Scammers steal huge shipments from US food suppliers, American agencies warn


In recent months, cybercriminals have stolen hundreds of thousands of dollars' worth of shipments from US food suppliers by placing fraudulent orders for milk products, the Federal Bureau of Investigation (FBI) and other federal agencies announced.

In a joint Cybersecurity Advisory, the FBI, the Food and Drug Administration Office of Criminal Investigations, and the US Department of Agriculture say that threat actors are using the technique known as business email compromise (BEC).

What it means is that the unnamed criminal groups set up email accounts impersonating top executives of food companies and then convinced their suppliers to ship them truckloads of powdered milk.


In some of the cases, the suppliers only realized they had been deceived after they had already shipped well over $100,000 of milk products. This prompted the federal agencies to urge the companies to “consider taking steps to protect their brand and reputation.”

“Criminals may repackage stolen products for individual sale without regard for food safety regulations and sanitation practices, risking contamination or omitting necessary information about ingredients, allergens, or expiration dates. Counterfeit goods of lesser quality can damage a company’s reputation,” the advisory said.


It’s the latest example of BEC, which has been costing Americans far more than any other type of online crime. According to the FBI’s Internet Crime Complaint Center, victims reported losses of almost $2.4 billion in 2021, based on 19,954 recorded complaints linked to BEC attacks targeting individuals and businesses.

What’s more, according to research by Cofense, a computer security company, BEC has been the number one cybercrime for financial losses for seven consecutive years, resulting in over $400 billion stolen from victims globally, despite the relatively low-level sophistication of the attacks.

BEC is most commonly used to steal money, but in cases like this, criminals spoof emails and domains to impersonate employees of legitimate companies and order food products. The victim company fulfills the order and ships the goods, but the crooks do not pay for the products.

Fake email accounts or websites usually closely mimic those of a legitimate company: their names may include extra letters or substitute characters or use a different top-level domain, such as .org instead of .gov.


According to the advisory, threat actors can also use spear phishing to gain access to a legitimate company’s email system and then send fraudulent emails.

US agencies also say that BEC tactics have lately been used to target physical goods rather than wire transfers.

“We have seen criminal actors hit critical infrastructure, as well as churches, small businesses and abuse romance victims for years. With this most recent dive into food, it goes to show that scammers have little empathy or concern when it comes to making a dollar,” Tonia Dudley, Chief Information Security Officer at Cofense, said.

Vigilance is advised. For instance, in August, a US sugar supplier received a request through their web portal for a full truckload of sugar to be purchased on credit.

The request contained grammatical errors and purportedly came from a senior officer of a US non-food company. The sugar supplier noticed an extra letter in the domain name of the address and independently contacted the company to verify the email. Turns out, there was no employee by that name working there – no money was lost.
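The lookalike patterns described above (extra letters, substituted characters, a different top-level domain) and the extra letter the sugar supplier spotted can be checked automatically before an order is processed. The following is an added example, not code from the advisory or this article; the trusted-domain list, the substitution table and every sample address are constructed assumptions.

```python
# Added example: all domains and the substitution table below are constructed.
TRUSTED = {"examplefoods.com", "agency.gov"}   # hypothetical known partners
DIGIT_SWAPS = str.maketrans("0135", "oles")    # 0->o, 1->l, 3->e, 5->s
PAIR_SWAPS = (("rn", "m"), ("vv", "w"))        # letter pairs that resemble one letter
MAX_EDITS = 2                                  # tolerated extra/missing/changed letters


def sender_domain(address):
    """Domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].strip().rstrip(".").lower()


def split_domain(domain):
    """Split at the last dot into (name, tld); ignores suffixes like co.uk."""
    name, _, tld = domain.rpartition(".")
    return name, tld


def normalize(name):
    """Undo common substitutions so 'examp1e' compares equal to 'example'."""
    name = name.translate(DIGIT_SWAPS)
    for fake, real in PAIR_SWAPS:
        name = name.replace(fake, real)
    return name


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(address, trusted=TRUSTED):
    """Return (verdict, trusted domain it resembles or None) for a sender address."""
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted", domain
    name, tld = split_domain(domain)
    for good in sorted(trusted):
        g_name, g_tld = split_domain(good)
        if name == g_name and tld != g_tld:
            return "tld-swap", good            # e.g. .org instead of .gov
        if normalize(name) == normalize(g_name):
            return "char-substitution", good   # e.g. 1 in place of l
        if edit_distance(name, g_name) <= MAX_EDITS:
            return "near-match", good          # e.g. one extra letter
    return "unknown", None
```

A "trusted" verdict only means the domain string matches the list; it does not cover mail sent from a compromised legitimate account, so independent verification of large orders still applies.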