The Federal Bureau of Investigation (FBI) has recently issued a warning to vendors in the United States following an increase in a form of business email compromise attack that attempts to fraudulently obtain high-value goods. Business email compromise (BEC) is one of the most financially damaging forms of cybercrime. According to the FBI, its Internet Crime Complaint Center (IC3) received 21,832 complaints about BEC attacks in 2021, involving losses of more than$2.7 billion.
Business email compromise attacks typically involve impersonating a legitimate business via email and tricking the victim into making fraudulent wire transfers or sending sensitive data. These attacks often start with phishing emails to gain access to corporate email accounts, which are then used to send fraudulent requests for wire transfers. The latest warning was issued following an increase in attacks that seek commercially available goods rather than fraudulent transfers, including construction materials, agricultural supplies, computer technology hardware, and solar energy products.
The threat actors impersonate the email domains of legitimate U.S. companies and use spoofed email domain addresses and the display names of current or former employees and request bulk purchases of goods. Since the requests come from known sources of business, the transactions are often fulfilled. The threat actors are often granted Net-30 or Net-60 terms, which means payment for the goods does not need to be made immediately, which allows the goods to be obtained and moved before the scam is discovered, which is typically when attempts are made to collect payment 30 or 60 days later. These terms are typically only offered after verification checks, but the attackers supply fake W-9 forms and references to obtain the terms. Once the payment terms have been obtained, the threat actors often submit multiple purchase requests.
As with other forms of business email compromise, the key to protecting against these attacks is to verify the authenticity of any email by calling the main phone line of the business, and never to rely on email as email accounts may have been compromised. These scams often use similar domains to the genuine domain used by a business, such as hyphenated versions of variants of the legitimate domain. Checks should therefore be performed to make sure the domain is the official one used by a business.
The FBI encourages all victims of BEC attacks to report the scams immediately to IC3.