Financial Crime World

$4 Million Stolen in Email Scam Targeting Puerto Rican Agencies: What We Know So Far

The Puerto Rican government is reeling from an email scam that resulted in the theft of over $4 million from several agencies, deepening concerns about the security of local government finances during an economic crisis. Here’s what we know so far.

The Scam

The scam came to light in December when someone hacked into the computer system of an employee at the Employee Retirement System (ERS), according to José Ayala, director of the fraud unit within the bank robbery division. The hacker then impersonated the female employee and sent fraudulent emails to various agencies, instructing them to send payments to fictitious accounts.

Victims

The first reported victim was Puerto Rico’s Industrial Development Company (PIDC), which transferred $63,000 in December and over $2.6 million in January to the fraudulent accounts. The second victim was the island’s Tourism Company, which wired $1.5 million to the scammers’ accounts in January.

Exposure and Investigation

The scam was exposed when the ERS employee discovered that the payments had not been received, prompting investigations by the agencies and the authorities. El Nuevo Día, a Puerto Rico daily newspaper, reported the Tourism Company’s $1.5 million payment earlier. PIDC’s payment was made public through a police report.

No other government agencies have reported losing money due to the scam, Ayala told The Associated Press. The Federal Bureau of Investigation (FBI) is investigating the incident.

Fiscal Crisis and Frustration

Puerto Rico Rep. Ramón Luis Cruz expressed frustration over the lack of information provided so far. “The government of Puerto Rico is in a serious fiscal crisis. It doesn’t have enough money to fulfill its obligations,” he stated. In light of this, Cruz filed legislation demanding a comprehensive investigation into the incident.

Previous Instances

Similar situations have occurred within the past few months in other parts of the United States. In Manor, Texas, a school district reported an email phishing scam that resulted in the loss of $2.3 million. Local officials in Griffin, Georgia, reported losing over $800,000 following an email requesting an account change.

Widespread Threat

Business email compromise cases, in which hackers spoof or compromise an email account from a legitimate person or company, were reported on the U.S. mainland over 23,700 times in 2021, resulting in total adjusted losses of over $1.7 billion. A special FBI team reported recovering more than $300 million that was stolen through such scams in 2021.

Recovery Efforts

PIDC Executive Director Manuel Laboy told AP that the agency is actively seeking to recover the stolen funds. The Tourism Company and the governor’s office declined to provide further details, citing the ongoing investigation.

Demands for Answers

Local legislators have demanded answers to questions surrounding the incident, with Puerto Rican Rep. Jesús Manuel Ortiz expressing dissatisfaction over the lack of information. “There are a lot of questions that have not been answered,” Ortiz told the AP, calling on the government to be transparent about the incident. “The government has to explain what happened.”