The Police have observed an increase in email impersonation scams. From January to September 2016, a total of 165 cases had been reported, an increase of 20% compared to the same period last year. In 2016 alone, the total amount lost through this type of scam is approximately $19 million.
The email impersonation scam usually involve businesses with overseas dealings and use email as their main mode of communication. Scammers first hack into either the victim’s or victim’s business partner’s email accounts. They will obtain information from emails and impersonate someone whom the victim has dealings with, such as a business partner. They then create spoofed email accounts to communicate with the victim and ask for money.
Spoofing can be done by creating and using a new email address that very closely resembles the genuine email address. (See examples below.)
|
Genuine Email |
Spoofed Email |
The victim may not notice the difference in email addresses, and assume it was receiving a genuine email. Scammers may also closely mimic emails of the real business partner, for example, by using the same business logo and message format, and sometimes including links to websites that are convincingly similar to the real business partner’s homepage.
Scammers will use spoofed email accounts to inform the victim that there is a problem with the usual bank account. The scammer will then provide details of a new bank account which payment should be made to.
The Police have been working closely with foreign counterparts and managed to recover more than USD 100,000 for one of the email impersonation scam case.
On 27 May 2016, a local company had received an email from its overseas business partner requesting for money. They were unaware that the business partner’s email account was compromised and scammers had impersonated them and asked for money to be transferred to a bank account in another country. Believing the email to be genuine, they transferred money to the foreign bank account and realised a few days later when their business partner informed them that they did not receive the money.
Upon receiving this case, the Police conducted investigations and contacted its foreign counterpart to recover the funds. It was fortunate that a portion of the remitted funds were still in the foreign bank account and was recoverable. Successful recoveries like this are few and far between. This is because scammers would typically swiftly cause funds to be completely transferred out of the bank accounts they control.
If you discover that your business is a victim of such a scam, contact your bank immediately to recall the funds, and report the matter to the Police.
To avoid becoming a victim of email impersonation scam, Police advise businesses to take the following precautions:
-
To prevent your own email account from being hacked:
· Use strong passwords and change passwords of email accounts regularly;
· Enable two-factor authentication for your email accounts;
· Install anti-virus, anti-spyware/malware and firewall on your computer and keep them updated
-
As it could be your business partner’s email accounts that are hacked:
· Be mindful of any sudden changes in your business partners or creditors' payment instruction and accounts. If in doubt, verify changes in bank account details using phone verification. Previously known telephone numbers should be used instead of the numbers provided in the emails as it may be compromised; and
· Educate your employees on this scam, especially employees responsible for making fund transfers.
SINGAPORE POLICE FORCE
14 November 2016 @ 9:00 AM