U.S. agencies are warning organizations in the food and agriculture sector about recently observed incidents of business email compromise designed to steal shipments of food products and ingredients with hefty price tags.
Instead of being used to directly steal money, these new campaigns are designed to spoof emails and domains to impersonate employees of legitimate companies to order food products. The victim company fulfills the order and ships the goods, but the criminals never pay, according to a joint advisory from the FBI, Food and Drug Administration and Department of Agriculture.
Criminals may repackage the stolen products for individual sale and skirt food safety regulations and practices, according to the advisory.
The agencies list several recent examples of this kind of activity, including one U.S. sugar supplier that received a request through its web portal for a full truckload of sugar to be purchased on credit. The request contained grammatical errors and came from a senior officer of a non-food company in the U.S. The sugar supplier independently contacted the company to verify that the request was fraudulent.
In that case and others listed, domain names were slightly misspelled or contained an extra letter in an attempt to trick the victim companies.
According to the advisory, these are the tactics, techniques and procedures (TTPs) that food and agriculture organizations should be looking out for:
- Creating email accounts and websites that closely mimic those of a legitimate company. The accounts and web addresses may include extra letters or words, substitute characters (such as the number “1” for a lower case “l”), or use a different top level domain (such as .org instead of .gov).
- Gaining access to a legitimate company’s email system to send fraudulent emails. Spear phishing is one of the most prevalent techniques used for initial access to IT networks; personnel may open malicious attachments or links contained in emails from threat actors to execute malicious payloads that allow access to the network.
- Adding legitimacy to the scam by using the names of actual officers or employees of a legitimate business to communicate with the victim company.
- Copying company logos to lend authenticity to their fraudulent emails and documents.
- Deceiving the victim company into extending credit by falsifying a credit application. The scammer provides the actual information of a legitimate company so the credit check results in an approval of the application. The victim company ships the product but never receives payment.
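The first item above (extra letters or words, a "1" in place of an "l", a different top-level domain) can be screened for when an order or credit request arrives. The sketch below is an added example, not code from the advisory; the domain names are constructed, the "0"-for-"o" mapping and the edit-distance threshold are assumptions, and it assumes sender domains carry no subdomains.

```python
# Flag sender domains that imitate a known customer or supplier domain.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})  # "0"->"o" is an assumption
TRUSTED = ("sweetmill.example", "grainworks.example")  # constructed allow-list

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_domain(domain):
    """Split 'name.tld' at the first dot (assumes no subdomains)."""
    name, _, tld = domain.lower().strip(".").partition(".")
    return name, tld

def classify_sender(sender, trusted=TRUSTED, max_distance=2):
    """Return (verdict, imitated_domain) for an email address or bare domain."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return ("trusted", domain)
    name, tld = split_domain(domain)
    for good in trusted:
        gname, gtld = split_domain(good)
        if name == gname and tld != gtld:
            return ("different-tld", good)
        if name.translate(HOMOGLYPHS) == gname.translate(HOMOGLYPHS):
            return ("character-substitution", good)
        # Extra word (trusted name embedded) or a small misspelling.
        if gname in name or edit_distance(name, gname) <= max_distance:
            return ("misspelling-or-extra-text", good)
    return ("unknown", None)

if __name__ == "__main__":
    for s in ("orders@sweetmill.example", "cfo@sweetmi1l.example",
              "cfo@sweetmilll.example", "cfo@sweetmill.test",
              "buyer@harvestcoop.example"):
        print(s, classify_sender(s))
```

An "unknown" verdict only means the domain does not resemble an allow-listed one; a match on any other verdict is a cue to verify the request through a contact channel already on file.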
Read the advisory for more information on these incidents and preventing business email compromise.