wheat and grain on dollar bills

BEC scammers go after more than just money

In a joint Cybersecurity Advisory (CSA) the Federal Bureau of Investigation (FBI), the Food and Drug Administration Office of Criminal Investigations (FDA OCI), and the US Department of Agriculture (USDA) recently observed incidents of Business Email Compromise (BEC) with a new twist. In these incidents the threat actors didn’t go for money, instead stealing whole shipments of food products and ingredients valued at hundreds of thousands of dollars.

Business Email Compromise

Up until recently, BEC attacks were almost exclusively targeted at money transfers. Malwarebytes’ own glossary entry for BEC says:

“A business email compromise (BEC) is an attack wherein an employee, who is usually the CFO or someone from the Finance department, is socially engineered into wiring a large sum of money to a third-party account.”

We may have to revise that entry since threat actors are now targeting physical goods as well.

In May 2022 we discussed some numbers published by the FBI. A few highlights:

  • $43 billion were stolen between June 2016 and December 2021. There were 241,206 domestic and international incidents between those two dates.
  • The FBI observed a 65% increase in losses suffered between July 2019 and December 2021, which feels like a significant ramp-up.
  • The overwhelming number of organizations filing victim complaints to the IC3 between October 2013 and December 2021 were based in the US.

This new type of attack will most certainly boost those numbers even more.

Methods

The tactics, techniques, and procedures have stayed very much the same. For the best results, attackers can use every bit of knowledge about the target and the legitimate company they are pretending to be. With this information they can:

  • Deploy email accounts and websites that closely mimic those of a legitimate company.
  • Use spear phishing and other techniques to get access to a legitimate company’s email system and send fraudulent emails from there.
  • Use the names of actual officers or employees of a legitimate business to communicate with the victim company to add extra credibility.
  • Copy company logos to lend authenticity to their fraudulent emails and documents.
  • Deceive the victim company into extending credit by falsifying a credit application. The scammer provides the actual information of a legitimate company so the credit check results in an approval of the application.

In the end, the victim company ships the product but never receives a payment.

Targets

While this type of fraud can happen in many industries, the CSA specifically points out recent events in the food and agriculture sector. In the listed examples, attackers used email addresses that were slightly different from the ones they were mimicking and seem to be predominantly after milk powder. But they also tried stealing a truckload of sugar. During investigations it also became clear that some legitimate companies were impersonated on more than one occasion.

Domain mimicry

There are many ways to mimic a domain so that the unsuspecting receiver of an email or web portal request might miss. To be proactive, you should look for additional punctuation, changes in the top-level domain (i.e. “.com” vs “.gov”), added prefixes or suffixes, and the use of similar characters (i.e. “close” vs “c1ose”) or a minor misspelling of the domain.

Mitigation

The FBI, FDA, and USDA urge businesses to use a risk-informed analysis to deal with this type of crime. Some of the tips they gave are worth repeating:

  • Verify contacts by independents means. Do not trust logos and branding for they can easily be copied.
  • Carefully check hyperlinks and email addresses for slight variations that can make fraudulent addresses appear legitimate and resemble the names of actual business partners.
  • Check for spelling errors, strange wording, and other grammatical abnormalities.
  • Encourage managerial double checks when employees find something suspicious or out of the ordinary.
  • Be skeptical of unexplained urgency or last-minute changes, especially in shipping destination.
  • Educate your employees to raise awareness of BEC, phishing, and other types of fraud.
  • Immediately report any online fraud or BEC activity to the FBI Internet Crime Complaint Center at ic3.gov/Home/BEC.

To avoid being used as a bait company, you can regularly conduct web searches for your company name to identify results that return multiple websites that may be used in a scam.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.