The Federal Bureau of Investigation is warning businesses in the United States against threat actors who use tactics similar to business email compromise that allow less technical actors to steal various assets from vendors.
Typical business email compromise (BEC) attacks focus on stealing money by tricking the victim into diverting funds to the fraudster’s account.
In 2021, losses associated with BEC schemes reached nearly $2.4 billion in the United States alone. The figure is based solely on the nearly 20,000 complaints the FBI received that year.
In the type of fraud observed by the FBI, the threat actor employs fake acquisition schemes to obtain various products from vendors across the country.
In a Friday alert, the FBI notes that criminal actors are impersonating US-based corporate email domains to initiate group purchases.
Fraudsters are diligent enough to use spoofed emails with the names of real employees, current or former, of the companies they are impersonating.
“Thus, victimized sellers assume they are conducting legitimate business transactions by fulfilling purchase orders for distribution,” the agency explains.
According to the FBI, among the commercially available goods targeted by this type of fraud are building materials, agricultural supplies, computer equipment and solar energy products.
Although the technical skills required to spoof an email address are very low, it appears that the actors are skilled fraudsters well versed in business payments and in how to conceal the fraud.
The FBI says the criminal actors also delay discovery of the scam by seeking credit (Net-30 and Net-60 terms) from the seller based on fake credentials and counterfeit W-9 forms that include income information.
After being granted a 30- or 60-day credit repayment term, fraudsters can initiate additional purchase orders without having to pay upfront.
The FBI recommends that vendors verify the source of an email before accepting a transaction. They can pull the buyer’s contact information from a trusted source (e.g. company website, social media, or online databases) and call them directly to inquire about the intent of the purchase.
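As an added illustration (not part of the FBI alert or of this article), the sketch below shows how a vendor's order desk could automate the first half of that check: comparing the sender and reply addresses of an incoming purchase order against a domain taken from a trusted source, and flagging the order for a phone call when they differ. The directory contents, function names and sample messages are constructed assumptions.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: buyer name -> domain copied from a trusted source
# (hypothetical values; in practice, the company's own website or records).
TRUSTED_DOMAINS = {"Acme Supply": "acme-supply.example"}

def domain_of(header_value):
    """Return the lowercased domain of the address in a From/Reply-To header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def check_purchase_order(raw_email, claimed_buyer):
    """Return reasons to call the buyer before fulfilling the order."""
    trusted = TRUSTED_DOMAINS.get(claimed_buyer)
    if trusted is None:
        return ["buyer not in trusted directory"]
    msg = message_from_string(raw_email)
    # The display name is ignored on purpose: spoofed orders carry the
    # names of real employees, so only the address domains are compared.
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"]) or from_dom
    findings = []
    for label, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        if dom == trusted or dom.endswith("." + trusted):
            continue
        ratio = SequenceMatcher(None, dom, trusted).ratio()
        kind = "a lookalike of" if ratio >= 0.8 else "unrelated to"
        findings.append(f"{label} domain '{dom}' is {kind} '{trusted}'")
    return findings

# Constructed sample: forged From header, replies routed to a lookalike domain.
SPOOFED = (
    'From: "Jane Doe" <jane.doe@acme-supply.example>\n'
    "Reply-To: purchasing@acme-supp1y.example\n"
    "Subject: PO 1001, Net-30 terms requested\n\nPlease ship per attached PO.\n"
)
# Constructed sample: sender domain matches the trusted directory entry.
LEGIT = (
    'From: "Jane Doe" <jane.doe@acme-supply.example>\n'
    "Subject: PO 1002\n\nPlease confirm availability.\n"
)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, check_purchase_order(raw, "Acme Supply") or "no findings")
```

An empty result only means the addresses are consistent with the directory; the callback to a number from the trusted source is still what confirms the order.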