Victims of spoofed work e-mails suffer losses of over $70m, 149 victims in 2022


SINGAPORE - Since the start of the year, at least 149 people have fallen prey to a scam involving spoofed work e-mails, with losses amounting to at least $70.8 million.

In a statement on Saturday (May 21), the police said the scammers, using a hacked e-mail account or e-mail address, would impersonate the colleagues, business partners or suppliers of the victims.

Often, these spoofed e-mail addresses would include subtle misspellings, or replacement letters, which might not be obvious at first glance.

Victims would get e-mails informing them that there was a change in bank account number, with a request that they make payment to other bank accounts.

Having been duped into believing that the e-mails were genuine, the victims would transfer funds to the new accounts.

In some cases, victims were instructed to purchase gift cards and provide the activation keys for their supervisors.

Victims realised they had fallen prey to a scam only when they checked with their suppliers or supervisors, who clarified that no request was made nor any payment received.

The police say these preventive measures should be adopted:

- Be mindful of any new or sudden changes in payment instructions and bank accounts. Always verify by calling the e-mail sender using previously known phone numbers, instead of those provided in the e-mail.

- Educate employees on this scam, especially those responsible for making fund transfers such as those engaged in purchasing or payroll.

- Prevent your e-mail account from being hacked by using strong passwords, changing them regularly and enabling two-factor authentication, where possible. Consider installing free e-mail authentication tools such as Domain-based Message Authentication, Reporting and Conformance.

- Install anti-virus, anti-spyware/malware and firewalls on your computer, and keep them updated. You may consider installing free Domain Name System protection services such as Quad9.

- Ensure that your operating system is up to date by updating when new patches are made available.

- Never provide the gift card activation key without receipt of payment.

Businesses that have been affected by this scam should contact their banks immediately to request a recall of funds.

For more information on scams, the public can visit this website or call the anti-scam hotline on 1800-722-6688. Anyone with information on such scams can call 1800-255-0000 or submit information here.
