At least 93 victims lost $56.2m to business e-mail compromise scams from Jan to March 2022: Police

Business e-mail compromise scams involve the sending of e-mails supposedly from the victims' colleagues, business partners or suppliers. PHOTO ILLUSTRATION: ST FILE

SINGAPORE - In the first three months of 2022, around 93 victims lost at least $56.2 million to business e-mail compromise (BEC) scams, said the police on Friday (July 29).

This sum is almost 10 per cent of the $633.3 million lost to all scams in Singapore in 2021.

BEC involves the sending of e-mails supposedly from the victims' colleagues, business partners or suppliers informing them of a change to their company's bank account number.

Unknown to the victims, these e-mails are sent by scammers, who have hacked into the e-mails of these business contacts or who are sending them from spoofed e-mail addresses.

On Friday, the police said its Anti-Scam Centre worked with DBS Bank to recover more than US$10 million (S$13.7 million) for a United States-based victim in the financial industry.

The victim had been duped into making several large transactions amounting to US$14m to bank accounts held with DBS, by spoofing e-mails purportedly from the victim's client.

The recovery, which was done on May 2, is the largest sum the authorities have recovered from a single case.

The police said: "The Anti-Scam Centre received a report on the case and immediately worked with DBS to conduct fund flow tracing, which led to the identification and freezing of all the accounts controlled by the scammer."

This enabled DBS and the police to prevent the loss of most of the transactions, although US$4m had already been transferred out of Singapore.

Over the next few days, two separate cases were linked to the same syndicate allegedly behind this heist.

The police said: "In total, the amount recovered from this scam series was about US$11.5 million. The police are working closely with its stakeholders to recover the remaining money lost."

For its efforts, the DBS Anti-Scam Team received the SPF Community Partnership Award at a ceremony on Friday.

Mr David Chew, director of the Commercial Affairs Department, said: "The responsiveness and quick actions of the bank staff enabled the successful recovery of the foreign victims' money, even though the initial report was received on a weekend."

Commercial Affairs Department director David Chew (left) presenting the award to Mr Alan Teng, the head of DBS' Anti-Scam team. PHOTO: SINGAPORE POLICE FORCE

Other variations of the BEC scam include scammers impersonating the victims' supervisors and asking them to buy gift cards.

The victims would realise they had fallen prey only when they clarified with their supplier or supervisor and realised they did not make any request or receive any payment.

Communications and technology professor Lim Sun Sun from the Singapore University of Technology and Design recalled how a few years ago, a male colleague had received an e-mail purportedly sent by her, asking for help to buy a Google Play store top up card. 

She said: “Scammers make e-mails as brief as possible to give away fewer tell-tale signs while still conveying the need for a task to be completed. But my colleagues did not fall for the scam as they knew I would not typically write such a curt e-mail. 

“Scammers can easily find the organisational charts of these companies online and targeted middle and senior managers who clearly have people reporting to them and spoofed their e-mails.” 

Mr Andy Prakash, co-founder of cyber-security firm Privacy Ninja, noted how in such scams, recipients of these e-mails may not be able to spot any signs that the e-mail is spoofed, if they do not have phishing e-mail detection tools installed. 

He said: “Using a software, scammers can send a victim an e-mail from an address which looks identical to the sender they are impersonating and unless you know how to identify the original sender found inside the metadata of the e-mail, you will not be able to spot the difference.” 

The police reminded businesses to be mindful of any new or sudden changes in payment instructions. 

They should verify these instructions by calling the senders of such e-mails, using phone numbers they already have instead of those provided in the fraudulent e-mails.

To prevent work e-mail accounts from being hacked, organisations can use strong passwords, change them regularly and enable two-factor authentication whenever possible.

Businesses affected by such scams should call their bank immediately.

Those with information related to such scams are advised to call the police hotline on 1800-255-0000 or submit it online at their website.

For more information on scams, visit the Scam Alert website or call the anti-scam hotline on 1800-722-6688.

Join ST's Telegram channel and get the latest breaking news delivered to you.