Almost $6.4 million was lost in business email compromise scams from 2016 to 2022.
This was revealed by the Fiji Financial Intelligence Unit (FIU) manager intelligence Esther Sue while speaking before the Standing Committee on Foreign Affairs and Defense in Suva yesterday.
During FIU’s submission on the Budapest Convention, Ms Sue spoke about the business email compromise scam which impacted businesses in Fiji and abroad.
“We’ve seen about 32 incidents, targeting 27 entities and five individuals so more than $6.4m was lost by businesses and individuals during this particular time,” she said.
“We have had maybe one or two instances when there has been a partial return of the funds and that was also because they picked it up quite fast and they asked for a recall of the funds from their bank.”
According to Ms Sue, in normal instances, the cybercriminal was of foreign origin.
“What the cybercriminal does is they bypass internal firewalls of various companies to try and access some type of information. “Sometimes they do this by phishing attacks where they can identify names or personal information to try and find our passwords and so on. “Once they’re able to gain access and sometimes it is through specific emails that have malware, they hack that email account and the individual or entity does not know and they start accessing their emails and start liaising with the individual’s suppliers and stakeholders and so on.” Ms Sue said perpetrators hacking into the account would either purport to be the accountant or CEO and start exchanging emails with clients or suppliers.
“They might create potentially an email address that might be quite similar or sometimes, they get full control over email addresses.
“They will then send a payment instruction to the accountant and normally what they do is they’ll send it in odd hours of the day so it will be 2am or 3am, and they will change the normal format of those emails.”
She said the hackers would advise the people they contacted of changes due to some incident that had occurred with the previous account and ask for funds to be sent urgently.
“They also restrict access of the business to the original and correct email so they don’t know what is happening.
“This is done to businesses, law firms and individuals.
“As soon as the money hits the foreign bank account, it is transferred to other accounts. This is not something that’s just seen in Fiji, it’s happening globally and INTERPOL has had campaigns around business email compromise as well.”
She said when funds moved to a foreign jurisdiction, it moved to another country which made it difficult to trace.
“With remittances as well, once they are following up with the supply it can be two to three weeks at which point the funds have already left that bank account they sent it to and eventually also left that country.”
The top three countries where funds go out to are Hong Kong, the United States of America and Australia.