Four Puerto Rican government agencies fell victim to a phishing scheme in January 2020, sending millions of public pension fund dollars to cybercriminals within a short stretch of time. Thankfully, officials unearthed the scam soon after the transfers occurred; unfortunately, only part of the money transmitted was recovered by authorities.
The phishing scheme began when a hacker(s) breached an employee’s computer at Puerto Rico’s Employment Retirement System in December 2019. Personnel of Puerto Rico’s Industrial Development Company then received a falsified email informing them of a change to a banking account tied to remittance payments and responded by sending $2.6 million to the fraudulent account January 17. A similar scheme simultaneously occurred with Puerto Rico’s Commerce and Export Company who sent the cybercriminal(s) $63,000. RELATED: HIPAA Compliant Email Puerto Rico’s Tourism Company sent $1.5 million. In total, the well-coordinated online scam stole over $4 million. Officials discovered the problem when someone at the retirement agency asked why it had not received its payments. As of today, authorities have frozen only $2.9 million of the total sent. Officials are unfortunately still unsure what personally identifiable information the hacker(s) stole, which could have dire, lasting consequences. Ongoing investigations by the Federal Bureau of Investigation (FBI) and various departments of the Puerto Rican government attempt to understand how this could happen and by who.
According to the FBI’s recently released 2019 Internet Crime Report, phishing and related scams remain a top complaint. In fact, of the 467,361 complaints, 114,702 victims reported phishing and related schemes. Business email compromise cost victims $1.7 billion. The total lost by all complainants exceeded $3.5 billion and have grown in the last 5 years. In 2015, $1.1 billion was lost; in 2018, $2.7 billion. Such increases, along with the proliferation of advanced, well-coordinated attacks, demonstrate the importance of and need for strong cybersecurity.