POLICE ADVISORY ON VARIANT OF BUSINESS EMAIL COMPROMISE SCAM

The Police would like to alert the public to a variant of the Business Email Compromise scam. Since January 2019, the Police have received at least 90 reports of this variant, with at least $987,000 lost.

In these cases, the victims had responded to emails purportedly sent by their colleagues or employers, instructing them to purchase iTunes or Google Play cards for various work-related reasons such as gifts for clients or staff. The victims were then instructed by the scammers to send over the redemption code of the gift cards.

In past cases of Business Email Compromise scams, scammers have impersonated as CEOs, business partners, suppliers and employees of companies to request victims to transfer funds to specified accounts, claiming that the money was for business partners or salaries of other employees. Unknown to the victims, these were accounts that were controlled by scammers.

Scammers have been known to use hacked or spoofed email accounts, or email addresses that appear similar to deceive their victims. Scammers may also closely mimic emails by using the same business logos, links to the company's website, or messaging format. In some instances, they would also enclose copies of the bankbook bearing the names of employees in such emails to make the requests seem authentic. The victims would believe that they had received a genuine email and transfer money to the new bank account. They would find out that they had fallen prey to the scam when their supplier or employee informed them subsequently that they did not receive the money, or when they noticed the discrepancies in the email address, or after checking with their colleagues.

Businesses are advised to adopt the following preventive measures:

a. Be mindful of any new or sudden changes in payment instructions and bank accounts. Always verify these instructions by calling the e-mail sender. Previously known phone numbers should be used instead of the numbers provided in the fraudulent email.

a. Educate your employees on this scam, especially those that are responsible for making fund transfers for purposes such as making purchases or managing HR payroll.

i. Prevent your email account from being hacked by using strong passwords, changing them regularly, and enabling Two-Factor Authentication (2FA) where possible. Consider installing free email authentication tools such as Domain-based Message Authentication, Reporting and Conformance, DMARC (dmarc.globalcyberalliance.org), which can help detect fraudulent emails.

i. Install anti-virus, anti-spyware/malware, and firewall on your computer, and keep them updated. You may consider installing free Domain Name System (DNS) protection services such as Quad9 (quad9.net) to protect against such attacks. Lastly, update your Operating System (OS) when new patches are made available.

If your business has been affected by this scam, call your bank immediately to recall the funds.

, or submit it online at 1800-255-0000If you wish to provide any information related to such scams, please call the Police hotline at www.police.gov.sg/iwitness. If you require urgent Police assistance, please dial '999'.

or go to 1800-722-6688To seek scam-related advice, you may call the anti-scam helpline at www.scamalert.sg. Join the 'Let's Fight Scams' campaign at www.scamalert.sg/fight by signing up as an advocate to receive up-to-date messages and share them with your family and friends. Together, we can help stop scams and prevent our loved ones from becoming the next scam victim.

Source: Singapore Police Force