Police take just 2 days to recover $40M stolen in business email scam

Two days is all it took for Interpol to recover more than $40 million worth of stolen funds in a recent business email compromise (BEC) heist, the international cop shop said this week.

Interpol was called in after an unidentified Singaporean commodity biz filed a police report on July 23 claiming it had been scammed out of $42.3 million four days earlier. 

The company only became aware of the bamboozling when a supplier, the intended recipient of the money transfer, got in touch asking why it hadn't been paid.

Cybercrims capitalized on the knowledge that the victim business worked with the supplier in question and asked that the next payment made to it was sent to a new account based in Timor-Leste. The email address from which that request came was slightly misspelled but was convincing enough to trick the employee into sending the funds anyway.

Timor-Leste is known for being an attractive country for organized crime groups (OCGs) given its proximity to both Southeast Asia and the South Pacific. The smuggling of drugs and other illegal produce is usually the crime of choice in this corner of the world, but money laundering and cybercrime is also fairly pervasive.

The country tabled a draft cybercrime bill in 2021 but it has still yet to make any substantial moves toward becoming law. Its vague wording has also caught the attention of digital privacy advocates about it potentially threatening freedom of expression and freedom of the press.

Regardless, the country's local police force assisted their Singaporean and Interpol counterparts, locating and intercepting $39 million from the scammers' bank account. Seven arrests were also made following the intervention, which in turn led to the discovery of more than $2 million in additional funds.

The Singaporean commodity company still hasn't had its stolen funds sent back to it yet, but "steps are being taken" to complete the process.

"Speed is crucial to successfully intercepting the proceeds of online scams, with police, financial intelligence units, and banks cooperating across multiple jurisdictions in a race against time," said Isaac Oginni, director of Interpol's Financial Crime and Anti-Corruption Center.

• Google gamed into advertising a malicious version of Authenticator
• 'LockBit of phishing' EvilProxy used in more than a million attacks every month
• Nigerian faces up to 102 years in the slammer for $1.5M phishing scam
• Money-grubbing crooks abuse OAuth – and baffling absence of MFA – to do financial crimes

"The cooperation between authorities in Singapore and Timor Leste in this case was exemplary and demonstrates how quick action through Interpol can help recover funds taken from the fraud victims and identify the perpetrators."

BEC scamming is a highly lucrative business and is more costly to US victims than ransomware, according to a report from the feds earlier this year.

In 2023 alone, more than 21,000 complaints relating to BEC were filed with the FBI, which incurred adjusted losses exceeding $2.9 billion. 

For comparison, the same report said 2,825 ransomware complaints were made with adjusted losses topping $59 million. It's a large discrepancy in monetary losses, however, it should be noted that ransom payments are often made without informing law enforcement, and these losses may not account for downtime, recovery costs, and other finances associated with a ransomware attack. ®