On two occasions in 2018, the Virgin Islands Water and Power Authority (WAPA) was the victim of a Business Email Compromise (BEC) — an instance where a fictitious email appears authentic. These incidents resulted in payments totaling $2.17 million being authorized and sent to an apparent legitimate vendor. The FBI is currently investigating this crime.
A Business Email Compromise is a type of scam targeting companies that conduct wire transfers. Corporate or publicly available email accounts of employees that conduct financial transactions or are involved with wire transfer payments are either spoofed or compromised through key loggers or phishing attacks to carry out fraudulent fund transfers.
Since the incidents, WAPA has provided overall cybersecurity training for its staff as well as training on recognizing phishing emails that can lead to such BEC scams, and it has revised its financial control procedures. “The training is recurring, and we use controlled phishing emails to test our employees’ ability to determine authentic from bogus emails,” said Executive Director Lawrence J. Kupfer.
“While we can say very little until the federal investigation into the incidents is complete, I thought it prudent, in light of the Senate discussion this week, to reassure the community that while WAPA was victimized by the BEC incidents, we have taken all advisable security measures to ensure an incident of this nature does not recur. Equally as important, WAPA’s networks, customer information, computer systems or its overall digital infrastructure were not compromised,” Kupfer said.