An All New Trend – Using BEC Scams To Steal Goods

Using BEC Scams To Steal Goods

An All New Trend In Scams

How Scams Work – A SCARS Insight

Criminal Actors Use Business Email Compromise to Steal Large Shipments of Food Products and Ingredients

What?

The Federal Bureau of Investigation (FBI), the Food and Drug Administration Office of Criminal Investigations (FDA OCI), and the US Department of Agriculture (USDA) are releasing this joint Cybersecurity Advisory (CSA) to advise the Food & Agriculture sector about recently observed incidents of criminal actors using business email compromise (BEC) to steal shipments of food products and ingredients valued at hundreds of thousands of dollars.

While BEC is most commonly used to steal money, in cases like this criminals spoof emails and domains to impersonate employees of legitimate companies to order food products. The victim company fulfills the order and ships the goods, but the criminals do not pay for the products. Criminals may repackage stolen products for individual sale without regard for food safety regulations and sanitation practices, risking contamination or omitting necessary information about ingredients, allergens, or expiration dates. Counterfeit goods of lesser quality can damage a company’s reputation.

BEC is one of the most financially damaging online crimes. According to the FBI’s Internet Crime Complaint Center, victims reported losses of almost $2.4  billion in 2021, based on 19,954 recorded complaints linked to BEC attacks targeting individuals and businesses.

What Are Business Email Compromise Scams (BEC)?

Business Email Compromise (BEC) scams are a type of cybercrime that involves fraudsters manipulating business email accounts or impersonating legitimate business contacts in order to trick employees into sending money or sensitive information. BEC scams are often targeted at small and medium-sized businesses, as they may have less robust cybersecurity measures in place than larger organizations.

One common type of BEC scam is the “CEO scam,” where the scammer poses as the CEO or another high-level executive and sends an urgent email requesting a wire transfer or sensitive information. Another common tactic is for the scammer to impersonate a vendor or supplier, requesting payment for goods or services that were not actually provided.

To prevent BEC scams, it is important for businesses to educate their employees about the risks and to establish clear protocols for verifying the authenticity of requests for sensitive information or money. This might include using two-factor authentication for email accounts, as well as verifying requests through phone calls or other means of communication. It is also important to regularly update cybersecurity software and to use strong, unique passwords for all business accounts.

BEC scams can be particularly damaging to small businesses, as they may not have the resources to recover from the financial losses or reputational damage that can result from these types of attacks. By taking proactive measures to protect against BEC scams, businesses can help to safeguard their assets and maintain the trust of their customers.

THREAT OVERVIEW

Tactics, Techniques, and Procedures

Threat actors may target Food & Agriculture businesses using the following common tactics, techniques, and procedures (TTPs) to steal food products and  ingredients:

  • Creating email accounts and websites that closely mimic those of a legitimate company. The accounts and web addresses may include extra letters or words,  substitute characters (such as the number “1” for a lowercase “l”), or use a different top-level domain (such as .org instead of .gov).
  • Gaining access to a legitimate company’s email system to send fraudulent emails. Spear phishing is one of the most prevalent techniques used for initial access to IT networks; personnel may open malicious attachments or links contained in emails from threat actors to execute malicious payloads that allow access to the network.
  • Adding legitimacy to the scam by using the names of actual officers or employees of a legitimate business to communicate with the victim company.
  • Copying company logos to lend authenticity to their fraudulent emails and documents.
  • Deceiving the victim company into extending credit by falsifying a credit application. The scammer provides the actual information of a legitimate company so the credit check results in an approval of the application. The victim company ships the product but never receives payment.

Food & Agriculture Sector BEC Incidents

In recent incidents, criminal actors have targeted physical goods rather than wire transfers using BEC tactics. Companies in all sectors—both buyers and  suppliers—should consider taking steps to protect their brand and reputation from scammers who use their name, image, and likeness to commit fraud and steal products.

