Fraudsters are posing as procurement agents from real companies and placing fake orders for expensive equipment such as satellite phones, marine GPS devices, high-performance computers, laptops, network switches, etc.
Proofpoint threat researchers warn about a widespread scam tricking companies into sending expensive equipment to scammers who leverage stolen identities and common Net financing options, which let businesses buy goods now and pay later, typically within 15-90 days.
This fraud type is known as a net RFQ (Request for Quote) scam.
“These actors use a network of shipping forwarding services, standalone warehouses, and individual money mules to enable their crimes,” the researchers said in a report.
Fake order inquiries are among the top five most frequently observed social engineering tactics targeting companies.
Fraudsters reach out asking for quotes for various products or services. Later, they use the received quotes to make very convincing lures. They can send malware, phishing links, attempt additional business email compromise, and social engineering fraud.
The researchers themselves posed as suppliers and identified “numerous activity clusters” conducting the fraud.
How does the scam typically work?
First, fraudsters pose as procurement agents for real companies. They use stolen or publicly available information, such as Employer Identification Numbers (EINs), Data Universal Numbering System (DUNS) numbers, addresses, and stolen identities of real employees, Proofpoint explains.
“They create convincing-looking email signatures, sometimes even replicating corporate branding,” the report reads.
Cybercriminals typically place highly specific orders and target a wide range of companies. In one provided example, fraudsters impersonated a university and requested a quote for network equipment, including dozens of Ubiquiti UniFi 6 Pro Access points, hundreds of MIKROTIK SFP modules, and others.
Scammers use both free email accounts and lookalike domains to appear legitimate and increase their chances. They often specify items that are in high demand in rapidly developing countries.
“Items most frequently observed are Fluke brand testing equipment, various brands of hard drives, surveillance cameras, WiFi equipment, and all manner of medical devices,” the report claims.
Once they get a response and quotes, the fraudsters will send all the required information to process the net financing request, including the legal business name, EIN, and DUNS numbers, as well as supporting documents such as articles of incorporation and a business license.
“The scammers are usually keen to get the shipment started as soon as possible,” Proofpoint researchers noted.
Multiple scammers asked for partial shipments or offered to truncate orders to speed up approval and deliveries.
The fraudsters avoid providing the shipping address immediately and typically hold off until they know the goods are going to be shipped. This may be due to operational security concerns or the need to arrange for a mule or intermediary to take delivery at a residential address.
“The most frequently used companies appear to be shipping forwarding services that specialize in sending goods to West African countries like Nigeria and Ghana,” the researchers found.
“These businesses likely have no knowledge of the illegal nature of the cargo they are shipping. They are likely just convenient for the threat actors.”
The threat actors have also been observed renting 10’x15’ and 15’x20’ warehouse spaces on a month-to-month basis in a variety of locations across the US.
Interactions with the scammers helped Proofpoint’s team to successfully take down 19 of the scammers' domains. In some cases, fraudsters quickly spun up new domains to resume conversations.
Some of the domain names used included novartispharmaceuticalscorp[.]com, hbfullercompany[.]net, magnetek-inc[.]com, americaninstituteresearch[.]org, abec-electricinc[.]com and others.
The researchers also helped to identify and stop some fraudulent deliveries in progress.
Companies are advised to be cautious of urgent financing requests and to diligently verify email addresses to prevent falling victim to fraud.
“Be wary of Net financing requests that impress a heightened sense of urgency,” researchers suggest.
“Search the company name online; does the domain match the sender's domain? Is the email legitimate? Phoning the business directly from a phone number listed on the legitimate business website can help validate whether something is authentic, or if it’s a scam.”
Your email address will not be published. Required fields are markedmarked