BEC attacks are usually aimed at stealing money or valuable information, but the FBI warns that BEC scammers are increasingly trying to get their hands on physical goods such as construction materials, agricultural supplies, computer technology hardware, and solar energy products.
Supplies in the crosshairs
Such schemes are not without precedent: during the height of the Covid-19 pandemic, scammers went after PPE and other medical equipment.
In 2022, the FBI also warned of a BEC scheme aiming to steal shipments of food products and ingredients.
This time around, cybercriminals used BEC to obtain a variety of commodities and supplies by defrauding the vendors through spoofed emails and by taking advantage of payment terms.
“Criminal actors impersonate the email domains of legitimate US-based companies using spoofed email domain addresses and the display names of current or former company employees, as well as fictitious names to initiate the bulk purchase of goods from vendors across the US. As a result, email messages sent to vendors appear to come from known sources of business. Thus, victimized vendors assume they are conducting legitimate business transactions fulfilling the purchase orders for distribution,” the FBI explains.
Here are some examples of spoofed email domains:
Criminals can delay detection by submitting fake credit references and fraudulent W-9 forms to obtain specific repayment terms (Net-30 and Net-60), which let them order more items without an upfront payment.
“Victimized vendors ultimately discover the fraud after attempts to collect payment are unsuccessful or after contacting the company they believed had initially placed the purchase order, only to be notified that the source of the emails was fraudulent,” the FBI further explains.
How can companies protect themselves?
Since most organizations use email to communicate and do business, BEC scams are among the simplest ways for cybercriminals to achieve their goals. They are also one of the most financially destructive online crimes.
To avoid falling prey to such a scam, businesses should always check the legitimacy of email requests, by:
- Calling the main phone line of the business (but not trusting phone numbers provided in the email!)
- Verifying that the email domain address belongs to a legitimate business
- Not opening links provided in the email, and instead typing the URL or domain directly to verify the source
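The second check above, verifying that the sending domain really belongs to a known business, can be partly automated on the vendor side. The following Python is an added example, not code from the FBI advisory or this article: it assumes a constructed allow-list of customer domains (`KNOWN_DOMAINS`) and flags senders whose domain is a lookalike of one of them (different TLD, brand name padded with extra characters, or near-identical spelling) so they can be verified by phone before an order is fulfilled.

```python
import re
from difflib import SequenceMatcher

# Constructed allow-list: domains a vendor has already verified out-of-band for its customers.
# (Example values, not taken from the FBI advisory.)
KNOWN_DOMAINS = {"acme-construction.com", "sunfield-solar.com"}


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'Jane Doe <jane@acme-construction.com>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return match.group(1).lower().rstrip(".") if match else ""


def _registrable(domain: str):
    """Return (brand label, tld) for a domain; naive split that assumes a one-label TLD."""
    labels = domain.split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (labels[0], "")


def check_sender(from_header: str, known_domains=KNOWN_DOMAINS) -> str:
    """Classify the sending domain as 'known', 'lookalike' or 'unknown'."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if domain in known_domains:
        return "known"
    name, tld = _registrable(domain)
    flat = domain.replace("-", "").replace(".", "")  # separators stripped for containment tests
    for good in known_domains:
        good_name, good_tld = _registrable(good)
        if (name, tld) == (good_name, good_tld):
            return "known"  # legitimate subdomain, e.g. mail.acme-construction.com
        if name == good_name:
            return "lookalike"  # same brand label, different TLD (acme-construction.net)
        if good_name.replace("-", "") in flat:
            return "lookalike"  # brand embedded in a longer or re-hyphenated name
        if SequenceMatcher(None, name, good_name).ratio() >= 0.9:
            return "lookalike"  # near-identical spelling (acme-constructlon.com)
    return "unknown"


if __name__ == "__main__":
    for hdr in ("Jane Doe <jane@acme-construction.com>", "Purchasing <po@acme-construction.net>"):
        print(hdr, "->", check_sender(hdr))
```

A "lookalike" or "unknown" result is a trigger for the phone call to the company's main line described above, not a verdict on its own, and the list of known domains must itself be built from verified contacts rather than from email.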
The FBI also urges companies to file a report if they fall victim to a BEC attack.