Milford Entities, a well-known firm that owns and manages luxury properties in New York City, recently became the victim of a sophisticated cybercrime. An employee received a phishing email that appeared to be from the Battery Park City Authority (BPCA), a state entity that handles property taxes and ground-lease payments for the neighborhood. The fraudulent email tricked the company into rerouting a significant quarterly payment, nearly $19 million, to a scammer’s bank account instead of the BPCA’s.
The stolen funds consisted of ground-lease payments and PILOT fees (Payment in Lieu of Taxes) collected from condo owners in Battery Park City.
These fees are essentially property taxes that Milford Entities collects from over 2,000 units it manages and then forwards to the BPCA. The phishing email, a “spoofing” attempt, pointed the payment to a fraudulent bank account at TD Bank opened in the name of the BPCA, causing the payment to be misdirected.
In a public statement, Milford Entities confirmed it was the victim of a fraud involving the theft of funds through a fraudulent bank account set up in the name of the BPCA. The company specified that the theft affected both properties it directly owns and others it manages. It emphasized that, since the incident is part of an ongoing law enforcement investigation, it would not be providing any additional comments on the matter.
The Department of Homeland Security is now leading a multi-agency task force to investigate the fraudulent transfer.
The BPCA confirmed that it did not receive the expected quarterly payment from Milford Entities in early July, which alerted them to the potential theft. Law enforcement officials are working to trace the funds and identify the cybercriminals behind the sophisticated scam.
This incident highlights the serious threat that phishing and other cybercrimes pose to businesses, regardless of their size. A single fraudulent email can lead to massive financial losses and complex legal and operational challenges. This case serves as a critical reminder for companies to implement robust cybersecurity protocols, including employee training on how to identify and avoid phishing attempts, and to verify all financial transactions through multiple channels before processing them.