SME fraud – The Smart Play Against Scams

Over €17 million lost by SMEs through email-related scams in the last two years, as FraudSMART launches new awareness campaign

FraudSMART has partnered with the Irish SME Association (ISME) to launch a new SME fraud awareness campaign, spearheaded by business owner and former Irish rugby international Tommy Bowe to urge SMEs to be on the alert and put measures in place to protect their business. As part of the campaign, FraudSMART is spotlighting the latest scams being targeted at businesses and offering practical fraud prevention tips through events, media appearances and a series of short videos being released on social media in the coming weeks.

How are SMEs targeted by fraudsters?

Most businesses would like to think that they are protected against fraud but SMEs can be particularly vulnerable compared to larger companies due to more limited resources, less investment in security infrastructure as well as lower financial buffers to withstand any losses. Fraudsters take advantage of busy work schedules and create a sense of urgency in the hope that an employee will react without thinking and won’t take the time to do necessary checks.

“According to a recent survey we conducted with ISME, more than two-thirds (68%) of SMEs have been targeted with scams within the past twelve months and 89% of these businesses report being targeted through email. However, while the vast majority of businesses have some security measures in place, such as verification processes for new bank account details (94%), almost a third (31%) of businesses do not have specific fraud awareness guidelines and training programmes for employees.”

Niamh Davenport, Head of Financial Crime, FraudSMART

Fraud Prevention Guide for Businesses

FraudSMART has a free fraud prevention guide for businesses outlining the common types of financial fraud affecting Irish SMEs and providing advice on how to avoid them. Download here.

Irish small and medium enterprises (SMEs) lost over €17 million (€17.4m) in the last two years through email-related scams, according to recent figures shared by FraudSMART members and invoice redirection and CEO impersonation scams remain the top threats to businesses with average losses of €11,500.

According to a survey FraudSMART conducted with ISME in March 2025, more than two-thirds (68%) of SMEs have been targeted with scams within the past twelve months and 89% of these businesses report being targeted through email.

The two most common types of fraud targeted at businesses are:

Invoice re-direction fraud

These often start with what appears to be a legitimate email from a supplier known to the business advising of new bank details for payment, but which has been hacked or closely copied by fraudsters. This can create a false sense of security and make it difficult for businesses to detect. They usually don’t request any payment upfront but ask for the bank account details on file to be changed for future invoice payments and provide a new IBAN and BIC code for the ‘new account’. When a legitimate invoice is issued by the supplier the business ends up paying it into the ‘new account’ controlled by the fraudster and it’s often only some time later when a payment reminder is sent by the supplier that the scam is detected.

CEO impersonation fraud

CEO impersonation fraud is where a fraudster impersonates a company’s senior executive in order to convince an employee to disclose sensitive information or make an unauthorised financial transaction.

“These findings emphasise just how exposed SMEs are to financial fraud. This is not a marginal issue – it’s a major business risk. Employees in particular are often the ones targeted by fraudsters and therefore have a key role to play at the frontline of fraud prevention. I urge all SMEs to put training in place to ensure their workforce, at every level of the business, are constantly aware of current fraud risks and how to avoid falling victim to scammers.”

Neil McDonnell, CEO of ISME

FraudSMART tips to protect your business

Policies and procedures: Ensure a verification process is in place for requests to change supplier bank account details.
Dual authorisation: Ensure that two people from the business are required to complete a third-party payment electronically.
Fraud awareness and training: Ensure staff are given appropriate training on cyber security.
Invoice checking: Review invoices thoroughly and ensure there are no irregularities.
Updated operating systems: Ensure that the latest updates for your computer and mobile operating systems are up-to-date.
Think before you post: Avoid sharing too much personal information on social media.

What to Do If You’ve Been Targeted:

If you think you have fallen victim to a scam, contact your bank immediately using the number on the back of your card, or the contact details provided on your bank website and contact An Garda Síochána. Reporting suspicious activity helps prevent further fraud and protects others from falling victim.

For more information and practical advice on how to protect yourself from different types of scams,
visit our Fraud & Scams page.

Sign up for the latest Fraud Alerts

Email alerts will be issued in real time as new financial scams emerge so that you know what to look out for and how to protect yourself. Your email address will be used only for these alerts and no other purposes, in line with GDPR.

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_LF3SPG5Y8P	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_239897473_1	1 minute	Set by Google to distinguish users.
_gat_UA-105312071-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
cookielawinfo-checkbox-advertisement	5 months 27 days	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	5 months 27 days	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Analytics" category .
cookielawinfo-checkbox-functional	5 months 27 days	The cookie is set by the GDPR Cookie Consent plugin to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	5 months 27 days	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Necessary" category .
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
viewed_cookie_policy	1 year	The cookie is set by the GDPR Cookie Consent plugin to store whether or not the user has consented to the use of cookies. It does not store any personal data.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Necessary

Always Enabled

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	5 months 27 days	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	5 months 27 days	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Analytics" category .
cookielawinfo-checkbox-functional	5 months 27 days	The cookie is set by the GDPR Cookie Consent plugin to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	5 months 27 days	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Necessary" category .
viewed_cookie_policy	1 year	The cookie is set by the GDPR Cookie Consent plugin to store whether or not the user has consented to the use of cookies. It does not store any personal data.

Functional

Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads. Third-party advertising and social media cookies are used to (1) deliver advertisements more relevant to you and your interests; (2) limit the number of times you see an advertisement; (3) help measure the effectiveness of the advertising campaign; and (4) understand people’s behaviour after they view an advertisement. They are usually placed on behalf of advertising networks with the site operator’s permission. They remember that you have visited a site and quite often they will be linked to site functionality provided by the other organization. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools or play certain videos on our site.

Cookie	Duration	Description
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Analytics

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_LF3SPG5Y8P	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_239897473_1	1 minute	Set by Google to distinguish users.
_gat_UA-105312071-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.