Business Email Compromise: The €2M Threat Irish SMEs Aren't Ready For

The Email That Cost €180,000

A Dublin manufacturing firm received what looked like a routine request from their MD—approval for an urgent wire transfer to a “new supplier.” The finance team processed it within hours. It was fraud. The attacker had spent weeks studying the company’s communication patterns, vendor relationships, and staff structure. By the time anyone noticed, the money was gone.

This is Business Email Compromise (BEC), and it’s the fastest-growing financial crime affecting Irish SMEs right now.

Why Irish Companies Are Vulnerable

BEC works because it exploits trust, not technology. Attackers don’t need to crack passwords or deploy malware. They simply impersonate someone with authority—usually the MD, finance director, or a trusted supplier—and request payment, sensitive data, or urgent action.

What makes Irish firms particularly exposed:

Personal relationships matter. Irish business culture is relationship-driven. We’re more likely to skip verification steps for someone “we know.”
Email is still sacred. Most SMEs rely heavily on email for financial approvals, often without secondary verification.
Staff turnover creates gaps. When someone leaves, attackers use the window before systems are fully updated.
Cybersecurity budgets are tight. Many businesses still run basic email security with no advanced threat detection.

Research suggests Irish companies lose millions annually to BEC, with individual incidents ranging from €10,000 to over €500,000.

How the Attack Actually Unfolds

The playbook is consistent:

Reconnaissance. Attackers study your LinkedIn profiles, website, and email signatures to understand hierarchy and relationships.
Domain spoofing or account compromise. They either create a near-identical email domain (cqstle.ie vs castle.ie) or compromise a real account through phishing.
The request. An urgent email arrives from the “MD” asking for a wire transfer, invoice payment adjustment, or confidential employee data.
Pressure and secrecy. The message stresses urgency and discretion: “Don’t mention this to anyone—it’s confidential.”
Money moves. By the time verification happens, funds are transferred abroad or cryptocurrency is purchased.

What You Can Do Right Now

You don’t need expensive software to reduce your risk significantly:

Verify everything. If you receive an urgent payment request from leadership, call them directly on a known number. Don’t use contact details from the email.

Create a payment approval process. No single person should approve large transfers. Require two-factor sign-off for payments over a certain threshold (€5,000, €10,000—your choice).

Train your team monthly. Five-minute awareness sessions work. Show staff real examples of BEC emails. Make spotting spoofed addresses a skill, not a burden.

Use email authentication. Ask your IT provider about SPF, DKIM, and DMARC records. These stop attackers from easily spoofing your domain.

Flag unusual requests. Brief your finance team to pause on unusual payment patterns: new vendors, changed bank details, requests outside normal hours, or pressure to keep things quiet.

Report suspected fraud. If you’re hit or nearly hit, contact An Garda Síochána’s Economic Crime Bureau and notify your bank immediately. The DPC also tracks cybercrime trends affecting Irish businesses.

The Hard Truth

No single tool stops BEC completely. But combining a solid approval process, basic email security, and aware staff creates enough friction that attackers move to easier targets.

If you’re unsure whether your current email setup includes modern threat detection or want to review your payment approval workflows, it’s worth a conversation with your IT provider this month. This threat isn’t slowing down.