Dublin Zoo has admitted it has been hit by a scam in which cyber criminals were reportedly able to steal up to €500,000. The zoo has stated that they are cooperating with the Garda National Economic Crime Bureau in a case of invoice redirect fraud. While neither the Gardaí nor Dublin Zoo revealed the amount of money taken, sources have reported that it was up to €500,000, most of which was successfully recovered.
Reports indicate that Dublin Zoo may have lost up to €500,000 through the scam, with an estimated €130,000 remaining at large overseas.
“The matter was initially reported by Dublin Zoo to the Gardaí at Cabra Garda Station who immediately contacted the Garda National Economic Crime Bureau at Harcourt Square,” Gardaí said yesterday. “Gardaí can confirm that investigations are continuing into this fraud at Dublin Zoo and can also confirm that, with the assistance of financial institutions, a substantial amount of money has been recovered in this case”.
Invoice Redirect Fraud, also known as CEO or CFO Fraud, is a scam where cyber criminals either hack or spoof the email account of something with financial business in the company. In this case, a building contractor hired by the zoo had their email account hacked by the perpetrators. Posing as this contractor, an invoice was sent to Dublin Zoo with details of upcoming payments to be made and a new bank account to pay them into.
Once these cyber criminals had the money in their accounts, it was swiftly moved overseas. It is believed that in the region of €370,000 has been recovered by the Gardaí and will be returned to the zoo, with the remaining €130,000 tracked to Pakistan and attempts at recovery underway. Dublin Zoo has stated that no customer details were compromised in the incident.
Scams like these are becoming increasingly common, especially as criminals can now spoof email address (so that emails appear to come from that address) without the need to hack their cyber defences. Trinity College was targeted last year in a €1 million scam, and Meath County Council was lucky to recover €4.3 million after falling victim to a similar case of CEO Fraud.
In a fresh warning from the Gardaí to Irish businesses, “Gardaí would like to advise all businesses, both large and small, that under no circumstance should you agree to change a bank account number for a supplier based on a phone call, email or other means without verifying such change with someone that is known to you in the supplier’s company”.
We can only reiterate this warning and specifically, recommend that all users receive cyber security awareness training to identify scams and phishing threats, and ultimately reduce their company’s risk of a data breach or falling victim to costly scams like these.