FBI: Business email compromise tactics used to defraud U.S. vendors

FBI: Business email compromise tactics used to defraud U.S. vendors

The Federal Bureau of Investigation is warning companies in the U.S. of threat actors using tactics similar to business email compromise that allow less technical actors to steal various goods from vendors.

Typical business email compromise (BEC) attacks focus on stealing money by tricking the victim into diverting funds to the fraudster’s account.

In 2021, the losses associated with BEC schemes reached almost $2.4 billion in the U.S. alone. The figure is based only on the complaints received by the FBI that year, close to 20,000.

In the type of fraud that the FBI observed the threat actor is employing false acquisition schemes to obtain various products from vendors across the country.

Skilled fraudsters

In an alert on Friday, the FBI notes that criminal actors are impersonating the email domains of U.S.-based companies to initiate bulk purchases.

The fraudsters are diligent enough to use spoofed emails with names of real employees, current or former, of the businesses they impersonate.

“Thus, victimized vendors assume they are conducting legitimate business transactions fulfilling the purchase orders for distribution,” the agency explains.

According to the FBI, among the commercially available goods targeted in this type of fraud are construction materials, agricultural supplies, computer technology hardware, and solar energy products.

While the technical skills required to spoof an email address are very low, it appears that the actors are skilled fraudsters knowledgeable in business payments and how to hide the cheating.

The FBI says that the criminal actors would also delay the discovery of the swindle by applying for credit (Net-30 and Net-60 terms) from the seller based on fake references and counterfeit W-9 forms that include income information.

After being granted a 30 or 60-day credit repayment term, the fraudsters can start additional purchase orders without having to pay in advance.

The FBI recommends vendors check the source of an email before agreeing to a transaction. They can pull the buyer’s contact information from a reliable source (e.g. company’s website, social media, or online databases) and call them directly to inquire about the purchase intent.


  • sun-devil99 Photo sun-devil99 – 3 days ago

    Another safe guard too is not allowing a "new customer' credit terms on their first orders. I am surprised (though not sure why) 'social media' would be considered a reliable verification source. Perhaps because of the current state of mess with Twitter 'verification status' at the moment.


Related posts

Slack’s private GitHub code repositories stolen over holidays

Sarah Henriquez

7 Stages of Application Testing: How to Automate for Continuous Security

Sarah Henriquez

Hackers stealing GitHub accounts using fake CircleCI notifications

Sarah Henriquez

Leave a Comment