Puerto Rico Government Loses $2.6m in Phishing Scam

A Puerto Rican government agency unintentionally gave cyber-criminals $2.6m after being taken in by an email phishing scam.

A senior official of the island's government confirmed that money allocated for remittance payments had been wired by a government agency to what appeared to be a genuine bank account on January 17. It later transpired that the account was fraudulent. 

The money was transferred by an unsuspecting employee of Puerto Rico's Industrial Development Company, a government-owned corporation whose mission is to work with local and foreign investors to drive economic development on the island.

The agency's finance director said a complaint was filed with police on Wednesday in relation to the incident, which was uncovered earlier this week.

According to a police statement, director of the Industrial Development Company Rubén Rivera said the government agency made the transfer after receiving an email regarding a change in how remittance payments should be processed.

The email falsely claimed that the existing bank account used for remittance payments should no longer be used for this purpose and informed the agency that the money should be sent to a new bank account. It was this new account that turned out to be fraudulent and in the control of cyber-criminals. 

Word of the incident was first reported yesterday by the Associated Press, though no details were given as to how the deception was uncovered. It is unclear whether Puerto Rican officials have been able to recover any of the $2.6m or who may have been behind the scam. 

"This is a very serious situation, extremely serious," Manuel Laboy, executive director of the Industrial Development Company, told the Associated Press. 

"We want it to be investigated until the last consequences."

Email phishing scams were a top crime complaint reported to the Federal Bureau of Investigation (FBI) in 2019, according to the IC3 annual cybercrime report released by the bureau earlier this week. 

Last year, this type of attack swindled media conglomerate Nikkei out of $29m, scammed $2.3m from a Texas school district, and conned a British community housing non-profit into forking over $1.2m.
