Multiple federal agencies have issued a joint cybersecurity advisory (CSA) warning the food and agriculture sector about incidents of criminal actors using business email compromise (BEC) tactics to steal food shipments.
The advisory was issued on Dec. 15 by the FBI, the Food and Drug Administration Office of Criminal Investigations (FDA OCI), and the U.S. Department of Agriculture (USDA). In a BEC attack, an employee receives an email that appears official but, in reality, was sent by an impostor attempting to trick the entity for information or money.
The advisory focuses on criminals who use BEC to impersonate employees of legitimate companies to order food products. “The victim company fulfills the order and ships the goods, but the criminals do not pay for the products,” the advisory states.
“Criminals may repackage stolen products for individual sale without regard for food safety regulations and sanitation practices, risking contamination, or omitting necessary information about ingredients, allergens, or expiration dates. Counterfeit goods of lesser quality can damage a company’s reputation.”
The advisory calls BEC one of the “most financially damaging online crimes.” Data from the FBI’s Internet Crime Complaint Center estimates BEC victims to have lost almost $2.4 billion in 2021.
The Crime
Threat actors usually create email accounts and websites that closely resemble a legitimate company. Some even gain access to a company’s email system for sending fraudulent mails.
When communicating with the victim company, criminals make use of actual employee names, thereby strengthening the validity of the scam. Company logos are copied to ensure the authenticity of emails. The criminals then falsify credit applications, and deceive victims into extending credit.
In August 2022, a food distributor supplied two full truckloads of powdered milk in response to a request that seemed to come from a multinational snack and food beverage corporation. It was later found to be fraudulent, with scammers having used an email with an extra letter in the domain name. The victim firm had to cough up $160,000 for the shipment from their supplier.
In February 2022, four fraudulent firms placed large orders for milk products from a food manufacturer valued at $600,000. Only after the orders were picked up did the manufacturer realize they were scammed.
Recommendations and Potential Rise in BEC Scams
The advisory recommended multiple mitigation options, including independently verifying contact information provided by vendors or customers, carefully checking email IDs and hyperlinks for variations, conducting web searches for your company to identify similar domain names that could be used in a scam, and educating employees about BEC scams as well as preventive strategies.
It asked victims of BEC fraud to notify such activity immediately to the FBI Internet Crime Complaint Center. In an interview with Wired, longtime digital scams researcher Crane Hassold pointed out that the number of BEC scams are likely to rise in the future.
The increasing attention on ransomware has made many governments take strict action against such activities, he noted. As such, the return on investment for ransomware attacks for scammers is going to be negatively affected, which could boost BEC attacks.
“Ransomware actors are not going to say, ‘Oh, hey, you got me’ and go away. So it’s possible that you would have this new threat where you have the more sophisticated actors behind ransomware campaigns moving over to the BEC space where all the money is being made,” Hassold said.
Naveen Athrappully is a news reporter covering business and world events at The Epoch Times.
