CEO scammers are now 'shipmentlifting' physical goods
A common scam has evolved from stealing money from companies to taking actual products that they produce or sell.
Business email compromise (a.k.a. CEO fraud) attacks are a highly targeted form of phishing in which scammers impersonate a C-level executive or a critical supplier by spoofing websites, hijacking emails, faking social media profiles, leveraging deepfake video and other tactics to make their identities appear more believable and trustworthy. They then instruct victims to carry out unauthorized wire transfers, purchase gift cards, update billing and banking information or complete other common financial transactions. BEC scams are probably one of the most profitable low-tech cybercrimes. Global businesses lost a whopping $43 billion to BEC between 2016 and 2021. Some estimate BEC is 64 times costlier than ransomware attacks.
BEC attacks now steal large food shipments
In a recent evolution of BEC tactics profiled in an FBI joint cybersecurity advisory, bad actors are using BEC techniques to snatch food shipments worth hundreds of thousands of dollars. As The Register so aptly put it, “The escalation from shoplifting to shipmentlifting is, if nothing else, black-market capitalism in action.”
How does this scam work?
- Attackers create email accounts and websites that closely resemble or impersonate a trusted company. They do this by adding extra letters or words, substituting characters such as “5” for the letter “S”, or swapping the top-level domain, for example using .org instead of .gov.
- Highly-targeted emails are sent to company employees using the actual names of officers or staff. Some emails contain malicious attachments or links to malicious URLs that execute payloads and allow access to the network.
- Victims believe they are speaking with authentic entities because scammers copy graphics such as the company logo onto emails and documents.
- Fraudsters then deceive the victim company into extending credit by falsifying credit applications. Since scammers provide real information about legitimate businesses, credit checks can result in approval of the application. The victim company ships the product but never receives payment.
According to the FBI report, a number of incidents have recently arisen where scammers target physical goods instead of tricking victims to execute wire transfers. In one instance, four fraudulent companies using real employee names placed a $600,000 order for milk powder from a food manufacturer. The orders were picked up and the victim company did not realize something was wrong until they didn’t receive payment.
How can businesses mitigate risks of BEC attacks that steal physical goods?
Regardless of whether a BEC attack targets physical goods or money, the underlying guidance remains the same, which is to stay alert and don’t trust anything at face value. Below are some best practices businesses can follow to mitigate the risks associated with BEC attacks:
- Make employees aware of BEC and CEO-fraud scams and update them regularly about the latest schemes and tactics.
- Implement a training program using phishing simulations and table-top exercises to teach users how to identify phishing emails and encourage the reporting of suspicious content or behavior.
- Educate users about the risks of visiting malicious websites or opening malicious attachments. Ask them to pay close attention to URLs and company branding, and to keep an eye out for hyperlinks and email addresses that have slight variations or domain misspellings. Look for poor grammar, spelling mistakes and awkward wording in all correspondence, including emails and messages received through company web portals.
- Ensure your company policies and procedures mandate a verification process every time there is a change or update to invoices, financial information or key contact information.
- Always verify the legitimacy of advance payments, credit requests or any out-of-context requests, preferably in person or via a known contact.
- Be extremely wary of situations where there is a sudden, unexplained urgency of payment, order or shipment, especially from new customers.
- Be cautious of last-minute changes in wire transfer instructions, bank or invoice information or shipping destinations, as well as changes in established communication platforms or email account addresses.
- Carry out due diligence on new vendors and independently verify contact information through reputable online sources and business directories.
- Regularly conduct web searches for your company to identify duplicate or imposter websites. Think like an attacker and run open-source intelligence tools (OSINT) on your organization to check for vulnerabilities, research social media and monitor the dark web for any leaks or credentials stolen from your company.
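The lookalike-domain tricks described above (extra letters or words, “5” for “S”, a swapped top-level domain) and the advice to watch for slight variations in email addresses can be turned into a simple automated check on incoming mail. The following is an added example written for this page, not code from the article or from KnowBe4. The trusted-domain list, the sample From: headers and the homoglyph table are constructed for illustration, and the domain splitting assumes single-part suffixes such as .com or .gov.

```python
# Added example (not from the article): flag sender domains that look like
# impostors of a trusted domain list. Covers the tricks the article describes:
# extra letters/words, character substitutions such as "5" for "s", and
# top-level-domain swaps such as .org for .gov. Plain Python, no dependencies.
from email.utils import parseaddr

# Constructed list of domains this organisation actually deals with (assumption).
TRUSTED = ["examplefoods.com", "usda.gov"]

# Single-character look-alikes attackers substitute for letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "8": "b"})
# Multi-character sequences that read as one letter in many fonts.
MULTI_HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalize(label: str) -> str:
    """Fold look-alike characters back to the letters they imitate."""
    label = label.lower().translate(HOMOGLYPHS)
    for seq, letter in MULTI_HOMOGLYPHS:
        label = label.replace(seq, letter)
    return label.replace("-", "")


def split_domain(domain: str):
    """Return (registrable label, TLD). Simplification: assumes a one-part
    public suffix such as .com or .gov; suffixes like .co.uk would need
    the Public Suffix List."""
    parts = domain.lower().strip().strip(".").split(".")
    if len(parts) < 2:
        raise ValueError(f"not a fully qualified domain: {domain!r}")
    return parts[-2], parts[-1]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-typo variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_domain(candidate: str, trusted_domains) -> list:
    """Return [(trusted_domain, reason), ...] for every trusted domain the
    candidate imitates. An empty list means the candidate is either exactly
    a trusted domain or unrelated to anything on the list."""
    c_label, c_tld = split_domain(candidate)
    findings = []
    for trusted in trusted_domains:
        t_label, t_tld = split_domain(trusted)
        if (c_label, c_tld) == (t_label, t_tld):
            return []  # genuine trusted domain
        if c_label == t_label:
            findings.append((trusted, "tld_swap"))        # examplefoods.org
        elif normalize(c_label) == normalize(t_label):
            findings.append((trusted, "homoglyph"))       # examplefood5.com
        elif len(t_label) >= 4 and t_label in c_label:
            findings.append((trusted, "added_chars"))     # examplefoods-inc.com
        elif edit_distance(normalize(c_label), normalize(t_label)) <= max(1, len(t_label) // 8):
            findings.append((trusted, "typo"))            # examplefood.com
    return findings


def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From: header value such as 'AP <ap@x.com>'."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        raise ValueError(f"no address in From header: {from_header!r}")
    return addr.rsplit("@", 1)[1].lower()


if __name__ == "__main__":
    # Constructed sample From: headers, not real mail.
    samples = [
        "Accounts Payable <ap@examplefood5.com>",
        "Purchasing <orders@examplefoods.org>",
        "Logistics <ship@examplefoods-inc.com>",
        "Inspector <audit@usda.org>",
        "Real Colleague <jane@examplefoods.com>",
    ]
    for hdr in samples:
        print(hdr, "->", check_domain(sender_domain(hdr), TRUSTED) or "ok")
```

The check is deliberately conservative: an exact match on a trusted domain always wins, the substring rule is skipped for labels shorter than four characters to avoid noise, and the typo threshold scales with the length of the trusted name so that short names require an exact single-edit match. Feeding it the From: header of every inbound order or credit request, and routing anything it flags to a human for the out-of-band verification the article recommends, is the intended use.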
Because BEC attacks most often exploit human frailties (like gullibility, impatience, impulsiveness, etc.), and are seldom detected by technical cybersecurity controls, it’s extremely important that organizations invest in building a security culture that includes a healthy dose of skepticism. Train staff to become the first and last line of defense to thwart scams proactively.
If your organization encounters a fraud or BEC activity, immediately report it to the FBI’s Internet Crime Complaint Center at ic3.gov/Home/BEC.
Stu Sjouwerman is the founder and CEO of KnowBe4, [NASDAQ: KNBE] developer of security awareness training and simulated phishing platforms, with over 54,000 customers and more than 25 million users. He was co-founder of Sunbelt Software, the anti-malware software company acquired in 2010. He is the author of four books, including “Cyberheist: The Biggest Financial Threat Facing American Businesses.”