After compromising the email account of a government official at one agency, targeted phishing attacks were sent from this trusted contact to other government agencies purporting that bank accounts for receiving their payments had changed. Puerto Rico’s Industrial Development Company sent over $2.6 million while the Tourism Company paid $1.5 million to fraudster-controlled accounts held on the US mainland.
Spear phishing refers to targeted phishing campaigns that first target persons of trust within an organization before using their clout to target persons of power or fiscal duties at the same or another organization. Whereas standard phishing is commonly targeted at consumers, spear phishing goes after “whales,” or large targets that can yield a large payout, and primarily target business, governments and municipalities who frequently make high-dollar payments or transfers.
In the case of recent spear phishing attacks against Puerto Rico, this involved targeting people across different government agencies. This began by compromising an employee’s computer with Puerto Rico’s Employee Retirement System. The fraudster then sent emails from this employee’s account, impersonating this person of trust to tell others they were changing bank account numbers for accounts receivable. At least two agencies took the bait.
The Industrial Development Company of Puerto Rico made two payments to fraudster-owned bank accounts: $63,000 in December followed by $2.6 million in January. Puerto Rico’s Tourism Company made one payment of $1.5 million. The spear phishing scam was uncovered in February when the employee who had their computer and email compromised called both agencies to check on the status of payments that were now late. Having already sent the payments, the agencies then knew to contact law enforcement.
The FBI is currently investigating how the computer of the employee of Puerto Rico’s Employee Retirement System was compromised. Although more than $4 million was sent to wrong accounts authorities have been able to freeze $2.9 million which should ultimately be recovered.
For more information: