Threat actors are currently using BEC (Business Email Compromise) attacks to steal large food shipments and ingredients from suppliers and distributors around the country, according to a recent FBI advisory. The attacks appear to have been going on since at least the beginning of last year and have so far cost several organizations hundreds of thousands of dollars in losses.
Business Email Compromise is a type of sophisticated email cybercrime in which an attacker targets a business to defraud the company. The email appears to come from a known source making a legitimate request; however, the sender is impersonating a legitimate employee or supplier, or using a compromised account, to trick victims into sharing sensitive data or wiring money.
It is important to note that BEC is one of the most financially damaging online crimes. According to the FBI’s Internet Crime Complaint Center, victims reported losses of almost $2.4 billion in 2021, based on 19,954 recorded complaints linked to BEC attacks targeting individuals and businesses.
It’s concerning to see these BEC attacks, which are a serious threat to organizations of all sizes, and particularly concerning to see them used to steal food shipments and ingredients from suppliers and distributors. We’re seeing BEC as a top cyber threat impacting businesses today and it’s the most effective way to perpetrate financial crime. Stealing food shipments is just another deviation.
These attacks rely on social engineering tactics to trick individuals into transferring funds or providing sensitive information to the attackers. Unfortunately for organizations, the threats can be hard to detect because they can elicit an emotional response, use a style that seems familiar, or come from internal sources through previously compromised accounts.
According to the FBI report, the attackers are using spoofed emails and domains to impersonate employees of legitimate companies to order food products. The victim company fulfills the order and ships the goods, but the criminals do not pay for the products. Criminals may repackage stolen products for individual sale without regard for food safety regulations and sanitation practices, risking contamination or omitting necessary information about ingredients, allergens, or expiration dates. Counterfeit goods of lesser quality can damage a company’s reputation.
We know that attackers use a variety of social engineering tactics, such as posing as executives or other high-level employees, to trick individuals into transferring funds or providing sensitive information. In some cases, the attackers may also use malware or other cyber tools to gain unauthorized access to a company’s system and steal sensitive information.
To combat these social engineering types of BEC attacks, organizations need to be vigilant and implement strong security measures to protect against them. This can include employee education on how to identify and report suspicious emails, implementation of two-factor authentication for email accounts, and regular financial transaction reviews to detect any unusual activity. In addition, organizations should consider implementing strict controls on financial transactions, such as the requirement of multiple approvals or the use of secure methods of communication when requesting or approving financial transfers.
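For the spoofed sender domains described in the FBI report above, one check an order desk can automate is comparing the From and Reply-To domains of an incoming order email against the customers it already trades with. This is an added example, not code from the FBI advisory or from any SlashNext product; the domain list, sample messages and function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains of customers you already trade with (constructed values).
KNOWN_DOMAINS = {"freshfoods.example", "grainco.example"}

# Constructed sample messages: one from a near-miss domain, one from a real customer.
SAMPLE_LOOKALIKE = ("From: Purchasing <orders@freshfood.example>\n"
                    "Reply-To: orders@freshfood-orders.example\n"
                    "Subject: New purchase order\n\nPlease ship on credit terms.\n")
SAMPLE_LEGIT = ("From: Purchasing <orders@freshfoods.example>\n"
                "Subject: New purchase order\n\nPlease ship on credit terms.\n")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using one rolling row of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value) -> str:
    """Lower-cased domain part of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower().rstrip(".")

def check_order_email(raw: str, known=KNOWN_DOMAINS, max_dist: int = 2) -> list:
    """Return a list of findings; an empty list means no header anomaly."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    if from_dom not in known:
        # A domain within a few edits of a real customer is a likely lookalike.
        near = sorted(k for k in known if edit_distance(from_dom, k) <= max_dist)
        if near:
            findings.append(f"lookalike:{from_dom}~{near[0]}")
        else:
            findings.append(f"unknown-sender-domain:{from_dom}")
    if reply_dom and reply_dom != from_dom:
        # Replies routed to a different domain than the visible sender.
        findings.append(f"reply-to-mismatch:{reply_dom}")
    return findings

if __name__ == "__main__":
    for name, raw in (("lookalike", SAMPLE_LOOKALIKE), ("legit", SAMPLE_LEGIT)):
        print(name, check_order_email(raw))
```

A lookalike domain registered by the attacker can pass SPF, DKIM and DMARC, so this comparison complements sender authentication rather than replacing it. It does not catch orders sent from a genuinely compromised customer account, which is where out-of-band order verification still matters.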
We have a range of solutions that can help companies protect against BEC attacks, including these five categories of attack:
- Fake Invoices: Companies with international vendors are often the target of these attacks, where cybercriminals impersonate vendors requesting fund transfers for payments to an account owned by cybercriminals.
- CEO Fraud: When a cybercriminal poses as the CEO or executive of an organization and asks employees to transfer money or send gift cards.
- Account Takeover: When an employee’s account has been hacked and is used to request payments from email contacts, with the requests sent from the legitimate email address. Payments are then sent to the cybercriminal’s bank accounts instead of the actual vendor.
- Attorney Impersonation: Cybercriminals impersonate a lawyer and make fraudulent requests to gather confidential information.
- Data Exfiltration: HR or Accounts Payable employees are targeted to obtain personally identifiable information (PII) or tax statements of employees and executives to use in future attacks.
By implementing SlashNext modern cloud email security, you’ll stop sophisticated email attacks like BEC as well as threats other security solutions miss. For more information check out our cloud email security page.