SAN JUAN, Puerto Rico — An online scam that targeted Puerto Rican agencies attempted to steal more than $4 million, police said Thursday, deepening concerns about the management of local government finances during an economic crisis.
Authorities have frozen at least $2.9 million, said an official who was not authorized to comment on the case and requested anonymity. The government has not said how much money was seized by the hacker.
The scam began when someone hacked into the computer of a finance worker at the island’s Employee Retirement System in December, said José Ayala, director of the fraud unit within the bank robbery division. The hacker then posed as the female employee and sent emails to various government agencies alleging a change in bank accounts, he told The Associated Press.
Two agencies fell victim to the scam in recent months: Puerto Rico’s Industrial Development Company sent $63,000 in December and more than $2.6 million in January, while the island’s Tourism Company sent $1.5 million in January to fraudulent accounts on the U.S. mainland, he said.
Puerto Rico government officials realized what had happened when the finance worker at the Employee Retirement System called the agencies and said she had not received any payments and officials responded they had already sent them.
“That’s when they call us and all hell breaks loose,” Ayala said.
El Nuevo Dia, a Puerto Rico daily newspaper, had reported the $1.5 million payment that the tourism company had made. The other payment became public late Wednesday through a police report.
Ayala said no other government agencies have reported a loss as a result of the scam. He said the FBI is investigating how the computer at the Employee Retirement System got hacked.
On Thursday, legislators demanded a probe as government officials declined to provide further information, citing an ongoing investigation.
“The government of Puerto Rico is in a serious fiscal crisis. It doesn’t have enough money to fulfill its obligations,” said Puerto Rico Rep. Ramón Luis Cruz, who filed legislation seeking an investigation. “It’s truly absurd and unsustainable to have such a shallow and vague explanation.”
Incidents in which hackers spoof or compromise an email account from a legitimate person or company are common in the public and private sector, said Meredith Ward, policy and research director at the National Association of State Chief Information Officers.
“It can be compared to knocking on the door,” she said. “Happens every day, but entry isn’t always gained.”
Around the same time the Puerto Rico incident occurred last month, a school district in Manor, Texas, reported an email phishing scam that resulted in the loss of $2.3 million. Meanwhile, officials in Griffin, Georgia, reported a loss of more than $800,000 last year after receiving an email requesting an account change.
More than 23,700 business email compromises, as such scams are known, were reported on the U.S. mainland last year, with total adjusted losses of more than $1.7 billion, according to the FBI. A special FBI team said it helped recover more than $300 million stolen in that type of scheme last year.
Manuel Laboy, executive director of Puerto Rico’s Industrial Development Company, told the AP that the agency is trying to recover the money.
Tourism spokeswoman Yolanda Rosaly referred questions to the governor, whose office said local and federal authorities were working on the case and that it cannot provide comment until the investigation is complete.
Puerto Rican Rep. Jesús Manuel Ortiz said the lack of information is unacceptable.
“There are a lot of questions that have not been answered,” he said. “The government has to explain what happened.”