Police tell employers to educate staff to avoid being victimised
The Singapore Police Force has revealed that organisations have lost at least $70.8 million to business email compromise scams, as it urged employers to educate their staff to avoid getting victimised.
According to a police media release, the $70.8 million was lost by 149 victims who have fallen for the scams since January 2022.
As part of the scam, the perpetrators would impersonate the victims' business partners, employees, or colleagues via spoofed emails or hacked email accounts.
"The spoofed email addresses used by the scammers often include slight misspellings or replacement of letters, which may not be obvious at first glance," said the police.
Through these emails, the scammers would inform their victims of a change in their companies' bank account number and ask them to transfer payments to another bank account.
"In some cases, the victims were asked to assist their supervisor to purchase gift cards and provide the activation keys," reported the police.
It said that the victims would only find out that they had fallen prey to the scam when they clarified the incident with their supervisor, only to learn that the requests did not come from them.
Because of the millions lost to the scam, the police force issued a string of reminders to help businesses avoid being victimised by scammers. One of its recommendations is to inform and educate employees about the scam.
"Educate your employees on this scam, especially those that are responsible for making fund transfers, such as those engaged in purchasing or HR payroll," said the police force.
"This is especially important as a single mistake could seriously affect a small or medium sized company."
Aside from this, the police also urged businesses to:
- Be mindful of any new or sudden changes in payment instructions and bank accounts. Always verify these instructions by calling the email sender. Previously known phone numbers should be used instead of the numbers provided in the fraudulent email.
- Prevent email accounts from being hacked by using strong passwords, changing them regularly, and enabling Two-Factor Authentication (2FA) where possible. Consider installing free email authentication tools such as Domain-based Message Authentication, Reporting and Conformance (DMARC) (dmarc.globalcyberalliance.org), which can help detect fraudulent emails.
- Install anti-virus, anti-spyware/malware, and firewalls on the computer, and keep them updated. Consider installing free Domain Name System (DNS) protection services such as Quad9 (quad9.net) to protect against such attacks.
- Ensure that the Operating System (OS) is up-to-date and update the OS when new patches are made available.
- Never provide the gift card activation key without receipt of payment.
"If your business has been affected by this scam, call your bank immediately to request for recall of funds," the police force added.