Recent BEC incidents targeting the Food & Agriculture sector include:

  • In August 2022, a US sugar supplier received a request through their web portal for a full truckload of sugar to be purchased on credit. The request contained grammatical errors and purportedly came from a senior officer of a US non-food company. The sugar supplier identified the email address had an extra letter in the domain name and independently contacted the actual company to verify there was no employee by that name working there.
  • In August 2022, a food distributor received an email purportedly from a multinational snack food and beverage company requesting two full truckloads of powdered milk. The criminal actor used the real name of the chief financial officer of the snack food company but used an email address containing an extra letter in the domain name. The victim company had to pay their supplier more than $160,000 for the shipment after responding to the fraudulent request.
  • From at least June through August 2022, unknown criminal actors used the identity of a US company to fraudulently attempt to obtain store credit and/or place large purchase orders to procure shipments of powdered milk and other ingredients from multiple suppliers. Industry dairy vendors notified the company that the unknown third party created falsified credit applications, purchase orders, and invoices in their attempts to place large orders for powdered milk. In one instance, the attempted purchase orders totaled nearly $230,000. In another instance, a vendor shipped two truckloads of powdered milk valued at approximately $200,000. The criminal actors sent emails using the names of the victim company’s president and other employees, used the company’s logo, a variation of the company’s name, and an email address that varied only slightly from real company addresses.
  • In April 2022, a US food manufacturer and supplier received a request through their web portal inquiring about pricing for whole milk powder purportedly from another food company. The spoofed food company email used the name of the president and the company’s actual physical address. The ingredient supplier ran a credit check on the company, extended a line of credit, and the first of two shipments – valued at more than $100,000 – was picked up from
    the supplier. The victim company refused to release the second load until payment was received, and realized the email address used by the criminals was a slight variation on the actual company’s domain name. The victim company contacted the legitimate company, who indicated their identity had been used in similar scams with other companies.
  • In February 2022, four different fraudulent companies placed large orders for whole milk powder and non-fat dry milk from a food manufacturer. The orders, valued at almost $600,000, were picked up, and the victim company was unaware something was wrong until they did not receive payment. In all four instances, real employee names and slight variations of legitimate domain names were used.

RECOMMENDATIONS

The FBI, FDA, and USDA urge businesses to use a risk-informed analysis to prepare for, mitigate, and respond to cyber incidents and cyber-enabled crime. Mitigation recommendations to prevent, detect, and respond to BEC-enabled product theft schemes include:

  • Independently verify contact information provided by new vendors or customers through reputable online sources like associations or business directories. Pay close attention to the verified company name and branding. For example, a scammer’s email may reference “Acme Baking, Inc.” instead of “The Acme Baking Company” and contain an off-color or pixelated logo which mimics the original.
  • Carefully check hyperlinks and email addresses for slight variations that can make fraudulent addresses appear legitimate and resemble the names of actual business partners. Look for additional punctuation, changes in the top-level domain (i.e. “.com” vs “.gov”), added prefixes or suffixes, or misspelling of the domain.
  • Regularly conduct web searches for your company name to identify results that return multiple websites that may be used in a scam, i.e. the actual website “abccompanyllc.com” may be spoofed by fake domains like “abccompany.biz”, “abccompany11c.com”, or “abcompanyllc.com”.
  • Look for grammar, spelling errors, and awkward wording in all correspondence, including emails or requests through company web portals.
  • Ensure company policies provide for verification of any changes to existing invoices, bank deposit information, and contact information.
  • Encourage employees to request clarification and report suspicious requests to their management prior to authorizing transactions.
  • Confirm legitimacy of advance payment or credit requests when not previously required.
  • Verify all payment changes, credit requests, and transactions in person or via a known telephone number rather than through a number or link provided in a suspicious email.
  • Be skeptical of unexplained urgency regarding payment requests or orders, especially from new customers.
  • Be wary of last-minute changes in wire instructions, account information, or shipping destinations as well as changes in established communication platforms or email account addresses.
  • Educate employees about BEC scams, including preventative strategies such as how to identify phishing emails and how to respond to suspected compromises. The FBI has BEC resources here.
  • Implement a user training program with phishing exercises to raise and maintain awareness among users about risks of visiting malicious websites or opening malicious attachments. Reinforce the appropriate user response to phishing and spear-phishing emails.

