Before we start I want to call out that the only way something like this succeeded is a failure of the process. Humans make mistakes.
A process that allows people to make mistakes is a failure in the process, not the individual's failure.
It is also possible to spoof an email address, but Google and other email providers will usually auto-mark that as spam because the signatures won't match. So this person didn't even bother; they didn't even try buying a similar domain. This was just a shotgun attack and likely part of a larger email campaign.
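The "signatures won't match" point above is the DMARC alignment check that mailbox providers apply: a message only counts as authenticated when a passing SPF or DKIM result belongs to the same domain as the visible From: address. The script below is an added example (not code from the original post) that reads the Authentication-Results header a receiving server stamped on a message and reports whether either result aligns. The two messages, the domains (`supplier.example`, `bulk-sender.example`, `mx.example.net`) and the header values are constructed for the example; the organisational-domain logic is a simplification of the public-suffix handling real evaluators use, and no DNS policy lookup is performed.

```python
"""Check whether an inbound message's From: domain is backed by a passing,
aligned SPF or DKIM result, the way mailbox providers evaluate DMARC.
Added example; the messages and domains below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a lookalike message whose From: claims the supplier's
# domain, but the only passing SPF/DKIM results belong to an unrelated sender.
SPOOFED_MESSAGE = """\
Authentication-Results: mx.example.net;
 spf=pass (sender IP is 203.0.113.7) smtp.mailfrom=bulk-sender.example;
 dkim=pass header.d=bulk-sender.example header.s=sel1
From: "Accounts" <accounts@supplier.example>
To: payments@ourcompany.example
Subject: Updated bank details for invoice 4471

Please use the new IBAN below for all future payments.
"""

# Constructed sample: the supplier's genuine mail, where the DKIM signature
# and SPF envelope domain are the From: domain itself.
GENUINE_MESSAGE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=supplier.example;
 dkim=pass header.d=supplier.example header.s=mail
From: "Accounts" <accounts@supplier.example>
To: payments@ourcompany.example
Subject: Invoice 4471

Invoice attached as usual.
"""


def org_domain(domain: str) -> str:
    """Collapse a hostname to its last two labels. This is a simplification
    of the public-suffix logic real DMARC evaluators use."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(candidate: str, from_domain: str, strict: bool = False) -> bool:
    """Strict alignment needs an exact match; relaxed alignment only needs
    the same organisational domain (mail.supplier.example vs supplier.example)."""
    if strict:
        return candidate.lower() == from_domain.lower()
    return org_domain(candidate) == org_domain(from_domain)


def evaluate(raw: str, strict: bool = False) -> dict:
    """Parse the message, pull the SPF/DKIM verdicts out of the
    Authentication-Results header, and decide whether either aligns."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    auth = " ".join(msg.get_all("Authentication-Results", []))
    spf = re.search(r"spf=(\w+)[^;]*?smtp\.mailfrom=([\w.-]+)", auth)
    dkim = re.search(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", auth)
    spf_ok = bool(spf and spf.group(1) == "pass"
                  and aligned(spf.group(2), from_domain, strict))
    dkim_ok = bool(dkim and dkim.group(1) == "pass"
                   and aligned(dkim.group(2), from_domain, strict))
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        # DMARC passes when at least one mechanism passes AND aligns.
        "dmarc_pass": spf_ok or dkim_ok,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("genuine", GENUINE_MESSAGE)):
        print(label, evaluate(raw))
```

The spoofed message still has `spf=pass` and `dkim=pass`, which is why looking at the verdicts alone is not enough: both belong to `bulk-sender.example`, not to the domain the reader sees in From:, so the message fails alignment and a provider enforcing the supplier's DMARC policy would quarantine or reject it.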
It hit us at the right place, at the right time, when we were in a vulnerable process position.
What was the failure in the process?
The first mistake here is on me — this process is on occasion sidestepped, either for creditors who refuse our 30-day payment terms or for one-off payments that need to be escalated.
Our new process for this will require verbal communication to confirm AND a second sign-off in our banking software.
In Revolut Business you can set a limit to individuals or roles that require a second person to sign off a payment. We initially had that, and it was set around €1000.
I must have removed it at some point, because it is tedious, and probably thought to myself that I would reinstate it the next day, but I never did.
The biggest mistake here is that it puts all the responsibility on one person, which is unfair.
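The control described above (a threshold over which a payment needs a second person to sign off, now combined with a verbal confirmation) can be stated precisely so that it cannot be quietly skipped. The model below is an added example, not Revolut's logic or the post's own code: it encodes the rules as a release decision and also enforces separation of duties, so the person who raised the payment can never be one of its approvers. The threshold is the €1000 the post mentions; the `Payment` fields, names and IBAN string are assumptions constructed for the example.

```python
"""Model of a payment-release control: above a threshold a payment needs two
distinct sign-offs plus a recorded verbal confirmation, and the requester is
never counted as an approver. Added example; the data is constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Threshold from the post; above this a second sign-off is mandatory.
DUAL_SIGNOFF_LIMIT_EUR = 1000.00


@dataclass
class Payment:
    reference: str
    amount_eur: float
    beneficiary_iban: str
    requested_by: str
    # Who phoned the creditor on a previously known number to confirm the
    # request; None means nobody did. Assumed field for the example.
    verbally_confirmed_by: Optional[str] = None
    approvals: List[str] = field(default_factory=list)


def release_decision(p: Payment,
                     limit: float = DUAL_SIGNOFF_LIMIT_EUR) -> Tuple[bool, List[str]]:
    """Return (may_release, reasons). Every rule that fails adds a reason so
    the person reviewing the payment sees the complete picture, not just the
    first blocker."""
    reasons: List[str] = []

    # Separation of duties: raising a payment and approving it are two roles.
    if p.requested_by in p.approvals:
        reasons.append("requester cannot approve their own payment")
    distinct = {a for a in p.approvals if a != p.requested_by}

    if p.amount_eur > limit:
        if len(distinct) < 2:
            reasons.append(f"needs 2 distinct approvers above {limit:.2f} EUR, "
                           f"have {len(distinct)}")
        if not p.verbally_confirmed_by:
            reasons.append("no verbal confirmation recorded")
        elif p.verbally_confirmed_by == p.requested_by:
            reasons.append("verbal confirmation must be done by someone "
                           "other than the requester")
    elif not distinct:
        reasons.append("needs at least one approver")

    return (not reasons, reasons)


if __name__ == "__main__":
    rushed = Payment("INV-4471", 2500.00, "DE00 TEST 0000 (constructed)",
                     requested_by="alice", approvals=["alice"])
    print(release_decision(rushed))
    checked = Payment("INV-4471", 2500.00, "DE00 TEST 0000 (constructed)",
                      requested_by="alice", verbally_confirmed_by="bob",
                      approvals=["bob", "carol"])
    print(release_decision(checked))
```

The important property is that the rushed case (one person raises the payment and signs it off themselves) is refused with three explicit reasons rather than silently allowed, which is exactly the gap the post describes when the in-app limit was removed.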
Something like this is a gut punch to anyone or any business, that is a lot of money to anyone. I think the obvious reaction by anyone is to get a bit emotional. To get angry, to get sad, to get frustrated, and I was.
But I wanted to be professional about this, and treat it healthily. There was no value in playing blame games or giving negative thoughts any space.
My priorities were to:
We bank with Revolut Business, which up until now has been bumpy but overall good. We reached out to Revolut but they only had chat support, which, let me tell you, when you're under pressure you want to speak to a human; nothing pisses you off more than having to deal with chat on your phone with a disinterested call centre person.
The bank essentially said that they would see what they could do, and they made it sound hopeful, but they insisted that I speak to the authorities and get them a 'crime reference number'.
They eventually got back to me and said that they followed all their process and it wasn't their problem.
Revolut Business was unable to freeze the transfer, and the receiving bank, Deutsche Bank/Postbank, has not responded.
I called the Guards but they refused to create a case or take a report over the phone. I was at a wedding and in no state to present at a station, so they told me to come into my local station the next day. I did this, and haven't heard a peep since.
I also notified our insurance company Hiscox, and they moved a lot faster. By Monday they had a legal team working with me, offered to bring in a cyber professional, and had made direct contact with the Garda Economic Crime Bureau to get me a case number and a lead on their side.
I only bought a cyber cover as an afterthought due to all the HSE leaks over the last few months, boy am I glad I did now.
I had several calls with my accounts team that day and the following days, and my message is clear on this.
It was not their fault. This is a business, a mistake was made, and the process allowed that mistake to go through.
When you are dealing directly with money things feel a lot more real and emotional. Would I feel the same if someone told me a feature would be a week late? It might cost us the same amount, but I probably wouldn't be as cut up about it?
Humans are just weird about money.
I wish I could say I know what is going to happen but I don't. I doubt Revolut or the authorities will retrieve the money, and I don't hold out huge hope in insurance covering this.
So I'm taking it as a learning experience. We're going to focus on our process, our security and tightening things up. This could have been way worse and we're lucky it wasn't.
I hope you can learn something from this.