A phishing scam has swindled a Puerto Rico government agency out of more than $2.6 million, according to reports.
The email-based phishing scam hit Puerto Rico’s Industrial Development Company, a government-owned corporation aimed at driving economic development on the island along with local and foreign investors.
The agency reportedly received an email alleging a change to a banking account tied to remittance payments, which are transfers of money (often by a foreign worker) to an individual in their home country. The agency sent this payment to a fraudulent account on Jan. 17.
“This is a very serious situation, extremely serious,” Manuel Laboy, executive director of the agency, told the Associated Press. “We want it to be investigated until the last consequences.”
The agency filed a police complaint on Wednesday regarding the scam, but questions remain about how the scam was discovered, whether the agency’s operations have been impacted, and more. Threatpost has reached out to the Industrial Development Company for further information.
Phishing scams continue to hit companies hard in terms of losses. Just this week, the FBI said in its IC3 annual cybercrime report that phishing and similar ploys were a top crime complaint reported to the FBI in 2019. Another form of email-based scam, business email compromise (BEC) – which the FBI said cost victims $1.7 billion in 2019 – has also continued to target large corporations and governments for profit.
In 2019, these types of attacks scammed media conglomerate Nikkei ($29 million), a Texas school district ($2.3 million) and even a community housing nonprofit ($1.2 million). Other victims of scams include the City of Ocala in Florida, which was swindled out of $742,000, and a church in Brunswick, Ohio that was scammed out of $1.75 million in August.
Authorities say that keeping an eye out for fraud and verifying any financial requests in person is the best way to avoid phishing and BEC scams.
“In the same way your bank and online accounts have started to require two-factor authentication—apply that to your life,” Donna Gregory, the chief of IC3, said this week. “Verify requests in person or by phone, double check web and email addresses, and don’t follow the links provided in any messages.”