What to do if your business receives a suspicious payment or invoice email.
Calm checklist for the first hour, then the first 24 hours. Written for the person who actually clicks "Pay" on supplier invoices — not the security consultant. Verify on a known number, don't reply to the email, phone the bank's fraud team, file the report. In that order.
Don't reply to the email. Verify the request by phoning the person on a number you already have on file — not the one in the email. If money has moved, phone your bank's fraud team within 24 hours and get a written reference number. File a report with the Gardaí. Notify your cyber-insurer even if the loss is zero — most policies require it. Preserve the original email; don't delete it.
What to do right now.
If you're reading this with a suspicious email open in another tab, start here. Four steps, in order. The goal is to stop the bleeding without contaminating the evidence.
1. Do not reply to the email. Do not forward it onward.
   Replying confirms your address is live and being read. Forwarding it casually inside the business spreads the social-engineering surface — someone else may click before you finish the next step.
2. Verify on a known channel — not the one in the email.
   Phone the supplier, director or customer on a number you already have on file (not the signature block). Same for bank details. If the request was "urgent", that urgency is the attacker's lever — slow down.
3. Preserve the original email. Don't delete it.
   If your team has already deleted it, recover from Deleted Items. Your bank, the Gardaí and your insurer will all want the raw message (headers included) to investigate properly.
4. Stop the payment if money has moved.
   Contact your bank's fraud team by phone immediately — not by secure-message in the app. Irish business-banking fraud lines are 24/7. The first 24 hours matter most for recall.
Who to phone, in what order.
Each of these has a clock against it. Your insurer's notification window in particular is short — typically 48 to 72 hours — and missing it can void cover on the next incident as well.
1. Phone your bank's fraud team within 24 hours.
   If a payment has gone out, ask the bank to attempt recall and to flag the receiving account. Get a written reference number on the call. Most Irish business banks publish a dedicated fraud number on the back of the card or in their online business portal.
2. Report to An Garda Síochána.
   Phone your local Garda station and file a formal report. Take note of the reference (Pulse ID). Your insurer will ask for it. Serious cases are routed to the Garda National Cyber Crime Bureau (GNCCB).
3. Notify the NCSC.
   Ireland's National Cyber Security Centre accepts incident reports at ncsc.gov.ie. They don't recover funds — but they aggregate patterns and can advise on next steps. For BEC specifically, also consider notifying Microsoft (if the impersonating mailbox was hosted on M365) and the relevant hosting provider's abuse address.
4. Tell your insurer — even if no money was lost.
   Cyber-insurance policies almost always require notification of an "incident" inside a specific window (commonly 48–72 hours), even if the loss is zero. Skipping this notification can void cover on the next incident. Phone, then follow up in writing.
5. Brief the staff involved.
   Tell the person who received the email that they did the right thing reporting it. Punishing or shaming them guarantees the next one gets through silently. Briefly remind the wider accounts team what to look out for — change-of-bank-detail emails, urgency framing, look-alike domains.
What this usually looks like in practice.
BEC fraud rarely looks like a Hollywood phishing email. It looks like a real supplier sending a real-looking invoice. The five patterns below cover well over 80% of the cases we see — share this with your accounts team, your bookkeeper and anyone with payment-approval authority.
1. A supplier's email asking you to update their bank details ahead of the next invoice.
2. A director's email — often when they're known to be travelling — asking the accounts team to push through a fast payment.
3. An invoice from a real supplier, real amount, real format — but the IBAN has been silently changed in the PDF.
4. A solicitor or estate-agent email asking the buyer to send a deposit to a "new client account".
5. A "login security alert" prompting an MFA approval at an unusual time.
Five things that should slow you down.
None of these alone is conclusive. Two or more together is almost always worth a phone call before any money moves.
- The sending domain is one character off from the real one (e.g. r-n instead of m, .co instead of .com).
- The display name matches a director or supplier — but the underlying email address doesn't.
- The signature block is right, but the reply-to address differs from the sender address.
- The email arrived just before a weekend, public holiday or the end of the working day.
- Pressure to act before a specific deadline, with discouragement from "checking with anyone first".
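The five warning signs above can also be checked mechanically before a human ever reads the message. The script below is an added example, not the firm's own tooling: it reads a raw email and reports which of the signs are present, so an accounts team or a mail-filter rule can see at a glance that a message deserves a phone call. It assumes a small table of known contacts and their real domains (the `KNOWN_CONTACTS` map), a short list of confusable character swaps (the "rn for m" trick from the page plus a few similar ones), a hypothetical list of urgency phrases, and a simple timing rule (Friday afternoon, weekend, or after 17:00 in the sender's stated timezone; public holidays would need a calendar and are not handled). The two sample messages are constructed for the example.

```python
"""Flag the BEC red flags described on this page in a raw RFC 5322 message."""
import email
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed assumption: the people the accounts team already knows and the
# domains their real mail comes from. In practice this comes from the supplier file.
KNOWN_CONTACTS = {
    "Mary Murphy": "acme-foods.ie",   # a supplier
    "John Ryan": "ourcompany.ie",     # a director
}
TRUSTED_DOMAINS = set(KNOWN_CONTACTS.values())

# Character swaps used in look-alike domains: the page's "rn for m" plus common ones.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]

# Hypothetical phrase list for the "act before the deadline, don't check" pattern.
URGENCY_PHRASES = ("urgent", "today", "before close", "do not check", "don't check",
                   "keep this confidential", "new bank details", "updated bank details")


def _fold(domain: str) -> str:
    """Collapse confusable runs so 'acrne-foods.ie' folds to 'acme-foods.ie'."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    label = _fold(domain).rsplit(".", 1)[0]   # drop the TLD so .co vs .com also matches
    for trusted in TRUSTED_DOMAINS:
        if label == _fold(trusted).rsplit(".", 1)[0]:
            return trusted
    return None


def bec_flags(raw: str) -> list:
    """Return the red flags found in a raw message, one short string per flag."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. Sending domain is a look-alike of one we trust.
    target = lookalike_of(from_domain)
    if target:
        flags.append(f"look-alike domain {from_domain} (imitates {target})")

    # 2. Display name is someone we know, but the address is not theirs.
    expected = KNOWN_CONTACTS.get(name)
    if expected and from_domain != expected:
        flags.append(f"display name '{name}' but address at {from_domain}, expected {expected}")

    # 3. Reply-To points somewhere other than the sender.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr.lower():
        flags.append(f"reply-to {reply_to} differs from sender {addr}")

    # 4. Timing: Friday afternoon, weekend, or after the working day (sender's timezone).
    date_hdr = msg.get("Date")
    if date_hdr:
        sent = parsedate_to_datetime(str(date_hdr))
        if sent.weekday() >= 5 or (sent.weekday() == 4 and sent.hour >= 15) or sent.hour >= 17:
            flags.append(f"sent {sent:%a %H:%M}, near weekend or end of day")

    # 5. Urgency framing and discouragement from checking.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))

    return flags


# Constructed sample: a change-of-bank-details email carrying every sign at once.
SUSPICIOUS = """\
From: Mary Murphy <accounts@acrne-foods.ie>
Reply-To: accounts.payable@outlook-mail.example
To: payments@ourcompany.ie
Subject: URGENT - updated bank details for invoice 4471
Date: Fri, 13 Jun 2025 16:42:00 +0100
Content-Type: text/plain; charset=utf-8

Hi, our bank details have changed. Please pay today and do not check with anyone first.
"""

# Constructed sample: an ordinary invoice from the real supplier address.
CLEAN = """\
From: Mary Murphy <accounts@acme-foods.ie>
To: payments@ourcompany.ie
Subject: Invoice 4470 - May deliveries
Date: Tue, 10 Jun 2025 10:15:00 +0100
Content-Type: text/plain; charset=utf-8

Hi, please find invoice 4470 attached. Terms as usual, 30 days.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        found = bec_flags(raw)
        print(f"{label}: {len(found)} flag(s)")
        for f in found:
            print("  -", f)
```

Any single flag is a reason to look twice; as the page says, two or more together is a reason to pick up the phone on a number already on file before anything is paid. The domain check deliberately ignores the top-level domain so that `.co` in place of `.com` is caught as well as the letter swaps.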
Keep these somewhere you can find at 4pm on a Friday.
If you'd like help making sure the next one doesn't get through, here's what we do.
We're a senior cybersecurity and IT firm based in Cashel, Co. Tipperary. We work mostly with hospitality operators, food producers, equine and stud-farm businesses, and professional practices across the midlands and mid-west of Ireland. Our free initial review looks at exactly the kind of exposure that lets BEC emails land — email authentication, DNS, TLS and the public posture of your domain. No system access, no disruption.
This guide is general information for Irish SMEs and is not legal, regulatory or financial advice. If you're mid-incident, prioritise your bank's fraud line and your local Garda station ahead of reading any further.
