Businesses in Singapore have lost around $19 million so far this year, after falling prey to a fast-growing scam where hackers impersonate company executives or business partners in e-mails.
The culprits use spoofed e-mail accounts that closely resemble genuine e-mail addresses to communicate with victims and ask for money.
The latest police figures showed that from January to September this year, there were 165 cases of e-mail impersonation scams. This was up 20 per cent from the same period last year.
The scam usually involves businesses with frequent overseas dealings which communicate with their clients mainly via e-mail.
Mr Nilesh Desai, 43, who heads a small coal-trading company based in Singapore, was among those duped in May. In a matter of days, he lost a total of US$300,000 (S$423,700), after his company's in-house server was hacked and one of his employees was tricked into transferring the amount to an unknown Polish bank account.
The money was meant to be wired to an Indonesian mining company, one of his regular clients.
TIPS FOR BUSINESSES TO GUARD AGAINST E-MAIL IMPERSONATION SCAMS
To prevent your e-mail account from being hacked:
- Use strong passwords and change them regularly
- Enable two-factor authentication
- Install antivirus, anti-spyware/malware and firewall programs on your computer and keep them updated
To ensure that you don't fall prey to e-mails sent using spoofed accounts:
- Be mindful of sudden changes in your business partners' or creditors' payment instructions and accounts
- If in doubt, verify changes in bank account details by phone. Use telephone numbers that are previously known instead of the numbers provided in the e-mails, as the numbers in the e-mails may be compromised
- Educate employees on the scam, especially those responsible for making fund transfers
Mr Nilesh had received the request for payment from the client through e-mail while on a business trip to South Kalimantan.
"It was a routine transaction. So while I was in transit, I sent an e-mail to my finance manager to remit the first amount of US$200,000 over, and I did not think too much about it," he said.
His employee did not notice anything amiss and made the transfer, as the e-mail appeared genuine.
The police said that in some instances, scammers are able to closely mimic e-mails of real business partners by using the same company logo and message format, or by including links to fake websites.
The scammers struck again a few days later, asking for another US$100,000, which he also transferred.
"It was not a small sum for us. We had just started growing as a company, so finding out it was all a scam was definitely a huge blow to me," Mr Nilesh said. "I just didn't think we would be targeted."
He made a police report after realising that his client had not received the payment.
While police investigators were later able to recover about a third of the total amount he had lost, Mr Nilesh said it has still been an "expensive lesson learnt".
Since then, he has started hosting his company's information and data on a cloud network, and ensures that any necessary fund transfers are communicated between staff either face to face or through phone calls.
He said: "Whatever happened to us could happen to anyone, and it could cost millions of dollars.
"Counterchecks are critical and it is important to be proactive in guarding against these scammers."