The news that the government of Puerto Rico has lost over $2.6m in a phishing scam should be treated as a vital reminder to businesses about how easy such emails are to fall for, according to cybersecurity experts.

The Puerto Rico government confirmed that it had fallen for the scam on Thursday. It saw the Industrial Development Company, a government agency, transfer the money to a fraudulent account after receiving what looked like a payment reminder by email.

The scam, which was reported to the police on Wednesday, was described by the agency’s executive director Manuel Laboy as “extremely serious” in comments made to The Associated Press.

He added that the Puerto Rico government wanted the phishing scam to be “investigated until the last consequences”.

Puerto Rico phishing scam: A hard lesson for businesses

According to cybersecurity experts, the fact that the Puerto Rico government fell for such a costly phishing scam highlights the fact that can be extremely hard to spot a fake email.

Does artificial intelligence need more regulation?

View Results

Loading ... Loading ...

“Contrary to popular belief, phishing emails are not always easy to identify. They do not always contain obvious typos, broken English or clearly come from unknown senders,” said Peter Goldstein, CTO and co-founder of Valimail.

“Cybercriminals have become adept at crafting emails that are difficult to discern from legit messages that recipients receive daily, and even though many organisations invest in employee email security training to prevent these kinds of attacks, attackers continue to find success often through impersonation. In fact, 90% of email attacks use impersonation, and phishing attacks that impersonate senders have increased in frequency by 25%.”

This is, according to Matt Aldridge, principal solutions architect at Webroot, a lesson that needs to be learned by both governments and businesses.

“This attack should come as a wake-up call, as the humble phishing attack continues to catch people out. These threats are becoming more sophisticated and targeted, and it only takes one click to put an entire network at risk, or one misled employee or insecure process to lose huge amounts of money as we have seen in this case,” he said.

“Governments hold a huge amount of sensitive data and lessons need to be learned from this.”

Protecting against phishing scams

Given such phishing emails are so hard to identify, organisations need to look at how their wider security can help fight against them, rather than simply relying on employees to spot every rogue email.

“To prevent these attacks and avoid the same fate as the Puerto Rican government, and so many other victims, organisations must focus on validating and authenticating sender identity,” said Goldstein.

3 Things That Will Change the World Today

“By taking steps like properly enforcing DMARC and employing advanced anti-phishing solutions that confirm senders’ identities, organisations can add a crucial defensive layer to their inboxes.”

However, effective security training also remains vital.

“To mitigate future attacks, ongoing, tailored security awareness training should be implemented for staff from day one, ensuring that they are vigilant in scrutinising all the types of emails and other communications they receive,” said Aldridge.

“This should be underpinned by cybersecurity technology such as email filtering, anti-virus protection, and strong password policies, along with carefully designed and orchestrated processes to catch fraud attempts such as this.”


Read more: Account takeover attacks: The digital scam taking phishing’s crown