Immediately report any online fraud or BEC activity to the FBI Internet Crime Complaint Center at ic3.gov/Home/BEC

Recommendations for information technology administrators to help prevent BEC-enabled product theft schemes and to prevent the company’s email system from being used in a scam include:

  • Enable anti-phishing and anti-spoofing security features that block malicious emails.
  • Enable multi-factor authentication for all email accounts.
  • Prohibit automatic forwarding of email to external addresses.
  • Frequently monitor the company email exchange server for changes in configuration and custom rules for specific accounts.
  • Add an email banner to messages coming from outside your organization.
  • Prohibit legacy email protocols, such as POP, IMAP, and SMTP1, that can be used to circumvent multi-factor authentication.
  • Ensure changes to mailbox login and settings are logged and retained for at least 90 days.
  • Enable alerts for suspicious activity, such as foreign logins.
  • Configure Sender Policy Framework, DomainKeys Identified Mail, and Domain-based Message Authentication Reporting and Conformance to prevent spoofing and validate email.
  • Disable legacy account authentication.

The Implications!

While scammers & cybercriminals have been prolific in stealing money, this represents a whole new game with huge imacts on businesses and consumers worldwide.

While normally we talk about relationship scams, a BEC scam is a form of a relationship scam – a relationship between a business and a customer. We also are presenting this to keep all of our readers informed about the different kinds of scams.

But there is another reason, and that is that individual victims also work for companies that may become affected by these scams and are often completely ignorance about them. Scam victims can learn to play a new role in their workplace and help others to become more aware of How and Why scams happen!

-/ 30 /-

What do you think about this?
Please share your thoughts in a comment below!

PLEASE SHARE SO OTHERS WILL KNOW

SCARS Publishing Self-Help Recovery Books Available At shop.AgainstScams.org

Scam Victim Self-Help Do-It-Yourself Recovery Books

SCARS Printed Books For Every Scam Survivor From SCARS Publishing

Visit shop.AgainstScams.org

Each is based on our SCARS Team’s 32-plus years of experience.

SCARS Website Visitors receive an Extra 10% Discount
Use Discount Code “romanacescamsnow” at Checkout

Always Report All Scams – Anywhere In The World To:

Go to reporting.AgainstScams.org to learn how

U.S. FTC at https://reportfraud.ftc.gov/#/?orgcode=SCARS and SCARS at www.Anyscams.com
Visit reporting.AgainstScams.org to learn more!

Legal Disclaimer:

The content provided on this platform regarding psychological topics is intended solely for educational and entertainment purposes. The publisher makes no representations or warranties regarding the accuracy or completeness of the information presented. The content is designed to raise awareness about various psychological subjects, and readers are strongly encouraged to conduct their own research and verify information independently.

The information presented does not constitute professional advice, diagnosis, or treatment of any psychological disorder or disease. It is not a substitute for professional medical or mental health advice, diagnosis, or treatment. Readers are advised to seek the guidance of a licensed medical professional for any questions or concerns related to their mental health.

The publisher disclaims any responsibility for actions taken or not taken based on the content provided. The treatment of psychological issues is a serious matter, and readers should consult with qualified professionals to address their specific circumstances. The content on this platform is not intended to create, and receipt of it does not constitute, a therapist-client relationship.

Interpretation and Definitions

Definitions

For the purposes of this Disclaimer:

  • Company (referred to as either “the Company”, “We”, “Us” or “Our” in this Disclaimer) refers to Society of Citizens Against Relationship Scams Inc. (registered d.b.a. “SCARS”,) 9561 Fountainbleau Blvd., Suit 602, Miami FL 33172.
  • Service refers to the Website.
  • You means the individual accessing this website, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
  • Website refers to RomanceScamsNOW.com, accessible from https://romancescamsnow.com

Website Disclaimer

The information contained on this website is for general information purposes only.

The Company assumes no responsibility for errors or omissions in the contents of the Service.

