$56.2m lost to business e-mail scams in first 3 months of 2022

In the first three months of this year, around 93 victims lost at least $56.2 million to business e-mail compromise scams, said the police yesterday. This sum is almost 10 per cent of the $633.3 million lost to all scams last year.

Business e-mail compromise scams involve the sending of e-mails supposedly from the victims' colleagues, business partners or suppliers, informing them of a change to their company's bank account number. Unknown to the victims, these e-mails are sent by scammers, who have hacked into the e-mails of these business contacts or who are sending them from spoofed e-mail addresses.

Yesterday, the police said their Anti-Scam Centre worked with DBS Bank to recover more than US$10 million (S$13.8 million) for a United States-based victim in the finance industry. The victim had been duped into making several large transactions amounting to US$14 million to bank accounts held with DBS, after receiving spoofing e-mails purportedly from a client.

The recovery, done on May 2, is the largest sum the authorities have recovered from a single case.

The police said: "The Anti-Scam Centre received a report on the case and immediately worked with DBS to conduct fund flow tracing, which led to the identification and freezing of all the accounts controlled by the scammer."

This enabled DBS and the police to prevent the loss of most of the transactions, although US$4 million had already been transferred out of Singapore.

Over the next few days, two separate cases were linked to the same syndicate allegedly behind this heist. The police said: "In total, the amount recovered from this scam series was about US$11.5 million. The police are working closely with stakeholders to recover the remaining money lost."

For its efforts, the DBS Anti-Scam Team received the SPF Community Partnership Award at a ceremony yesterday.

Mr David Chew, director of the police's Commercial Affairs Department, said: "The responsiveness and quick actions of the bank staff enabled the successful recovery of the foreign victims' money, even though the initial report was received on a weekend."

Communications and technology professor Lim Sun Sun from the Singapore University of Technology and Design said: "Scammers make e-mails as brief as possible to give away fewer tell-tale signs, while still conveying the need for a task to be completed.

"They can easily find the organisational charts of these companies online, and (they) targeted middle and senior managers who clearly have people reporting to them and spoofed their e-mails."

Mr Andy Prakash, co-founder of cyber-security firm Privacy Ninja, noted how in such scams, the recipients of these e-mails may not be able to spot any signs that the e-mail is spoofed, if they do not have phishing e-mail detection tools installed.

He said: "Using a software, scammers can send a victim an e-mail from an address which looks identical to (the e-mail address of) the sender they are impersonating, and unless you know how to identify the original sender found inside the metadata of the e-mail, you will not be able to spot the difference."

The police remind businesses to be wary of any new or sudden changes in payment instructions.

They should verify these instructions by calling the senders of such e-mails, using phone numbers they already have instead of those provided in the fraudulent e-mails.

Join ST's Telegram channel and get the latest breaking news delivered to you.

A version of this article appeared in the print edition of The Straits Times on July 30, 2022, with the headline $56.2m lost to business e-mail scams in first 3 months of 2022. Subscribe