Puerto Rico’s government said Friday that it suspended three employees as federal agents investigate an online scam that attempted to steal more than $4 million from the U.S. territory.
Manuel Laboy, executive director of Puerto Rico’s Industrial Development Company, said rigorous procedures were not followed when the agency received an email alleging a change in banking accounts that prompted someone to transfer more than $2.6 million to a fraudulent account in the U.S. mainland last month.
“We do not take this lightly, and there are consequences,” he said.
Laboy declined to share the names and positions of those suspended, saying only that it was one employee from his agency and two from Puerto Rico’s Commerce and Export Company, which sent $63,000 as part of the scam. He added that the FBI has been able to freeze the money sent, which involves public pension funds.
“This situation did not affect and will not affect pension payments to retirees,” he said.
The scam also targeted Puerto Rico’s Tourism Company, which sent $1.5 million, police have said.
José Ayala, director of the fraud unit with the police department’s bank robbery division, said the scam began when someone hacked into the computer of a finance worker at Puerto Rico’s Employment Retirement System in December and sent emails to government agencies. He said government officials realized what had happened when someone at the retirement agency asked why they had not yet received the funds, only to be told they had already been sent.
Ayala said the FBI is investigating how the computer was hacked.
José Quiñones, president of Obsidis Consortia, a nonprofit cybersecurity organization in Puerto Rico, said those types of attacks are common and can be prevented to a certain point.
“No system is 100% safe,” he said, adding that training employees on cyberattacks and keeping software up to date is key.
“This is a well-coordinated attack,” he said. “Where the government failed greatly was in the procedures, not the technology.”
