
Police warn companies about e-mail scam


Local businesses have been conned out of more than $5 million after being targeted by an e-mail scam, the Bermuda Police Service warned tonight.

Detective Superintendent Sean Field-Lament, of the Crime Division, said police received three reports of “significant cyber-enabled fraud incidents” from local companies in the past ten days.

He added: “Two frauds resulted in the loss of $1.3 million and $4 million in separate incidents, and the third attempt at a different business was discovered before funds were actually transferred.”

Mr Field-Lament said: “I wish to raise awareness of the Bermuda business community in regards to an emerging cyber threat named ‘Business E-mail Compromise’, also called ‘CEO fraud’.”

He added: “The BPS would encourage all companies to review their business processes to guard against this type of cybercrime.”

According to police, organised crime groups use publicly available contact information to collect e-mail data of company staff.

Fraudsters then send an e-mail impersonating a company executive to an accounts department employee, requesting “an urgent overseas payment to be made”.

Police said the United States Federal Bureau of Investigation reported in 2016 that BEC fraud had increased by 1,300 per cent, with a combined loss of more than $3 billion.

The BPS shared recommendations by the FBI to avoid free web-based e-mail accounts and consider extra IT and financial security procedures, including a two-step verification process.

It added: “Be careful what is posted to social media and company websites, especially job duties/descriptions, hierarchal information, and out-of-office details.

“Be suspicious of requests for secrecy or pressure to take action quickly.”

The BPS also recommended using other communication channels to verify transactions, reporting and deleting spam e-mail, using the “forward” option instead of “reply”, and creating “intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail”.
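The last recommendation above can be illustrated in Python. This is an added example, not code from the Bermuda Police Service or the FBI guidance: it classifies a From header as internal, lookalike or external by comparing the sender domain with the company domain after collapsing common character substitutions. The domain `acme-holdings.example`, the substitution list and the distance threshold of 2 are assumptions.

```python
from email.utils import parseaddr

COMPANY_DOMAIN = "acme-holdings.example"  # assumption: placeholder company domain

# Visual substitutions collapsed before comparing (constructed, not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))

def skeleton(domain):
    """Lower-case a domain and collapse look-alike character sequences."""
    d = domain.lower().rstrip(".")
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d

def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)  # adjacent letters swapped
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]

def classify_sender(from_header, company=COMPANY_DOMAIN, max_distance=2):
    """Return 'internal', 'lookalike', 'external' or 'unparseable'."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain == company or domain.endswith("." + company):
        return "internal"
    if edit_distance(skeleton(domain), skeleton(company)) <= max_distance:
        return "lookalike"
    return "external"

# Constructed sample From headers, not taken from any real incident.
SAMPLES = [
    "Chief Executive <ceo@acme-holdings.example>",
    "Chief Executive <ceo@acrne-holdings.example>",   # "rn" imitating "m"
    "Chief Executive <ceo@acme-ho1dings.example>",    # digit 1 imitating "l"
    "Chief Executive <ceo@acme-holdigns.example>",    # two letters swapped
    "Accounts <billing@supplier-invoices.example>",
]

def flag_lookalikes(headers):
    """Return the headers whose sender domain imitates the company domain."""
    return [h for h in headers if classify_sender(h) == "lookalike"]
```

A sender classed as external can still carry an executive's display name, so this check complements the verification over another communication channel recommended above and does not replace it.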

For more information, see the full press release under “Related Media”.

Information is also available on the United States Department of Justice website at https://www.justice.gov/criminal-ccips/ccips-documents-and-reports under the “Topical White Papers” publication entitled Best Practices for Victim Response and Reporting of Cyber Incidents.

An example of a generic scam e-mail (Image from the Bermuda Police Service)