Puerto Rico government falls for $2.6 million email scam
As if Puerto Rico wasn’t having a hard enough time as it attempts to recover from a recession, the damage caused by devastating hurricanes in recent years, and a damaging earthquake last month, it now finds itself being exploited by cybercriminals.
According to media reports, the government of the US island territory has lost more than US $2.6 million after falling for the type of email scam that has plagued companies and organisations around the world.
Rubén Rivera, the finance director of Puerto Rico’s Industrial Development Company, filed a complaint with local police yesterday that his government agency had mistakenly transferred the money into a bank account run by scammers.
Over $2.6 million was reportedly wired into the fraudulent bank account, after the agency received an email requesting a change to the bank account tied to remittance payments.
According to the agency’s executive director, Manuel Laboy, officials only realised that the payment had gone into the wrong account earlier this week, and the FBI was immediately informed.
It is unclear whether the Puerto Rico government will be able to recover the lost money – news which, will no doubt, frustrate islanders.
From the sound of things, this was a classic Business Email Compromise (BEC) scam.
One common technique used by BEC fraudsters is to break into email accounts (perhaps having stolen login credentials by a phishing attack), discover what projects and work is being done for a company by third-party suppliers, and then trick finance departments into believing the details of the bank account into which they are making payments have changed.
But you don’t need to have compromised an organisation’s email account to successfully pull off a BEC scam. You could simply purchase a lookalike domain name in the hope that you’ll trick an employee into believing you are a senior member of staff or supplier.
Whatever the technique used, it’s clear that BEC attacks do not have to be sophisticated and yet can be tremendously fruitful.
Recently released statistics from the FBI’s Internet Crime Complaint Center reveal that almost half of all reported cybercrime-related losses during 2019 were the result of BEC scams – totalling over US $1.7 billion.
An average BEC victim is tricked out of US $75,000, but – as can be seen in this and other cases – sometimes the figure fraudsters manage to steal from unsuspecting organisations can be much much larger.
All organisations must educate staff against the threats and put mechanisms in place to reduce the chances of a potential fraud succeeding.