Over 110 reports of business e-mail impersonation scams in 2017, victims cheated of $13 million: Police

Police said most cases of e-mail impersonation scams typically involve businesses that have overseas dealings and which use e-mail as their main mode of communication.

SINGAPORE - More than 110 reports on business e-mail impersonation scams have been made since the start of the year, police said in a statement on Thursday (June 22).

This is an increase of about 20 per cent from the same period in 2016.

The total amount victims have lost through such scams in 2017 has exceeded $13 million - a slight decrease from the $15 million cheated for the same period last year.

In its advisory on Thursday, police said most cases typically involved businesses that had overseas dealings and which used e-mail as their main mode of communication.

The victims were deceived into transferring money to foreign bank accounts for business payments. They believed that they were paying their regular business partners, only to discover later that the requests for payment were not made by their business partners, and the accounts did not belong to them.

In many of the cases, the police believe that the scammers may have hacked into either the e-mail accounts of the victims or their suppliers in order to familiarise themselves with their e-mail correspondence.

The scammers would then use the supplier's e-mail account or create a spoofed e-mail account, closely resembling that of the supplier, to send e-mail instructions to the victims, asking them to transfer payments to a new bank account.

Some examples of spoofed e-mail addresses included "abc@deshpping.com" instead of the genuine address "abc@deshipping.com", and "I23@gmail.com" instead of "123@gmail.com".
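Lookalike addresses such as the two quoted above can be caught mechanically before a payment request is acted on. The following Python check is an added example, not part of the police advisory; the allow-list, the confusable-character map and the distance threshold are assumptions chosen for illustration.

```python
# Added example: flag sender addresses that imitate a known partner address.
# KNOWN_PARTNERS is a constructed allow-list using the article's genuine addresses.
KNOWN_PARTNERS = {"abc@deshipping.com", "123@gmail.com"}

# Assumed, deliberately small map of visually confusable characters (applied
# after lowercasing): "I"/"l" read as "1", "o" reads as "0".
CONFUSABLES = str.maketrans({"i": "1", "l": "1", "o": "0"})


def skeleton(address):
    """Collapse confusable characters so look-alike strings compare equal."""
    return address.strip().lower().translate(CONFUSABLES)


def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(sender, known=KNOWN_PARTNERS, max_dist=2):
    """Return ("known"|"lookalike"|"unknown", matched_address_or_None)."""
    s = sender.strip().lower()
    if s in known:
        return ("known", s)
    for k in sorted(known):
        # Same skeleton, or a couple of typos away, but not an exact match.
        if skeleton(s) == skeleton(k) or edit_distance(s, k) <= max_dist:
            return ("lookalike", k)
    return ("unknown", None)


if __name__ == "__main__":
    for addr in ["abc@deshipping.com", "abc@deshpping.com",
                 "I23@gmail.com", "sales@example.org"]:
        print(addr, "->", classify(addr))
```

A "lookalike" result is a cue to verify the request by phone on a previously known number, as the advisory recommends, not proof of fraud on its own.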

In order to deceive the victims, the scammers would also sometimes closely mimic the e-mails of the real suppliers, for instance by using the same business logos, links to the company's website, or messaging format.

The unsuspecting victims would thus believe that they had received a genuine e-mail from their suppliers and transfer money to the new bank account. These victims would only know that they had fallen prey to the scam when their supplier informed them subsequently that they had not received the money.

The police said that on January 22 last year, a local company had received an e-mail that claimed to have been sent by their overseas business partner with instructions to make a payment of US$56,790 (S$78,943) to purchase equipment. Not realising that their business partner's e-mail had been compromised, the company transferred the money to the foreign bank account provided in the e-mail as instructed.

The company only realised that their business partner's e-mail account had been compromised when they discovered minor discrepancies in the e-mail addresses used by the sender.

They then called their business partner, who confirmed that he had not sent the e-mail to them. Fortunately, the company's funds were successfully recalled as the remitted funds were still in the foreign bank account.

The police warn, however, that not all cases have such happy endings.

Although the police have been working closely with financial institutions and foreign counterparts to recover the funds of scam victims, successful recoveries are rare as the scammers usually transfer the funds out of the foreign bank accounts very quickly, thus making recovery difficult.

The police advise that businesses adopt the following preventive measures:

  • Prevent your e-mail account from being hacked by using strong passwords, changing them regularly, and enabling two-factor authentication;
  • Install anti-virus, anti-spyware/malware, and firewalls on your computer, and keep them updated. Use the latest computer Operating Systems and keep them updated when new patches are available;
  • Be mindful of any sudden changes in the payment instructions and bank accounts provided by your business partners or creditors;
  • Call to verify changes in payment instructions and bank accounts. Previously known phone numbers should be used instead of the numbers provided in the fraudulent e-mail;
  • Educate your employees on this scam, especially those that are responsible for making fund transfers.

If your business has been affected by a scam of this sort, the police request that you contact your bank immediately to recall the fund transfers.

To seek scam-related advice, you may call the anti-scam helpline on 1800-722-6688 or go to www.scamalert.sg.