Surge in invoice fraud hits SMEs and sole traders
Fraudsters are scraping data from open source websites
Published 10/04/2016 | 02:30
Gardai are dealing with a marked increase in invoice redirection frauds perpetrated by criminals scraping data from open source websites such as the Companies Registration Office, professional registers that publicly record the details of accountants and auditors as well as material gleaned from social media platforms including LinkedIn, Twitter and Facebook.
Under the invoice redirect schemes, businesses and small suppliers - including sole traders - fall prey to requests, purporting to emanate from trusted suppliers or service providers, into believing that a beneficiary's bank account details have been changed.
As a result, funds that are due to be paid out are transferred to a fraudulent account.
In one recent case, gardai stopped the fraudulent transfer of more than €2m to a UK bank account.
The Sunday Independent has learned that a number of invoice redirect fraud complaints have been registered with the gardai after companies were duped into paying fraudulent invoices after criminals matched their auditors' details from information openly available on the website of the CRO.
After receiving invoices from their auditors notifying finance departments of new account details, companies have transferred funds to fraudulent accounts.
The CRO said it had no comment to make on the garda investigation into a series of false auditor complaints.
"However, it should be noted that information held by the CRO in relation to companies, business names, etc is information that is publicly available from the CRO on payment of a prescribed fee, said a spokesperson. The Garda Bureau of Fraud Investigation, which has also received increased reports of payment frauds, including so-called "CEO fraud" where staff receive emails to conduct highly confidential financial transactions from a 'bogus boss'.
The bureau has issued a public alert specifically warning of invoice redirect frauds and a pattern of criminal activity that has the potential to cause serious financial losses to public and private businesses.
"This type of fraud continues to be prevalent and a number of Irish organisations and businesses have been targeted in the recent past," said the bureau.
"This advice is targeted at all entities that are involved in paying invoices or requested to transfer funds to any new bank account, be it within Ireland or elsewhere.
"It is important to note that the attempt to defraud ranges from very small amounts of money to some cases where multimillions of euro are involved".
Directors of small and medium-sized companies are also bracing themselves for new reporting requirements that mean they have to disclose their earnings in their company accounts, a move that has raised concerns about personal security as CRO documents contain other "tombstone data" including name, address and date of birth.
The new provision has led to an increase in inquiries by larger SMEs to consider new filing structures, including making their companies unlimited or a subsidiary of an offshore parent to prevent disclosure of sensitive earnings data.
Sunday Indo Business