As if Puerto Rico wasn’t having a hard enough time as it attempts to recover from a recession, the damage caused by devastating hurricanes in recent years, and a damaging earthquake last month, it now finds itself being exploited by cybercriminals.

According to media reports, the government of the US island territory has lost more than US $2.6 million after falling for the type of email scam that has plagued companies and organisations around the world.

Rubén Rivera, the finance director of Puerto Rico’s Industrial Development Company, filed a complaint with local police yesterday that his government agency had mistakenly transferred the money into a bank account run by scammers.

Over $2.6 million was reportedly wired into the fraudulent bank account, after the agency received an email requesting a change to the bank account tied to remittance payments.

According to the agency’s executive director, Manuel Laboy, officials only realised that the payment had gone into the wrong account earlier this week, and the FBI was immediately informed.

It is unclear whether the Puerto Rico government will be able to recover the lost money – news which will, no doubt, frustrate islanders.

From the sound of things, this was a classic Business Email Compromise (BEC) scam.

One common technique used by BEC fraudsters is to break into email accounts (perhaps having stolen login credentials through a phishing attack), discover what projects and work are being done for a company by third-party suppliers, and then trick finance departments into believing that the details of the bank account into which they are making payments have changed.

But you don’t need to have compromised an organisation’s email account to successfully pull off a BEC scam. You could simply purchase a lookalike domain name in the hope that you’ll trick an employee into (Read more...)
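Both routes described above can be screened for before a payment instruction reaches the finance team. The following is an added example, not code from the article or from any agency it mentions; the supplier domains, substitution list, thresholds and verdict names are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed supplier allow-list (hypothetical; not from the article).
TRUSTED_DOMAINS = {"acme-supplies.example", "northwind-logistics.example"}
# Visual substitutions folded to one form before comparing domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]
PAYEE = re.compile(r"\b(bank|account|remittance|wire)\b", re.I)
CHANGE = re.compile(r"\b(chang\w*|updat\w*|new)\b", re.I)

def skeleton(domain):
    d = domain.lower().replace("-", "")
    for seq, repl in CONFUSABLES:
        d = d.replace(seq, repl)
    return d

def edit_distance(a, b):
    # Classic Levenshtein distance, computed one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, max_distance=2):
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(skeleton(domain), skeleton(trusted)) <= max_distance:
            return ("lookalike", trusted)
    return ("unknown", None)

def triage(from_header, subject):
    verdict, _ = classify_sender(from_header)
    if verdict == "lookalike":
        return "quarantine-lookalike"
    # A hijacked genuine mailbox passes the domain check, so any request to
    # change payee details is held for a call-back on a known phone number.
    if PAYEE.search(subject) and CHANGE.search(subject):
        return "verify-out-of-band"
    return "deliver"

if __name__ == "__main__":
    # Constructed sample messages.
    for sender, subject in [
        ("Accounts <billing@acrne-supplies.example>", "Updated remittance bank account"),
        ("billing@acme-supplies.example", "Please update our bank account for remittance"),
        ("billing@acme-supplies.example", "Invoice 1042 attached"),
    ]:
        print(triage(sender, subject), "|", sender, "|", subject)
```

The second sample is the important one: the sender domain is genuine, so only the content rule holds the message for verification.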