The Federal Bureau of Investigation (FBI) on Friday warned that cybercriminals are using business email compromise (BEC) tactics to swindle US-based vendors and acquire various commodities without payment.
In BEC scams, cybercriminals usually spoof a trusted contact to dupe unsuspecting victims of money — and access confidential data in some cases. However, the FBI revealed that threat actors are now using BEC schemes to get their hands on various commercially available products, including construction materials, agricultural supplies, computer hardware, and solar energy products.
“This is a new twist on BEC, which has been limited to requests for urgent wire transfers. Digging deeper into business processes to get products or services is a new twist and a testament to the ingenuity of scamsters,” Richard Stiennon, chief research analyst at IT-Harvest, told VPNOverview.
Making Bulk Purchases With Fake Documentation
Cybercriminals reach out to vendors to place orders for bulk purchases of goods using spoofed email addresses with the names of former or current employees of a company, the FBI said. Sometimes, scammers also use completely fictitious names in their emails.
To spoof an email, cybercriminals usually change some letters in the domain address. For example, to spoof @company.com, scammers may use @co-pany.com or @company-usa.com as their address.
The subtle difference is only noticeable with close inspection, so vendors will work to fulfill these fake purchase orders under the impression they’re dealing with a legitimate company.
To further disguise the fraud, cybercriminals “apply and are often granted” Net-30 and Net-60 credit repayment terms, and supply vendors with illegitimate credit references and fake W-9 IRS tax forms, the FBI said. This allows the scammers to place additional purchase orders with no upfront payment and without raising suspicion.
Vendors only discover this fraud “after attempts to collect payment are unsuccessful or after contacting the company they believed had initially placed the purchase order,” the FBI explained.
BEC scams are a major problem in the US. The FBI received 20,000 BEC complaints in 2021 and recorded about $2.4 billion in losses. Between 2016 and December 2021, the FBI recorded $43 billion in losses due to BEC scams.
How to Protect Your Organization From BEC Scams
The FBI recommends that vendors confirm the source of an email before agreeing to any request. The agency suggests “calling a business’s main phone line to confirm the identity and employment status of the email originator, rather than calling numbers provided via email contact.”
The FBI also recommends inspecting the domain address of emails to ensure they’re from a legitimate source, and avoiding clicking on links in emails, as that may download a malicious payload on your device or lead you to a phishing site.
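The domain check the FBI recommends can be automated on the vendor side. The script below is an added example, not FBI or VPNOverview code: it flags sender domains that are a small edit away from a trusted partner domain (the @co-pany.com pattern) or that embed the partner's name with extra tokens (the @company-usa.com pattern). The allow-list and sample addresses are constructed for illustration; the TLD handling is simplified and ignores multi-part suffixes such as .co.uk.

```python
"""Flag sender domains that look like a trusted partner domain (added example)."""

# Constructed allow-list: domains this vendor actually does business with.
TRUSTED_DOMAINS = {"company.com", "acme-supply.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def base_label(domain: str) -> str:
    """Name without its last label: 'company-usa.com' -> 'company-usa' (simplified)."""
    return domain.lower().rsplit(".", 1)[0]


def lookalike_verdict(sender: str, trusted=TRUSTED_DOMAINS):
    """Return (status, trusted_domain_it_resembles) for one From: address."""
    domain = sender.rsplit("@", 1)[-1].lower()
    # Exact match or a genuine subdomain of a trusted domain is fine.
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return ("trusted", next(t for t in trusted if domain == t or domain.endswith("." + t)))
    label = base_label(domain)
    for good in sorted(trusted):
        good_label = base_label(good)
        # Pattern 1: a letter dropped, swapped or replaced (co-pany.com).
        limit = 1 if len(good_label) < 6 else 2
        if edit_distance(label, good_label) <= limit:
            return ("lookalike", good)
        # Pattern 2: trusted name with extra tokens bolted on (company-usa.com).
        if good_label in label:
            return ("lookalike", good)
    return ("unknown", None)


def triage(senders):
    """Run the check over a batch of addresses, e.g. pulled from new purchase orders."""
    return {s: lookalike_verdict(s) for s in senders}


if __name__ == "__main__":
    # Constructed sample addresses, including the two patterns from the FBI alert.
    for addr, verdict in triage(["orders@company.com", "orders@co-pany.com",
                                 "orders@company-usa.com", "orders@example.org"]).items():
        print(f"{addr:28} {verdict}")
```

A "lookalike" hit is a prompt for the manual verification the FBI describes (calling the company's main line), not proof of fraud, since legitimate affiliates sometimes use similar names.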
“There are 104 vendors of email security products. Many of them claim to counter business email compromise. It would be a good idea to layer in such additional defenses into Office 365 and other email platforms,” Stiennon said.
Cybercriminals have targeted every US state and over 150 countries worldwide with BEC scams. Check out our in-depth guide to CEO fraud for more information about how to protect your organization from these malicious schemes.
If you believe your company has fallen victim to BEC fraud, you can file a report with the FBI IC3 complaint center. The complaint should include all subject names, phone numbers, email addresses, domains, and transaction information.
