Businesses risk being sued if scammers hijack their tech for fraud

Detective Chief Superintendent Pat Lordan of the Garda National Economic Crime Bureau. Photo: Mark Condren

Caoimhe Gordon

Irish companies have been warned that they could face potential legal actions if their systems are compromised by scammers and then used to con suppliers or customers.

“They got into your system, they got your details,” said detective chief superintendent Pat Lordan, who is head of the Garda National Economic Crime Bureau.

“Without that detail, they would not succeed in scamming [other companies] – the weakness in security really was on your side.”

“It's not something we get involved in as a rule but I’ve seen legal terms become involved and in some cases, I have seen where [the business] is liable,” he added.

This issue could occur if a cyberattack on a company results in loss of access to systems, such as emails.

Scammers, who now have sole control of these systems, could then contact existing suppliers or customers to send invoices, request payments or update existing bank account details for upcoming transfers.

It is more likely that this type of scam would prove to be effective, with those committing the fraud using official contact details of the business that companies are familiar with and would then assume to be legitimate.

“I think you’d lose in the Civil Court,” Mr Lordan told a Banking and Payments Federation Ireland (BPFI) briefing.

“I’ve seen other cases where [an impacted business] has gone 50:50 with a transport company for €30,000 and they settled it that way.”

“I don’t think you are out of jail just because you didn’t lose any money,” he said.

“It would be maybe a different situation if it was a faked email,” BPFI head of financial crime Niamh Davenport added.

“But if it is coming from your own systems that are hacked, they are the nuances that people look at.”

She said that businesses can invest in cyber insurance to assist with any difficulties that could emerge.

The BPFI also warned Irish businesses that further challenges are emerging due to the phased exit of both Ulster Bank and KBC from the Irish market, with fraudsters taking advantage of the ongoing switching activity.

The organisation said that scammers are sending emails to a company’s customers and suppliers from fake email addresses to alert them of a change in bank details due to a necessary account switch.

“[One business] said we’ve changed everything and notified other suppliers,” Mr Lordan said. “He said every single one of their suppliers picked up the phone and rang them to make sure it was legitimate.”

The BPFI recommends that businesses with any doubt should immediately contact the company who communicated the change in bank information and to use official and existing contacts details to do so rather than respond directly to the email.

New figures from FraudSMART, the fraud awareness initiative led by the BPFI, also revealed that businesses were conned out of €8m in the past year due to both invoice fraud and CEO impersonation fraud.