UPDATED 20:18 EST / MARCH 27 2023

SECURITY

FBI warns business email compromise attacks are now targeting commodities

The U.S. Federal Bureau of Investigation warns that criminal actors are using business email compromise schemes to facilitate the acquisition of a wide range of commodities.

BEC attacks, an attack method that involves fraud enabled by social engineering, are not new. A report in September found that one-third of all cyberattacks now involve BEC, but typically, such attacks aim to steal money. The FBI warning details that those behind the attacks are now also targeting tangible goods.

According to a March 24 announcement by the FBI, criminal actors are impersonating the email domains of legitimate companies to initiate the bulk purchase of goods from vendors across the U.S. Because the email messages appear to come from known sources of business, vendors assume the purchase orders are legitimate business transactions and fulfill them for distribution.

Randomly buying goods would typically cause a nonpayment alert, but those behind the BEC attacks exploit commercial credit repayment terms such as Net-30 and Net-60, meaning they are not required to pay immediately for goods purchased. The criminals behind the attacks also provide vendors with fake credit references and fraudulent W-9 forms to appear more legitimate.

Companies that have been targeted apparently discover the fraud only after attempts to collect payment are unsuccessful or after contacting the company they believed had initially placed the purchase order, only to be notified that the source of the emails was fraudulent.

The types of tangible goods targeted are also surprisingly specific, with the FBI saying that attacks have targeted construction materials, agricultural supplies, computer technology hardware and solar energy products. The goods tend to have a high value and are presumably easy to sell under the radar.

The FBI is warning all businesses to verify the source of any email order by directly calling a business’s main phone line to confirm the employment status of the email originator. Companies should also ensure that the email domain address is associated with the business it claims to be from, and employees should not click on any links provided in emails.
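One way a vendor's order desk could automate the domain check described above, as an added example that is not taken from the FBI announcement or this article. The customer domain list, the sample messages, the function names and the edit-distance threshold of 2 are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: customer domains the vendor has already verified out-of-band.
KNOWN_DOMAINS = {"acme-construction.example", "sunfield-solar.example"}

# Constructed sample purchase-order emails (not real traffic).
LOOKALIKE = "From: Purchasing <po@acme-constructions.example>\nSubject: PO 4471, Net-30\n\nShip 40 pallets.\n"
REPLY_TO = "From: Buyer <buyer@sunfield-solar.example>\nReply-To: buyer@sunfield-orders.example\nSubject: PO 88\n\nQuote?\n"
GENUINE = "From: Buyer <buyer@sunfield-solar.example>\nSubject: PO 89\n\nQuote?\n"

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single-row dynamic programme."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def domain_of(header_value) -> str:
    """Lower-cased domain of an address header, '' if absent or malformed."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def check_order_email(raw: str, known=KNOWN_DOMAINS, max_dist: int = 2) -> dict:
    """Classify the sender domain as known, lookalike, unknown or review."""
    msg = message_from_string(raw)
    sender = domain_of(msg.get("From"))
    reply = domain_of(msg.get("Reply-To")) or sender
    findings = []
    if sender in known:
        verdict = "known"
    else:
        near = sorted(d for d in known if edit_distance(sender, d) <= max_dist)
        verdict = "lookalike" if near else "unknown"
        if near:
            findings.append(f"{sender} resembles verified domain {near[0]}")
    if reply != sender:
        findings.append(f"Reply-To domain {reply} differs from From domain {sender}")
        if verdict == "known":
            verdict = "review"  # replies would leave the verified domain
    return {"verdict": verdict, "sender": sender, "findings": findings}

if __name__ == "__main__":
    for sample in (LOOKALIKE, REPLY_TO, GENUINE):
        print(check_order_email(sample))
```

A "known" verdict only means the domain string matches a verified customer; it does not authenticate the sender, so the phone call to the business's main line is still needed before extending credit terms.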

“The FBI’s warning emphasizes the need for continued vigilance and improved cybersecurity measures, particularly for businesses that regularly transfer large sums of money,” James McQuiggan, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “With increased awareness of these types of attacks for users responsible for transferring funds, they need to be aware of the tactics used by cybercriminals and learn to verify the authenticity of any request for funds or sensitive information.”

Preventing this type of fraud requires a comprehensive approach involving both technological and human elements, McQuiggan added. “Organizations must implement technical safeguards, such as two-factor authentication and encryption while prioritizing employee education and training to increase awareness of the tactics used by cybercriminals,” he said.

Photo: Mayland GovPics/Flickr
