02 10 2025 | Insights | Cyber and Data Protection

Gone in an instant: How invoice redirection fraud threatens your business

Reading time: 5 mins


Payment redirection fraud is emerging as a growing threat to businesses, with criminals exploiting vulnerabilities to divert funds into unauthorised accounts. In this Insight, we examine how such fraud typically occurs, the methods used to gain access to payment systems, and the implications for businesses. We also look at how the EU’s new Instant Payment Regulation 2024 (EU 2024/886) (the “Regulation”), introduced in April 2024, aims to strengthen protections—and raise questions about where responsibility lies when things go wrong.

The rising threat of payment redirection fraud

In January 2025 the Central Bank of Ireland reported a 26% increase in fraudulent payments in 2023, totalling €126 million. FraudSMART Ireland also revealed that nearly €9.4 million was laundered through money mule accounts in the year to June 2025. 

Payment redirection fraud—also known as invoice fraud—occurs when criminals deceive individuals or businesses into transferring money to fraudulent accounts. These scams often target businesses and can result in significant financial losses. 

These attacks have grown in sophistication and intensity in recent years. While criminals use a number of mechanisms to perpetrate their frauds, the methods we observe most often are social engineering attacks and the compromise of business email environments, otherwise referred to as Business Email Compromise (“BEC”).

Social engineering: Criminals often impersonate trusted figures—such as legitimate suppliers, finance team members or senior executives—to request changes to bank account details or to authorise the urgent payment of an invoice. These requests are typically framed as time-sensitive or confidential, pressuring the recipient to act quickly without verifying the request. Such frauds are most effective when criminals have gained access to a legitimate email account of the organisation. Often, however, criminals use typosquatting, which involves an email account whose address closely resembles that of the legitimate individual or organisation being targeted. An example is where the criminal registers a domain such as “vendor.com” instead of “vendor.ie”, or uses “accounts@vendors.com” instead of “accounts@vendor.com”.
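As an added illustration (this is not code from the article), the following Python script shows the kind of lookalike-domain check a mail gateway or accounts-payable team can run against an allow-list of known supplier domains. It flags both the TLD swap and the one-character variants described above. The allow-list and the sample addresses are constructed, and treating the last label as the TLD is a simplification that does not handle suffixes such as “.co.uk”.

```python
"""Flag sender addresses whose domain is a lookalike of a known supplier domain.

Added example for this Insight; not code from the article's authors.
The supplier allow-list and the sample addresses are constructed.
"""

# Constructed allow-list: the exact domains approved suppliers send from.
KNOWN_SUPPLIER_DOMAINS = {"vendor.ie", "acme-supplies.com"}


def registrable_label(domain: str) -> str:
    """Return the label before the TLD ('vendor' for 'vendor.ie').

    Simplified: the last label is treated as the TLD, which is enough for
    illustration but not for multi-part suffixes such as '.co.uk'.
    """
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; 'vendor' vs 'vendors' (one insertion) scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(address: str, known=KNOWN_SUPPLIER_DOMAINS) -> str:
    """Return 'known', 'lookalike' or 'unknown' for the domain of an address."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in known:
        return "known"
    label = registrable_label(domain)
    for good in known:
        good_label = registrable_label(good)
        # Same name under a different TLD: vendor.com instead of vendor.ie.
        if label == good_label:
            return "lookalike"
        # One character added, dropped or swapped: vendors.com, acme-supp1ies.com.
        if levenshtein(label, good_label) <= 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders, as they might appear in a mail log.
    for sender in ["accounts@vendor.ie", "accounts@vendor.com",
                   "accounts@vendors.com", "billing@acme-supp1ies.com",
                   "news@example.org"]:
        print(f"{sender:32} -> {classify_sender(sender)}")
```

In practice the allow-list would be fed from the supplier master file, and a “lookalike” result should route the message for manual verification rather than be trusted or silently dropped.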

Business Email Compromise (BEC): Business Email Compromise is a form of cyberattack in which criminals gain unauthorised access to a business’s email system. While this can result from underlying system vulnerabilities, it is predominantly associated with phishing or social engineering tactics and with weak or absent multi-factor authentication. It can also be caused by human error, such as a user inadvertently approving a fraudulent authentication attempt, or by a lack of appropriate awareness and training.

A recent trend we have observed is the targeting of new staff within a matter of days of starting a new role. Criminals, impersonating senior executives, target the recruits to process payments or share sensitive financial information like a bad debt report in the hope that the individual has not fully completed the organisation’s onboarding or training requirements.

If a hacker accesses a user’s email account, they are able to read, delete and respond to any emails received by the legitimate user. They can also, and regularly do, create inbox rules that automatically redirect emails arriving from specific individuals, in order to conceal the criminal’s activities.
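The inbox rules described above leave a trace that administrators can audit. The following Python script is an added example (not code from the article) of such an audit: it reviews a list of inbox rules and flags those that forward mail outside the organisation, delete messages, or move mail from a specific sender into a folder the mailbox owner is unlikely to look at. The rule records, the internal domain and the field names are constructed assumptions and would need mapping to your mail platform’s own export format.

```python
"""Audit a mailbox's inbox rules for the patterns criminals set up after a BEC.

Added example for this Insight, not code from the article. The rule records
are constructed to resemble an export of inbox rules (one dict per rule); the
field names are assumptions, not any platform's real schema.
"""

INTERNAL_DOMAIN = "example-company.ie"   # constructed: the organisation's own domain

# Folders that intercepted mail is commonly moved into so the owner does not see it.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "deleted items",
                  "junk email", "conversation history"}

# Constructed sample: two legitimate rules beside two rules typical of an intrusion.
SAMPLE_RULES = [
    {"name": "Newsletters", "from_contains": ["newsletter@"], "forward_to": [],
     "delete": False, "move_to": "Newsletters"},
    {"name": "Project updates", "from_contains": ["bigcustomer.com"],
     "forward_to": ["finance.dept@webmail-example.net"], "delete": True, "move_to": None},
    {"name": ".", "from_contains": ["accounts@vendor.ie"], "forward_to": [],
     "delete": False, "move_to": "RSS Subscriptions"},
    {"name": "Copy to assistant", "from_contains": [],
     "forward_to": ["assistant@example-company.ie"], "delete": False, "move_to": None},
]


def rule_findings(rule: dict, internal_domain: str = INTERNAL_DOMAIN) -> list:
    """Return the reasons a single rule deserves review (empty list if none)."""
    findings = []
    external = [addr for addr in rule.get("forward_to", [])
                if not addr.lower().endswith("@" + internal_domain)]
    if external:
        findings.append("forwards to external address(es): " + ", ".join(external))
    if rule.get("delete"):
        findings.append("deletes matching messages")
    move_to = rule.get("move_to")
    if move_to and move_to.lower() in HIDING_FOLDERS:
        findings.append(f"moves matching messages to '{move_to}'")
    # A concealing action scoped to one counterparty is the signature described
    # in the text: mail from that supplier or customer is intercepted before the
    # mailbox owner ever sees it.
    if findings and rule.get("from_contains"):
        findings.append("scoped to sender(s): " + ", ".join(rule["from_contains"]))
    return findings


def audit_rules(rules: list) -> dict:
    """Map each suspicious rule's name to its findings; clean rules are omitted."""
    report = {}
    for rule in rules:
        findings = rule_findings(rule)
        if findings:
            report[rule["name"]] = findings
    return report


if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES).items():
        print(f"rule {name!r}:")
        for reason in reasons:
            print("   -", reason)
```

Run regularly across all mailboxes, a check like this surfaces the redirect rules a criminal relies on long before the missed invoice reminder arrives.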

Other than watching for triggers such as a request to change bank payment details, a request for the urgent payment of an invoice, or a change in writing style, there is no easy way for a recipient to identify that an email was not prepared and sent by the legitimate individual or organisation. This is why a robust payment process, supported by adequate training, implemented without exception and regularly updated to reflect recent trends, is crucial for organisations to protect themselves against fraud.

Which payments are most at risk?

In our experience, where a hacker has successfully committed a BEC, they will first target payments due to that organisation by communicating with customers and requesting a change to the organisation’s bank account details. 

At the same time, they will look for any payments due to be made by the organisation to a third party. Using typosquatting and a man-in-the-middle style attack, they inject themselves into the middle of an email chain and furnish an updated invoice or changed payment details. In this instance they may also take a call to “verify” the changed bank account details, which is why it is important to phone the supplier on a known number to verify the change, and not on a number taken from the footer of the email thread requesting the change.

Unfortunately, the customer or supplier often won’t realise that they have been the victim of a crime until they receive a reminder for payment of the legitimate invoice, weeks later.

How the EU Instant Payment Regulation 2024 helps

Under the Regulation, banks and other organisations that provide payment services, otherwise referred to as payment service providers (PSPs), are required to offer, free of charge, a verification of payee service (VOP). This allows a payer to verify, amongst other things, that the payee name and IBAN they have been given correspond to each other. When a payer uses the verification of payee service before authorising a payment, they will be informed whether the payee information provided has ‘matched’, is a ‘close match’ or has not matched.

The Regulation requires that all PSPs have this system in place by 9 October 2025, but it does allow non-consumer payers to opt out of the scheme.
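To make the three VOP outcomes concrete, the following Python script is an added example (not code from the article, nor from any PSP, whose real checks run between the payer’s and payee’s providers). It validates the IBAN’s ISO 13616 check digits, looks the IBAN up in a constructed register of account-holder names, and then classifies the payer’s typed name as ‘match’, ‘close match’ or ‘no match’. The matching rules (legal-form words ignored, a difflib similarity threshold of 0.85) are assumptions chosen for illustration; the sample IBAN is the standard documentation example and the register is constructed.

```python
"""Illustrate the three outcomes of a verification-of-payee (VOP) check.

Added example for this Insight; not code from the article or any PSP. The
matching thresholds are assumptions and the account register is constructed.
"""
import difflib
import re
import string

# Legal-form words ignored when comparing names ("Vendor Ltd" == "Vendor Limited").
LEGAL_FORMS = {"ltd", "limited", "plc", "llp", "dac", "clg", "inc", "gmbh", "bv"}

# Constructed register standing in for the payee PSP's account-holder records.
PAYEE_REGISTER = {
    "GB82WEST12345698765432": "Vendor Ltd",   # standard example IBAN
}


def normalise_name(name: str) -> list:
    """Lower-case, strip punctuation and drop legal-form suffixes."""
    cleaned = name.lower().translate(str.maketrans("", "", string.punctuation))
    return [token for token in cleaned.split() if token not in LEGAL_FORMS]


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end, map
    letters A-Z to 10-35, and the resulting integer must leave remainder 1."""
    compact = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", compact):
        return False
    rearranged = compact[4:] + compact[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def verify_payee(name_given: str, iban_given: str, register=PAYEE_REGISTER) -> str:
    """Return 'match', 'close match' or 'no match' for the name the payer typed."""
    compact = re.sub(r"\s+", "", iban_given).upper()
    # An invalid or unknown IBAN can never match the name the payer was given.
    if not iban_is_valid(compact) or compact not in register:
        return "no match"
    expected = normalise_name(register[compact])
    given = normalise_name(name_given)
    if given == expected:
        return "match"
    ratio = difflib.SequenceMatcher(None, " ".join(given), " ".join(expected)).ratio()
    return "close match" if ratio >= 0.85 else "no match"


if __name__ == "__main__":
    # Constructed payment instructions as a payer might type them.
    for name, iban in [("Vendor Limited", "GB82 WEST 1234 5698 7654 32"),
                       ("Vendr Ltd", "GB82 WEST 1234 5698 7654 32"),
                       ("Fraudco Ltd", "GB82 WEST 1234 5698 7654 32"),
                       ("Vendor Ltd", "GB82 WEST 1234 5698 7654 33")]:
        print(f"{name:16} {iban}  -> {verify_payee(name, iban)}")
```

A ‘close match’ tells the payer which holder name the PSP actually has on file, so a typo can be corrected; a ‘no match’ on an invoice that previously paid cleanly is exactly the signal that should stop the payment and trigger a phone call on a known number.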

A similar system has been in operation in the United Kingdom since 2020 and, while not identical, according to a report from the Euro Payments Council it has reduced the volume of related fraud cases by 60%. This is positive news, but also an important reminder that maintaining a robust payment process cannot and should not be overlooked.

Who is liable when fraud occurs?

Liability for payment redirection fraud remains a grey area. While the payer typically bears the loss, the position has not yet been examined by the Irish courts so we must look to other jurisdictions to see how they have treated similar cases:

  • UK: J Brazil Road Contractors v Belectric Solar Ltd

In the UK there have been a number of recent decisions in this area. In J Brazil Road Contractors v Belectric Solar Ltd [1], J Brazil Road Contractors (“the Contractor”) provided services to Belectric Solar Ltd (“Customer”). The Contractor’s email had been compromised, and the hacker furnished an invoice for payment to the Customer which contained fraudulent account details. The Customer paid the amount due to the fraudulent bank account, and the funds were lost. The Court held that while both parties were victims of a scam, the Customer remained liable to pay the invoice again.

  • UK: Sell Your Car With Us Ltd v Anil Sareen

Similarly, in the UK case of Sell Your Car with US Limited v Anil Sareen [2] it was held that “the company was alone responsible for sending money to an unauthorised account on instructions received from an unknown third party.”

  • Australia: Factory Direct Fencing Pty Ltd v Kong AH International

By contrast, in the Australian decision of Factory Direct Fencing Pty Ltd v Kong AH International Company Limited [3], the Court examined whether the Defendant (supplier) owed a duty of care to the buyer of materials (plaintiff) where a fraudulent email was sent impersonating the supplier and providing bank account details different from the account into which the buyer had previously paid for the materials supplied. The Court considered that if such a duty of care were to exist, it would be a novel one. It held that although the economic loss to the buyer was foreseeable given the high rates of cybercrime, the buyer was almost entirely able to mitigate the loss by telephoning the seller to confirm the correct bank information prior to making payment.

The Court further pointed out that imposing a duty on the seller of materials to confirm every email it sent, so as to ensure that only correct information was sent, would be too broad a duty.

  • Canada: St. Lawrence Testing v Lanark Leeds Distribution 

In the 2019 Canadian case of St. Lawrence Testing and Inspection Co. Ltd and Lanark Leeds Distribution Ltd [4], the Plaintiff, through their legal representative, McDonald Duncan LLP (“Law Firm”), sued for an unpaid balance for environmental assessment services. An agreement was reached, and by the terms of that agreement the defendant was to pay $7000 into the trust account of the Law Firm. However, a fraudster hacked the email account of an employee of the Law Firm and sent alternative payment information to the Defendant, and the money in question was paid to the hacker. The Judge in this case set down a helpful test to determine whether the victim of fraud is liable for the loss:  

 “Where a computer fraudster assumes control of Victim A’s email account and, impersonating Victim A, issues instructions to Victim B, who then transfers funds intended for Victim A (or a third party) to the fraudster’s account, is Victim A liable for the loss?

In my view, the answer is “no”, unless:

  1. Victim A and Victim B are parties to a contract which (i) authorises Victim B to rely on email instructions from Victim A and, (ii) assuming compliance with the terms of the contract, shifts liability for a loss resulting from fraudulent payment instructions to Victim A;
  2. There is evidence of wilful misconduct or dishonesty by Victim A; or
  3. There is negligence on the part of Victim A.”

In this matter the Court noted that no evidence had been produced to suggest that the Law Firm, whose email account had been breached, failed to meet the standard reasonably expected of a law firm. It looked at the actions of the Law Firm following it becoming aware of the breach and was satisfied that they acted promptly and appropriately in an effort to recover the funds. Finally, the Court did not accept an argument made by the Defendants (Victim B) that the Law Firm could have easily monitored their email and prevented the hacking. 

In reaching its determination, the Court found that the hacking of the Law Firm’s email account was not the result of negligence on its part, that there was no evidence of misconduct or dishonesty, and that there was no evidence of negligence in respect of its email security. The Defendant was therefore required to pay the amount under the settlement agreement again.

To date it seems that in other common law jurisdictions, where a victim of fraud has paid monies to a fraudster, they will most likely remain liable to pay those monies to the legitimate party again. It remains to be seen whether the Irish Courts will follow the approach taken in those other common law jurisdictions, but it is our prediction that a rule similar to that in the Canadian case will be adopted.

Until this is considered by an Irish Court, prudent steps for organisations are to ensure that:

  • their contracts or engagement terms with customers and suppliers provide for the payment process, state whether each party is entitled to rely on email communications, and clearly set out where liability will rest in the event of a fraud;
  • their systems and processes are up to date and the security measures implemented reflect current best practice; and
  • they act quickly once a fraud is discovered, to avoid an allegation of misconduct or negligence.



[1] J Brazil Road Contractors v Belectric Solar Ltd 2018 (Case number WL 01993147)

[2] Sell Your Car with US Limited (Applicant) v Anil Sareen (Respondent) [2019] EWHC 2332 (Ch)

[3] Factory Direct Fencing Pty Ltd v Kong AH International Company Limited [2013] QDC 239

[4] St. Lawrence Testing and Inspection Co. Ltd v Lanark Leeds Distribution Ltd 2019 CanLII 69697