In no event shall the Company be liable for any special, direct, indirect, consequential, or incidental damages or any damages whatsoever, whether in an action of contract, negligence or other tort, arising out of or in connection with the use of the Service or the contents of the Service. The Company reserves the right to make additions, deletions, or modifications to the contents on the Service at any time without prior notice.

The Company does not warrant this website in any way.

External Links Disclaimer

This website may contain links to external websites that are not provided or maintained by or in any way affiliated with the Company.

Please note that the Company does not guarantee the accuracy, relevance, timeliness, or completeness of any information on these external websites.

Errors and Omissions Disclaimer

The information given by SCARS is for general guidance on matters of interest only. Even if the Company takes every precaution to ensure that the content of this website is both current and accurate, errors can occur. Plus, given the changing nature of laws, rules, and regulations, there may be delays, omissions, or inaccuracies in the information contained on this website.

SCARS is not responsible for any errors or omissions, or for the results obtained from the use of this information.

Fair Use Disclaimer

SCARS may use copyrighted material that has not always been specifically authorized by the copyright owner. The Company is making such material available for criticism, comment, news reporting, teaching, scholarship, or research.

The Company believes this constitutes a “fair use” of any such copyrighted material as provided for in section 107 of the United States Copyright law.

If You wish to use copyrighted material from this website for your own purposes that go beyond fair use, You must obtain permission from the copyright owner.

Views Expressed Disclaimer

The Service may contain views and opinions which are those of the authors and do not necessarily reflect the official policy or position of any other author, agency, organization, employer, or company, including SCARS.

Comments published by users are their sole responsibility and the users will take full responsibility, liability, and blame for any libel or litigation that results from something written in or as a direct result of something written in a comment. The Company is not liable for any comment published by users and reserves the right to delete any comment for any reason whatsoever.

No Responsibility Disclaimer

The information on the Service is provided with the understanding that the Company is not herein engaged in rendering legal, accounting, tax, medical or mental health, or other professional advice and services. As such, it should not be used as a substitute for consultation with professional accounting, tax, legal, medical or mental health, or other competent advisers.

In no event shall the Company, its team, board of directors, volunteers, or its suppliers be liable for any special, incidental, indirect, or consequential damages whatsoever arising out of or in connection with your access or use or inability to access or use the Service.

“Use at Your Own Risk” Disclaimer

All information on this website is provided “as is”, with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this information, and without warranty of any kind, express or implied, including, but not limited to warranties of performance, merchantability, and fitness for a particular purpose.

SCARS will not be liable to You or anyone else for any decision made or action taken in reliance on the information given by the Service or for any consequential, special, or similar damages, even if advised of the possibility of such damages.

Contact Us

If you have any questions about this Disclaimer, You can contact Us:

  • By email: contact@AgainstScams.org

PLEASE NOTE: Psychology Clarification

The following specific modalities within the practice of psychology are restricted to psychologists appropriately trained in the use of such modalities:

  • Diagnosis: The diagnosis of mental, emotional, or brain disorders and related behaviors.
  • Psychoanalysis: Psychoanalysis is a type of therapy that focuses on helping individuals to understand and resolve unconscious conflicts.
  • Hypnosis: Hypnosis is a state of trance in which individuals are more susceptible to suggestion. It can be used to treat a variety of conditions, including anxiety, depression, and pain.
  • Biofeedback: Biofeedback is a type of therapy that teaches individuals to control their bodily functions, such as heart rate and blood pressure. It can be used to treat a variety of conditions, including stress, anxiety, and pain.
  • Behavioral analysis: Behavioral analysis is a type of therapy that focuses on changing individuals’ behaviors. It is often used to treat conditions such as autism and ADHD.
    Neuropsychology: Neuropsychology is a type of psychology that focuses on the relationship between the brain and behavior. It is often used to assess and treat cognitive impairments caused by brain injuries or diseases.

SCARS and the members of the SCARS Team do not engage in any of the above modalities in relationship to scam victims. SCARS is not a mental healthcare provider and recognizes the importance of professionalism and separation between its work and that of the licensed practice of psychology.

