involved so-called "CEO fraud", a type of scam that is "sophisticated, targeted and prevalent", according to the head of PricewaterhouseCoopers's cybersecurity section, Pat Moran.

He said the pattern was that the criminal gangs focused on particular sectors, and then moved on. The fact that an attack had been launched on Meath County Council could mean that a gang is now targeting Irish local authorities. The gangs are mostly in Eastern Europe, Russia, Korea and China.

The council said it had detected the instance of identity theft before the transaction it prompted had been completed and the matter was reported to the Garda.

The funds are now understood to be frozen in a bank account in Hong Kong and steps are being taken to have them returned.

Mr Moran said the gangs involved in this type of theft often gather information on a chief executive or chief financial officer using material posted on Twitter and other public media, then pose as those people when sending fake emails containing payment instructions to the payments department of their organisations.

The emails might, for example, mention that the executive was away at a conference, which would in fact be the case because the individual had tweeted about it. The criminals often seek to mimic the writing style of the individual concerned, using publicly available material to learn how to do so.

Bogus payment instructions

Last year Banking and Payments Federation Ireland issued a warning that these types of attacks were occurring, sometimes using fake emails that closely resembled the executive’s real email, and at other times hacking into the executive’s real email account to send the bogus payment instructions.

It suggested that organisations have documented internal processes for the authorisation of all payments and that verbal contact be made where suspicions exist or any requests are received outside of the agreed procedures.

Mr Moran said that practice “phishing” exercises carried out by PwC for client companies regularly found that up to 30 per cent of staff failed the test.

“People need to be vigilant. There can’t be enough education about these threats,” he said.

Meath East Fianna Fáil TD Thomas Byrne said he would be seeking assurances that cyber security procedures within Meath County Council were at their highest possible level.

He also called on other local authorities across the State to examine their own internal cyber security procedures to ensure they do not fall victim to a similar attack.

“I will also be looking for assurances that vital public services are not at risk, either temporarily or permanently, as a result of this attempted theft,” he said.

He described the attempted theft as “a disgraceful act” and said he hoped the perpetrators are identified and brought before the courts to account for their actions.

Colm Keena

Colm Keena is an Irish Times journalist. He was previously legal-affairs correspondent and public-affairs correspondent.