Puerto Rico’s government lost millions of dollars in an email scam that was perpetrated through the hacked email account of an employee of the Puerto Rico Employment Retirement System. Most of the transferred funds reportedly came from the Puerto Rico Industrial Development Company (PRIDCO), which sent US$63,000 to fraudulent accounts in December 2019 and over US$2.6 million in January 2020. The Puerto Rico Tourism Company also sent US$1.5 million in January.
Employees from PRIDCO transferred the money after receiving an email that informed recipients about a change in the banking account to which they had previously sent remittance payments. The email came from threat actors who had hacked the account of the finance worker at the Employee Retirement System and used it to send the message.
The scheme was discovered when the finance worker called the agencies to let them know that she did not receive any payments, only to be told by the officials that they already sent the money.
The payments, which were sent to a fraudulent account in the U.S., involved public pension funds. The Puerto Rico government is attempting to recover the money, with US$2.9 million frozen so far. How the email account was hacked is currently being investigated.
Thwarting business email compromise (BEC) attacks
Account compromise, a type of business email compromise (BEC) attack, involves the hacking of an employee’s email account, which is then used to request payments or money transfers to fraudulent bank accounts. The threat has grown significantly over the past few years, as more cybercriminals have used it to rob companies of millions of dollars. Trend Micro has predicted that such email attacks will continue to proliferate through the use of both old and new tactics.
Companies are advised to spread awareness among employees on how to spot the different types of BECs and other similar threats. Below are a few steps that employees can take to defend against email compromise attacks:
- Verify transactions and fund transfers. Confirm payment requests with the sender through other known channels, like phone calls.
- Look closely at emails to spot suspicious elements such as unexpected payment requests, messages written with a sense of urgency, grammatical mistakes and misspellings, or obvious deviations from the sender’s usual writing style.
- Secure email accounts by using strong passwords, enabling two-factor authentication, and inspecting links and attachments before clicking them.
As threat actors use social engineering to make these attacks more believable, it becomes more difficult for human judgment alone to distinguish real emails from fake ones. Enterprises can use security solutions designed to protect users from BEC scams. Writing Style DNA, which is used by Trend Micro™ Cloud App Security™ and ScanMail™ Suite for Microsoft® Exchange™, uses artificial intelligence (AI) to study a user’s writing style based on past emails, helping detect signs of email impersonation.