It happened the evening of Oct. 22, 2020.
An admin staff member from a Singaporean IT company transferred S$6,000 to an unknown bank account, under the illusion that he was liaising with his company's authorised supplier.
The "man-in-the-middle" attack
Known as the Business Email Compromise (BEC) scam or, more colloquially amongst officers, the "man-in-the-middle" attack, the scam involved a very specific modus operandi.
Scammers, typically impersonating CEOs, financial directors, or in this case, suppliers, would "intercept" communications between victims and request that funds be transferred to a designated bank account not belonging to either party.
Stephanie Huang, 35, a National Crime Prevention Council (NCPC) anti-scam hotline officer, was the frontline officer who answered the call for help.
Huang said, "I received the call the morning of Oct. 23, 2020 (around 9am). The director [of the company] was very anxious, asking me, 'I have all this information, but what am I supposed to do to recover my money?'"
Using a spoofed email address, scammers had instructed his staff to transfer money to a bank account they controlled.
The admin staff member had not noticed the incorrect email address at first glance; spoofed email addresses used by scammers often include the slightest of misspellings or replacement of letters.
It was only after the director had noted the new bank account and called the supplier to check that they realised something was off.
Added Huang, "I told the director to lodge a police report immediately, while officers from the Anti-Scam Centre (ASC) worked concurrently to trace the monies."
Greg Sim, 31, Senior Investigation Officer and Deputy Officer-in-charge of ASC, said, "It's real-time intervention. The call comes in, sometimes six figures, sometimes S$6,000. We collaborate closely with Stephanie, who acts as the 'contact point', to process the information and act on it meaningfully."
"To mitigate these losses, we need to freeze these accounts fast, if not the money will be gone. Recovery of money boils down to luck and speed."
The full sum of S$6,000 was subsequently recovered the same day the scam was reported.
39 enquiries a day
As the only anti-scam hotline operator situated within ASC, Huang receives, on average, 39 enquiries a day.
Over the whole of last year, she answered over 10,000 enquiries, received through email, phone calls, or live chat.
Huang, a former Community Policing Officer for three years, says that she first joined ASC in August 2019 to "make a direct impact" on others' lives.
It's not an easy job given that callers are often emotionally frustrated and skeptical of having fallen prey, sometimes even blaming her for getting scammed.
One victim, who was retrenched during circuit breaker last year, had called Huang after falling prey to a love scam. While she had initially agreed to follow Huang's advice to validate the scammer's identity, she ended up calling Huang again a few months later, crying and admitting that the guy had broken off communication and she'd lost large sums of money.
Said Huang, "I felt very upset, as I thought I'd spoken to her and she'd realised it was a scam, but that didn't happen. Because it'd been a while since she transferred [the money], I could not help her."
Sim explains that scammers tend to move monies very fast, making chances of recovery lower once time has lapsed or if money has been transferred out of the country.
He adds, "We want the public to understand that scam prevention is also a personal responsibility. If you notice someone who's been using the same account for the past 10 years suddenly request for transferral to a new account, for example, you should do a verification before doing anything."
Highest amount lost in 2020 was S$9.1 million
In 2019, 373 cases of BEC scams were reported to Police, resulting in a total loss of S$43.1 million.
This increased to 422 reported cases in 2020, resulting in a total loss of S$45.6 million. The highest amount lost was S$9.1 million.
To prevent BEC scams, businesses are advised to adopt the following measures:
- Be mindful of any new or sudden changes in payment instructions and bank accounts. Always verify payment instructions by calling the e-mail sender using previously known phone numbers, instead of numbers provided in the fraudulent email.
- If your business has been affected by this scam, call your bank immediately to recall the funds.
- Educate your employees on this scam, especially those that are responsible for making fund transfers, such as purchasing or HR payroll.
- Prevent email compromise by using strong passwords, changing them regularly, and enabling Two-Factor Authentication (2FA) where possible.
- Install anti-virus, anti-spyware/malware, and a firewall on your computer, and keep them updated.
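The misspelled or letter-swapped sender addresses described earlier can be flagged automatically before a payment instruction reaches staff. The following Python code is an added example, not part of the original article; the supplier domains, sample addresses and function names are constructed for illustration.

```python
from __future__ import annotations
import unicodedata

# Constructed allow-list: domains of suppliers the business already pays.
KNOWN_SUPPLIER_DOMAINS = {"acme-supplies.example", "northwind.example"}
# Small illustrative subset of digit-for-letter swaps; real homoglyph tables are larger.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(domain: str) -> str:
    """Fold a domain to a comparison form: lower-case, strip accents, map
    digit look-alikes, and collapse 'rn' (reads as 'm') and 'vv' (reads as 'w')."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    return d.translate(LOOKALIKES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: one swapped pair of letters counts as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]


def classify_sender(address: str) -> tuple[str, str | None]:
    """Return ('known' | 'lookalike' | 'unknown', matched supplier domain or None)."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in KNOWN_SUPPLIER_DOMAINS:
        return "known", domain
    for good in sorted(KNOWN_SUPPLIER_DOMAINS):
        # Threshold of 2 is an assumption; very short domains need a tighter one.
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 2:
            return "lookalike", good
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample senders.
    for addr in ("accounts@acme-supplies.example", "accounts@acrne-supplies.example",
                 "billing@n0rthwind.example", "hello@unrelated.example"):
        print(addr, "->", classify_sender(addr))
```

A "known" result does not authenticate the message, since sender addresses can be spoofed; any change of bank account still needs the phone call-back from the first measure.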
To seek scam-related advice, you may call the anti-scam helpline at 1800-722-6688 or go to www.scamalert.sg. Should you have any information on scams, call the Police hotline at 1800-255-0000 or submit information here.
Top image via Unsplash and by Lean Jinghui