Financial Crime World

Puerto Rico Hit by Major Cybercrime Scam: Millions Lost in Email Hack

Summary

A sophisticated email scam has resulted in the loss of millions of dollars from public pension funds in Puerto Rico. The scheme was carried out through a hacked email account of an employee at the Puerto Rico Employment Retirement System.

The Scam Unfolds

In December 2019, the Puerto Rico Industrial Development Company (PRIDCO) transferred $63,000 to fraudulent accounts. In January 2020, PRIDCO and the Puerto Rico Tourism Company sent over $3.1 million to the same fraudulent accounts. The scam was discovered when a finance worker at the Employee Retirement System reported that she had not received any payments, only to be told by officials that they had already been sent.

How it Worked

The scheme involved hacking an employee’s email account and sending emails to recipients informing them of a change in banking accounts where payments were previously remitted. Employees at PRIDCO then transferred the money to fraudulent accounts without verifying the authenticity of the request.

Business Email Compromise (BEC)

Cybersecurity experts say that this type of attack, known as Business Email Compromise (BEC), has become increasingly common and can result in significant financial losses for companies. BEC attacks typically involve hacking an employee’s email account and using it to request payments or money transfers be sent to fraudulent bank accounts.

Investigation and Recovery

The Puerto Rico government is currently investigating how the email account was hacked and attempting to recover the lost funds, with $2.9 million frozen so far.

Prevention Measures

To prevent such attacks, cybersecurity experts advise companies to:

  • Educate employees: Educate your employees on how to spot suspicious emails and take steps to secure their email accounts.
  • Verify transactions: Verify transactions and fund transfers before sending payments or money transfers.
  • Secure email accounts: Secure email accounts with strong passwords and two-factor authentication.
  • Inspect links and attachments: Inspect links and attachments before clicking them.

Artificial Intelligence-based Solutions

As threat actors use social engineering tactics to make these attacks more believable, it is becoming increasingly difficult for human judgment alone to distinguish real emails from fake ones. Companies can use technology-based solutions that employ artificial intelligence to detect signs of email impersonation.

Conclusion

The incident serves as a stark reminder of the importance of cybersecurity in preventing financial losses and protecting sensitive information. As cybercriminals continue to evolve their tactics, it is crucial for individuals and organizations to stay vigilant and take proactive measures to protect themselves from these types of attacks.