At least $32 million lost to Business Email Compromise scam

| 27 Nov 2019

Between January and September 2019, 276 reports of Business Email Compromise scam were received, with at least $32 million lost. In these cases, the victims had responded to email requests for them to transfer funds to their business partners or their employees as salaries, only to discover that the senders had used hacked or spoofed email accounts after the transfers were made. The accounts, which the victims were requested to transfer the funds to, did not belong to the business partners or employees.

How this scam works:

In past cases of Business Email Compromise scams, scammers have impersonated as CEOs, business partners or suppliers. A new variant of the scam has been observed whereby scammers are impersonating as the company’s employees.

The scammers would use a hacked email account or use a spoofed email address to send email instructions to the victims, asking them to transfer payments to another bank account which were controlled by the scammers.

Spoofed email addresses used by the scammers often include slight misspellings or replacement of letters, which may not be obvious at first glance. These are some examples:

 

In order to deceive the victims, the scammers may also closely mimic emails by using the same business logos, links to the company’s website, or messaging format. Scammers would also enclose copies of the bank book bearing the name of employees in such emails to make the requests seem authentic. The victims would believe that they had received a genuine email and transfer money to the new bank account. The victims would only find out that they had fallen prey to the scam when their supplier or employee informed them subsequently that they did not receive the money.

Prevention measures:

  1. Be mindful of any new or sudden changes in payment instructions and bank accounts. Always verify these instructions by calling the e-mail sender. Previously known phone numbers should be used instead of the numbers provided in the fraudulent email.
  2. Educate your employees on this scam, especially those that are responsible for making fund transfers, such as purchasing or HR payroll.
  3. Prevent your email account from being hacked by using strong passwords, changing them regularly, and enabling Two-Factor Authentication (2FA) where possible.
  4. Install free email authentication tools such as Domain-based Message Authentication, Reporting and Conformance, DMARC (dmarc.globalcyberalliance.org), which can help detect fraudulent emails. 
  5. Install anti-virus, anti-spyware/malware, and firewall on your computer, and keep them updated. You may consider installing free Domain Name System (DNS) protection services such as Quad9 (quad9.net) to protect against such attacks. Lastly, update your Operating System (OS) when new patches are made available.

If your business has been affected by this scam, call your bank immediately to recall the funds.

If you wish to provide any information related to such scams, please call the Police hotline at 1800-255-0000, or submit it online at www.police.gov.sg/iwitness.