Traders lose thousands in email invoice fraud

The Carndonagh Traders Association has issued a warning to all businesses in Inishowen to be on the alert for hackers after the association was defrauded of tens of thousands of euro.

Davin Doherty, the organisation’s secretary, said it had fallen victim to an invoice redirection fraud.

An invoice provided by a trusted supplier was intercepted by criminals who substituted bogus bank account details.

Investigations into the fraud are being carried out by An Garda Síochána and AIB.

The Carn Traders Association is going public because it believes this kind of fraud is more common than is understood.

It is less publicised than other forms of fraud carried out by text message or on social media.

Mr Doherty described how Carn Traders had sought to settle an invoice from a company it regularly does business with.

That business didn’t realise it, but its email had been hacked and fraudsters were viewing all the correspondence.

“We looked for the invoice and transferred the money as normal, not knowing the hackers had intercepted it and changed the IBAN [international bank account number],” Mr Doherty said.

It was some days before Mr Doherty realised what had happened. It was only when they sought a receipt of payment from the business owner that the fraud came to light.

“He told us he hadn’t received payment. I screenshotted the payment log and texted it to him, but he was able to point out the bank account details weren’t his.

“And sure all hell broke loose then.”

The Carn Traders Association had a long-standing relationship with the business, knew the owner personally and had regularly made electronic payments to the business.

It’s a cautionary tale that shows how criminals will intercept emails between companies that trust one another to perpetrate fraud.

“The invoice looked perfect,” Davin said.

“The company name was still the same, all the hackers did was change the IBAN.

“It’s a massive, massive blow to the Carn Traders,” he said of the fraud which runs into the ‘tens of thousands of euro’.

Mr Doherty didn’t want to give a specific figure while Garda and bank investigations are ongoing.

“We’re a non-profit group that relies on fundraising events and donations and we’re out a very large sum of money, and the bill for the Halloween event we’d organised still isn’t paid for.”

At a meeting with members of the traders association it was revealed that other companies had been affected by similar fraud.

“Some businesses said they’d been caught with the same thing last year, but were so embarrassed about it they didn’t talk about it,” Mr Doherty said.

“And it’s so common it needs to be talked about, it’s not talked about half enough.”

Thankfully, the traders’ highly successful gift voucher scheme hasn’t been affected.

However, Mr Doherty said the Carn Traders Association has brought in experts to examine its email and computer systems.

“We had IT specialists come in and sweep our emails, website and computer systems, and we’re securing things very tightly.

“Our invoices, from here on in, will be encrypted and businesses will have to telephone us to get the password.

“That’s for the safety of other businesses.

“We could be hacked and have our IBAN changed and the same thing could happen.”

Mr Doherty said the bank has confirmed the money was immediately withdrawn from the bogus account, and he said he’s looking forward to learning how the account was opened in the first place.

“Given how hard it is to open a bank account, I’m going to be interested to hear from the bank how these criminals were able to do that.

About Author

Damian Dowds

Damian studied at NUI Maynooth and worked with Intel Ireland on graduation. Followings stints as a civil servant in Leinster House, and with magazine publisher Ashville Media, he returned to Inishowen to set up the Inishowen Independent in 2007.

See author's posts