The Police would like to remind the public and companies to be vigilant against business email impersonation scams. Between 1 January and 31 March 2020, the Police received more than 100 reports of such scams, with more than S$9.2 million lost. The number of cases reported increased by 30% compared to the same period in 2019, with more than $12.8 million lost.
In these cases, the victims had responded to email requests, seemingly from their business partners, suppliers or employees, asking for funds to be transferred to a new bank account. The victims later discovered that the email senders had used hacked or spoofed email accounts after the transfers were made to the new bank accounts. In other cases, the fraudsters pretended to be the victims’ supervisors asking the victims to purchase iTunes or Google Play cards and to send the redemption codes after paying for the stored value cards.
In order to deceive the victims, scammers may also closely mimic genuine emails by using the same business logos, links to the company’s website, or names of existing employees to make the email requests seem authentic. This is done to make the victims believe that they have received a genuine email. Spoofed email addresses used by the scammers may not be obvious at first glance and they often include slight misspellings or replacement of letters. These are some examples:
Genuine email address
Spoofed email address
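A mail team can automate the "slight misspellings or replacement of letters" check described above. The sketch below is an added example, not part of the original advisory: the partner domains, sample senders, substitution table and function names are all constructed assumptions, and it flags sender domains that are close to, but not exactly, a domain already in your records.

```python
import unicodedata

# Constructed allow-list: domains of partners/suppliers already in your records.
KNOWN_DOMAINS = {"acme-supplies.example", "northwind.example"}

# Illustrative (not exhaustive) look-alike substitutions: sequence -> what it resembles.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))

def skeleton(domain):
    """Fold a domain to a canonical form so visually similar spellings compare equal."""
    folded = unicodedata.normalize("NFKC", domain).lower()
    for lookalike, plain in CONFUSABLES:
        folded = folded.replace(lookalike, plain)
    return folded

def edit_distance(a, b):
    """Edits (insert, delete, substitute, swap adjacent letters) turning a into b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify_sender(address, known=KNOWN_DOMAINS, max_distance=2):
    """Return ("known"|"lookalike"|"unknown", matched_domain_or_None)."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in known:
        # A match only means the spelling is right; a hacked account still
        # passes, so changed payment instructions are verified by phone.
        return ("known", domain)
    for good in sorted(known):
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= max_distance:
            return ("lookalike", good)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample senders, not taken from any real case.
    for sender in ("accounts@acme-supplies.example", "accounts@acrne-supplies.example",
                   "billing@northwlnd.example", "sales@unrelated-vendor.example"):
        print(sender, "->", classify_sender(sender))
```

A "lookalike" result is a prompt to hold the payment and verify by phone, not proof of fraud; very short domains can sit within two edits of each other by coincidence.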
During this COVID-19 Circuit Breaker period, many companies will have staff work from home and may require them to continue processing payments remotely. These new arrangements may result in less or no supervisory oversight, and scammers will likely take advantage of this situation to attempt to perpetrate more business email impersonation scams.
Companies should adopt the following crime prevention measures:
a) Educate your staff to be mindful of any new or sudden changes in payment instructions and bank accounts. Always verify these instructions by calling the email sender. Always use phone numbers in your records, instead of unknown numbers provided in the fraudulent email.
b) Create awareness among your employees of this scam, especially those who are responsible for approving payments and making fund transfers, such as making purchases or managing HR payroll. If these employees are working from home during the Circuit Breaker period, consider putting in place additional layers of checks before payments and fund transfers are made.
c) Prevent your company’s generic email account from being hacked by using strong passwords, changing them regularly, and enabling Two-Factor Authentication (2FA) where possible.
d) Consider installing email authentication tools such as Domain-based Message Authentication, Reporting and Conformance (DMARC; dmarc.globalcyberalliance.org), which can help detect fraudulent emails.
e) Install anti-virus, anti-spyware/malware and firewall software on your computer, and keep them updated. You may consider installing free Domain Name System (DNS) protection services such as Quad9 (quad9.net) to protect against such attacks. Lastly, update your Operating System (OS) when new patches are made available.
You can also visit Cyber Security Agency’s GoSafeOnline website for more tips on securing your business at https://www.csa.gov.sg/gosafeonline.
If you or your business has been affected by this scam, call your bank immediately to recall the funds. If you wish to provide any information related to such scams, please call the Police hotline at 1800-255-0000, or submit it online at www.police.gov.sg/iwitness. If you require urgent Police assistance, please dial ‘999’.
To seek scam-related advice, you may call the anti-scam helpline at 1800-722-6688 or go to www.scamalert.sg. Join the ‘Let’s Fight Scams’ campaign at www.scamalert.sg/fight by signing up as an advocate to receive up-to-date messages and share them with your family and friends. Together, we can help stop scams and prevent our loved ones from becoming the next scam victim.
SINGAPORE POLICE FORCE
06 May 2020 @ 5:50 PM