How hackers stole $2.5M USD from Puerto Rico government via a simple phishing email

Cybercriminals do not always need complex software tools or sophisticated fraud campaigns to trick victims; sometimes a few pieces of information and some emails are enough. According to network security specialists, Puerto Rico’s government lost about $2.5 million USD after a public employee fell victim to a phishing scam.

Rubén Rivera, chief financial officer of the Puerto Rico Industrial Development Company, said at a press conference that threat actors tricked an official into making a bank transfer to a fraudulent account. The incident has already been reported to the authorities.

Rivera said that the government agency made the money transfer on January 17, in response to an email reporting an alleged change to a bank account used for remittance payments. Manuel Laboy, the agency’s chief executive, said that his network security team did not detect the fraud until a few days ago; the report has also reached Federal Bureau of Investigation (FBI) officials.

Laboy added that an internal investigation is already underway, as the government of Puerto Rico intends to audit the agency’s network security and determine whether any omissions within the agency facilitated the work of the hackers. The defrauded agency’s managers declined to comment on additional details about the phishing incident, such as the position of the official targeted by the attack or the internal impact of the fraud. In addition, the Government of Puerto Rico expects the federal agency to track the fraudulent account and recover the money.

According to the International Institute of Cyber Security (IICS), phishing campaigns remain one of the main attack variants employed by hackers thanks to their low cost and effectiveness. The FBI recently released its annual Internet crime report, which states that the agency received nearly 500,000 cybercrime complaints during 2019. Of those complaints, more than 100,000 relate to phishing attacks and scams and other variants of email fraud.