SCARS is an educational provider of generalized self-help information that individuals can use for their own benefit to achieve their own goals related to emotional trauma. SCARS recommends that all scam victims see professional counselors or therapists to help them determine the suitability of any specific information or practices that may help them.

SCARS cannot diagnose or treat any individuals, nor can it state the effectiveness of any educational information that it may provide, regardless of its experience in interacting with traumatized scam victims over time. All information that SCARS provides is purely for general educational purposes to help scam victims become aware of and better understand the topics and to be able to dialog with their counselors or therapists.

It is important that all readers understand these distinctions and that they apply the information that SCARS may publish at their own risk, and should do so only after consulting a licensed psychologist or mental healthcare provider.

SCARS IS A DIGITAL PUBLISHER AND DOES NOT OFFER HEALTH OR MEDICAL ADVICE, LEGAL ADVICE, FINANCIAL ADVICE, OR SERVICES THAT SCARS IS NOT LICENSED OR REGISTERED TO PERFORM.

IF YOU’RE FACING A MEDICAL EMERGENCY, CALL YOUR LOCAL EMERGENCY SERVICES IMMEDIATELY, OR VISIT THE NEAREST EMERGENCY ROOM OR URGENT CARE CENTER. YOU SHOULD CONSULT YOUR HEALTHCARE PROVIDER BEFORE FOLLOWING ANY MEDICALLY RELATED INFORMATION PRESENTED ON OUR PAGES.

ALWAYS CONSULT A LICENSED ATTORNEY FOR ANY ADVICE REGARDING LEGAL MATTERS.

A LICENSED FINANCIAL OR TAX PROFESSIONAL SHOULD BE CONSULTED BEFORE ACTING ON ANY INFORMATION RELATING TO YOUR PERSONAL FINANCES OR TAX RELATED ISSUES AND INFORMATION.

SCARS IS NOT A PRIVATE INVESTIGATOR – WE DO NOT PROVIDE INVESTIGATIVE SERVICES FOR INDIVIDUALS OR BUSINESSES. ANY INVESTIGATIONS THAT SCARS MAY PERFORM IS NOT A SERVICE PROVIDED TO THIRD-PARTIES. INFORMATION REPORTED TO SCARS MAY BE FORWARDED TO LAW ENFORCEMENT AS SCARS SEE FIT AND APPROPRIATE.

This content and other material contained on the website, apps, newsletter, and products (“Content”), is general in nature and for informational purposes only and does not constitute medical, legal, or financial advice; the Content is not intended to be a substitute for licensed or regulated professional advice. Always consult your doctor or other qualified healthcare provider, lawyer, financial, or tax professional with any questions you may have regarding the educational information contained herein. SCARS makes no guarantees about the efficacy of information described on or in SCARS’ Content. The information contained is subject to change and is not intended to cover all possible situations or effects. SCARS does not recommend or endorse any specific professional or care provider, product, service, or other information that may be mentioned in SCARS’ websites, apps, and Content unless explicitly identified as such.

The disclaimers herein are provided on this page for ease of reference. These disclaimers supplement and are a part of SCARS’ website’s Terms of Use. 

All original content is Copyright © 1991 – 2023 Society of Citizens Against Relationship Scams Inc. (Registered D.B.A SCARS) All Rights Reserved Worldwide & Webwide. Third-party copyrights acknowledge.

U.S. State of Florida Registration Nonprofit (Not for Profit) #N20000011978 [SCARS DBA Registered #G20000137918] – Learn more at www.AgainstScams.org

View the claimed and or registered indicia, service marks, and trademarks of Society of Citizens Against Relationship Scams Inc., All Rights Reserved Worldwide

Contact the law firm for the Society of Citizens Against Relationship Scams Incorporated by email at legal@AgainstScams.org

Share This Information - Choose Your Social Media!

Leave A Comment

Your comments help the SCARS Institute better understand all scam victim/survivor experiences and improve our services and processes. Thank you


Thank you for your comment. You may receive an email to follow up. We never share your data with marketers.