Highlights:

  • The FBI said that scammers were using email accounts belonging to genuine businesses to order large quantities of goods from vendors all over the country.
  • The FBI is advising all companies to contact a company’s main phone number directly to ascertain the source of any email order and the employment status of the email sender.

The U.S. Federal Bureau of Investigation has issued a warning that criminals are using business email compromise (BEC) schemes to facilitate the acquisition of a variety of commodities.

BEC attacks, which use social engineering to facilitate fraud, are not new. According to an earlier report, one-third of all cyberattacks now involve BEC, but these attacks usually aim to steal money. The FBI warning specifies that the perpetrators are now also targeting physical goods.

In a statement released on March 24, the FBI said that scammers were using email accounts belonging to genuine businesses to order large quantities of goods from vendors all over the country. The vendors fulfill the purchase orders for distribution because the emails appear to come from well-known business sources and to represent genuine business transactions.

Normally, purchases like these would result in a nonpayment alert, but those responsible for BEC attacks take advantage of commercial credit repayment terms such as Net-30 and Net-60, which let them postpone payment for purchases. To make the attacks seem more genuine, the criminals behind them also give vendors phony W-9 forms and credit references.

Businesses that have been targeted reportedly learn about the fraud only after failed attempts to collect payment, or after contacting the business they thought had placed the purchase order and learning that the source of the emails was fraudulent.

The FBI reports that attacks have targeted solar energy products, agricultural supplies, computer hardware, and construction materials, among other surprisingly specific categories of tangible goods. The products typically have a high value and are probably easy to sell covertly.

The FBI is advising all companies to contact the company’s main phone number directly to ascertain the source of any email order and the employment status of the email sender. Additionally, businesses should make sure that the email’s domain matches the organization it purports to represent, and staff members shouldn’t rely on any links contained in the emails.
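The domain check and callback advice above can be applied on the vendor side when a purchase order arrives. The following is an added example, not code from the FBI or from this article; the customer record, addresses, phone number, flag names and the 0.8 similarity threshold are all constructed assumptions.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed vendor-side customer record. Domain and main phone number come
# from the contract or earlier invoices, never from the incoming email.
CUSTOMERS = {"Acme Solar": {"domain": "acmesolar.example", "main_phone": "+1-555-0100"}}
LOOKALIKE_RATIO = 0.8  # assumed similarity threshold; tune on your own mail


def domain_of(header_value):
    """Lower-cased domain of the address in a From/Reply-To header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower().rstrip(".")


def triage_order(raw_email, claimed_customer):
    """Flag a purchase-order email; always return the number to call back."""
    record = CUSTOMERS[claimed_customer]
    msg = message_from_string(raw_email)
    known, sender = record["domain"], domain_of(msg["From"])
    flags = []
    if sender != known and not sender.endswith("." + known):
        ratio = SequenceMatcher(None, sender, known).ratio()
        flags.append("lookalike-domain" if ratio >= LOOKALIKE_RATIO else "domain-mismatch")
    if msg["Reply-To"] and domain_of(msg["Reply-To"]) != sender:
        flags.append("reply-to-differs")
    body = msg.get_payload().lower()  # sample messages are single-part text
    if "net-30" in body or "net-60" in body:
        flags.append("credit-terms-requested")
    # A matching domain does not clear the order: the sending account itself
    # may be compromised, so the callback is required in every case.
    return {"flags": flags, "callback": record["main_phone"]}


def sample(from_addr, reply_to=None, body="Please ship 40 units."):
    """Build a constructed purchase-order email for the demo."""
    headers = [f"From: {from_addr}", "Subject: PO 1001"]
    if reply_to:
        headers.append(f"Reply-To: {reply_to}")
    return "\n".join(headers) + "\n\n" + body


if __name__ == "__main__":
    print(triage_order(sample("Buyer <po@acmesolar.example>"), "Acme Solar"))
    print(triage_order(sample("Buyer <po@acme-solar.example>", body="Terms: Net-60"), "Acme Solar"))
    print(triage_order(sample("po@acmesolar.example", "po@freemail.example"), "Acme Solar"))
```

The flags only prioritize review; the callback number is returned even for a clean result because the check cannot detect a genuine account that has been taken over.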

James McQuiggan, a security awareness advocate at security awareness training company KnowBe4 Inc., said, “The FBI’s warning emphasizes the need for continued vigilance and improved cybersecurity measures, particularly for businesses that regularly transfer large sums of money. With increased awareness of these types of attacks for users responsible for transferring funds, they need to be aware of the tactics used by cybercriminals and learn to verify the authenticity of any request for funds or sensitive information.”

Mitigating this kind of fraud takes a broader effort with both human and technological elements. “Organizations must implement technical safeguards, such as two-factor authentication and encryption, while prioritizing employee education and training to increase awareness of the tactics used by cybercriminals,” added McQuiggan.