The Police would like to alert the public to business email compromise scams, in which scammers impersonate victims’ business partners or employees through spoofed emails. Since January 2022, at least 149 victims have fallen prey, with losses amounting to at least $70.8 million.
In these cases, the scammers would impersonate victims’ colleagues, business partners or suppliers using a hacked email account or a spoofed email address. The spoofed email addresses used by the scammers often include slight misspellings or replacement of letters, which may not be obvious at first glance. The email would inform the victims that there was a change in their companies’ bank account number and request them to transfer payments to another bank account. The victims would believe that they had received a genuine email and transfer money to the new bank account. In some cases, the victims were asked to assist their supervisor to purchase gift cards and provide the activation keys. The victims would only find out that they had fallen prey to the scam when they clarified with their supplier or supervisor and realised that the latter had not made any request or received any payment.
Businesses are advised to adopt the following preventive measures:
- Be mindful of any new or sudden changes in payment instructions and bank accounts. Always verify these instructions by calling the email sender. Previously known phone numbers should be used instead of the numbers provided in the fraudulent email.
- Educate your employees on this scam, especially those who are responsible for making fund transfers, such as those engaged in purchasing or HR payroll. This is especially important as a single mistake could seriously affect a small or medium-sized company.
- Prevent your email account from being hacked by using strong passwords, changing them regularly, and enabling Two-Factor Authentication (2FA) where possible. Consider installing free email authentication tools such as Domain-based Message Authentication, Reporting and Conformance (DMARC) (dmarc.globalcyberalliance.org), which can help detect fraudulent emails.
- Install anti-virus, anti-spyware/malware, and firewalls on your computer, and keep them updated. You may consider installing free Domain Name System (DNS) protection services such as Quad9 (quad9.net) to protect against such attacks.
- Ensure that your Operating System (OS) is up-to-date and update the OS when new patches are made available.
- Never provide the gift card activation key without receipt of payment.
If your business has been affected by this scam, call your bank immediately to request a recall of funds.
For more information on scams, members of the public can visit www.scamalert.sg or call the Anti-Scam Hotline at 1800-722-6688. Anyone with information on such scams may call the Police Hotline at 1800-255-0000 or submit information online at www.police.gov.sg/iwitness. All information will be kept strictly confidential.
Examples of spoofed email addresses
SINGAPORE POLICE FORCE
21 May 2022 @ 11:25 AM