average loss for an Irish SME that was successfully defrauded by an email-related scam
BPFI / FraudSMART · Two years to March 2026
Ireland has something most European countries lack: banks that count invoice redirection against small businesses and publish the number. It is not a flattering one, and it has risen at every reading.
Last reviewed July 2026 · Every statistic card links to its source
lost by Irish SMEs to email-related scams over two years — invoice redirection was the majority of cases, with CEO impersonation second
BPFI / FraudSMART · Two years to March 2026
average loss for an Irish SME that was successfully defrauded by an email-related scam
BPFI / FraudSMART · Two years to March 2026
of Irish SMEs were targeted by financial scams in the past 12 months — and 88.4% of those attempts arrived by email
BPFI / FraudSMART survey with ISME · 12 months to March 2026
of scam attempts against Irish SMEs arrived by email (vs 51.2% by phone and 48.8% by text)
BPFI / FraudSMART survey with ISME · 12 months to March 2026
of Irish SMEs have no fraud-awareness guidelines and no staff training programme
BPFI / FraudSMART · As of March 2026
in total fraudulent payments across all instruments reported by Irish payment providers, up from €128.6 million in 2023
Central Bank of Ireland, Payment Fraud Statistics · Calendar 2024
in fraudulent credit transfers in Ireland, across 30,255 fraudulent transactions — the rail supplier invoices are paid on
Central Bank of Ireland, Payment Fraud Statistics · Calendar 2024
Ireland is one of only six EU/EEA countries where customers do NOT bear more than 80% of credit-transfer fraud losses — Irish banks absorb more than most. It is still not a reimbursement right
EBA/ECB 2025 Report on Payment Fraud · Calendar 2024
of fraudulent credit-transfer value across the EU/EEA came from "manipulation of the payer" — the account holder was deceived into authorising the transfer themselves (up from 65% in 2023)
EBA/ECB 2025 Report on Payment Fraud · Calendar 2024
Ireland's banks publish what most of Europe does not: a loss figure for the fraud that specifically targets businesses paying invoices. Through FraudSMART, the Banking & Payments Federation Ireland reported €18.9 million lost by SMEs to email-related scams over two years to March 2026 — and named invoice redirection as the majority of cases, with CEO and executive impersonation second.
The per-incident economics are what make this existential for a small company: the average loss for an SME that got hit was more than €22,000. And the exposure is close to universal — 67% of Irish SMEs were targeted by a financial scam in the previous 12 months, with 88.4% of attempts arriving by email. Over half of Irish SMEs, 53%, have no fraud-awareness guidelines or staff training at all.
The regulatory data tells the same story from the bank side. The Central Bank of Ireland's payment-fraud statistics put total fraudulent payments across all instruments at €160.2 million in 2024, up from €128.6 million in 2023 — with €67.7 million of it on credit transfers, the instrument used to pay suppliers.
Ireland is unusual in one respect worth knowing: it is one of only six EU/EEA countries where customers do not bear more than 80% of credit-transfer fraud losses — Irish banks absorb a comparatively larger share than banks elsewhere in Europe. That is a genuine difference, but it is not a reimbursement right, and it should not be mistaken for one.
Ireland has no mandatory reimbursement scheme for authorised push payment fraud — nothing equivalent to the UK regime that splits the cost between sending and receiving banks. The Central Bank of Ireland expects firms to have effective measures to mitigate fraud and to engage with customers; it does not compel them to refund a payment the customer authorised.
The Oireachtas Joint Committee on Finance recommended Ireland consider a UK-style scheme in its October 2024 report on APP fraud, and repeated the call in May 2026. As of July 2026 it remains a recommendation. A business that pays a fraudulent invoice today has no statutory right to get the money back.
Verification of Payee has been mandatory since 9 October 2025 under the EU Instant Payments Regulation, and Irish banks — AIB, Bank of Ireland, PTSB, An Post Money and the credit unions — have rolled it out. As everywhere in the euro area, it warns rather than blocks, and it cannot detect a bank-detail change made inside a hijacked email thread, where the name and IBAN the fraudster supplies match each other.
One Irish development is worth watching for smaller companies: the Central Bank's Consumer Protection Code 2025, in force from March 2026, widens the definition of "consumer" to include incorporated bodies with annual turnover under €5 million — bringing many small Irish businesses inside protections previously reserved for individuals. The detail of how far that reaches in a fraud dispute is still being tested.
The Irish data is unusually direct about the exact crime this page is about. Invoice redirection is not a sub-category of something broader here — it is named, counted, and identified as the majority of the €18.9 million Irish SMEs lost to email scams over two years, at more than €22,000 a time.
The exposure numbers explain why it works: two thirds of Irish SMEs were targeted in a year, nearly nine in ten of those attempts came by email, and more than half of Irish SMEs have no fraud training or guidelines in place at all. The attack arrives in the same inbox and the same format as every legitimate invoice.
PayHQ is the control that gap is asking for: every incoming invoice is checked against the supplier record your team has already verified — name, registration and bank details — and a changed account is held for review before the payment is released, rather than discovered afterwards.
Irish SMEs lost €18.9 million to email-related scams over the two years to March 2026, and BPFI/FraudSMART name invoice redirection as the majority of those cases. The average loss for an SME that was successfully defrauded was more than €22,000.
There is no mandatory reimbursement scheme in Ireland for authorised push payment fraud. The Oireachtas finance committee has twice recommended considering one — in October 2024 and again in May 2026 — but as of July 2026 it is not law.
67% of Irish SMEs were targeted by a financial scam in the 12 months to March 2026, and 88.4% of those attempts arrived by email. More than half of Irish SMEs have no fraud-awareness training or guidelines.
Somewhat. Ireland is one of only six EU/EEA countries where customers do not bear more than 80% of credit-transfer fraud losses, so Irish banks absorb a larger share than most. That is a statistical pattern, not a legal right — it does not mean your business will be refunded.
Every statistic on this page was checked against the named source in July 2026. Ireland's SME figures are losses reported by FraudSMART member banks, not a police count. Note that Ireland's CSO recorded-crime statistics are not usable here: the CSO excludes most bank-reported fraud from its published fraud series and formally cautions against reading those figures as complete. Figures describe what each source measures — reported losses are not the same as total losses, and most fraud goes unreported. National figures are not directly comparable between countries, because each country counts differently. When a figure cannot be verified against a primary source, we remove it rather than keep it.
PayHQ checks every incoming invoice against your verified supplier records and flags changed bank details before the payment goes out.