A Puerto Rican government employee has been duped by a phishing scam and wired more than $2.6 million to an account controlled by the scammers. The money had been allocated for remittance payments and was sent to a seemingly legitimate bank account on January 17, but it was later discovered that the transfer was fraudulent. The Puerto Rico government has managed to freeze some of the funds, and efforts are ongoing to recover the remainder of the wire transfers. As it stands, more than $2.6 million has been lost.
An employee of the Industrial Development Company of Puerto Rico received an email, apparently from a finance employee in Puerto Rico’s Employee Retirement System, requesting a change to the usual bank account for remittance payments. However, the sender’s email account had been hacked. The scammers used the account to send emails to several government agencies requesting changes to the bank accounts.
The first wire transfer of $63,000 was sent in December, with a further payment of $2.6 million sent by the Industrial Development Company of Puerto Rico on January 17. Also in January, an employee in the Tourism Company wired $1.5 million to a U.S. bank account. The scam was uncovered when a worker in the Employee Retirement System queried why the funds had not been sent.
Manuel Laboy, executive director of the Industrial Development Company, told the Associated Press, “This is a very serious situation, extremely serious.” An internal investigation has been launched to determine how the email account of the Employee Retirement System worker was hacked, and the FBI is assisting with the investigation. Typically, email account compromises occur as a result of employees falling for a phishing email.
News about the phishing attack comes just a few days after the FBI’s Internet Crime Complaint Center (IC3) released its 2019 Internet Crime Report. The report shows phishing is the most common type of attack, but scams such as the one experienced by the Puerto Rico government – business email compromise (BEC) attacks – result in the biggest losses. In 2019, IC3 received 467,361 complaints and more than $3.5 billion was lost to cybercrime. Only 5.09% of complaints related to BEC attacks, but they accounted for 50.75% of losses to cybercrime in 2019.