Cybercriminals do not always need complex software tools or sophisticated fraud campaigns to trick victims; sometimes a few pieces of information and some emails are enough. According to network security specialists, Puerto Rico’s government lost about $2.5 million USD after a public employee fell victim to a phishing scam.
Rubén Rivera, chief financial officer of the Puerto Rico Industrial Development Company, said at a press conference that threat actors tricked an official into making a bank transfer to a fraudulent account. The incident has already been reported to the
Rivera said that the government agency made the money transfer last January 17, in response to an email reporting an alleged change in a bank account related to the payment of remittances. Manuel Laboy, the agency’s chief executive, said that his network security team detected the fraud only a few days ago; the report has even reached the Federal Bureau of Investigation (FBI).
Laboy added that an internal investigation is already underway, as the government of Puerto Rico intends to audit the agency’s network security and determine whether any omissions within the agency facilitated the work of the hackers. The defrauded agency’s managers declined to comment on additional details about the phishing incident, such as the position of the official targeted by the attack or the internal impact of the fraud. In addition, the Government of Puerto Rico expects the federal agency to track the fraudulent account and recover the money.
According to the International Institute of Cyber Security (IICS), phishing campaigns remain one of the main attack variants employed by hackers thanks to their low cost and effectiveness. The FBI recently released its annual Internet crime report, which mentions that the agency received nearly 500,000 cybercrime complaints during 2019. Of the total complaints, more than 100,000 are related to phishing attacks/scams and other variants of email fraud.