BEC Fraudsters Expand to Snatch Real-World Goods in Commodities Twist

Business email compromise scams are moving beyond just stealing cash, with some threat actors fooling companies into sending goods and materials on credit, and then skipping out on payment.


Some cybercriminals are flipping their playbook on business email compromise (BEC) scams and, rather than posing as vendors seeking payment, are now posing as buyers, taking their profits in easily sold commodities.

By adopting the identity of a known company, criminal actors are able to order various goods in bulk, get beneficial terms of credit, and disappear before the manufacturer discovers the fraud, stated the FBI in a recent advisory on the trend. The scheme has become more common in specific sectors, with targets including construction materials, agricultural supplies, computer technology hardware, and solar-energy systems, according to the agency.

This form of fraud also allows attackers to escape the notice of financial institutions, which have become very skilled at tracking currency movement and clawing back funds, says Sourya Biswas, technical director of risk management and governance at NCC Group, a consultancy.

"BEC targeting commodities may have electronic records regarding the ordering, dispatch, and receipt of goods, but not for the last-mile piece where those goods are sold," he says. "Considering the types of commodities targeted — construction materials, computer hardware, etc. — these are typically easy to sell in pieces for cash to multiple buyers without triggering red flags."

This is not the first time that commodity theft has come to light. Last summer, BEC criminal groups targeted food manufacturers, stealing sugar and powdered milk by the truckload. In 2021, fraudsters used similar methods, posing as an electrical contracting company, to have 35 MacBooks worth almost $110,000 delivered to a business address, but switched the destination at the last minute.

Same Tactics, Different Outcome

In its advisory, the FBI noted that the tactics used by the criminal groups mimic those of more traditional BEC scams, with threat actors taking control of, or spoofing, legitimate domains of US companies, researching the proper employees to contact at a vendor, and then emailing requests to the vendor that appear to originate with the legitimate company.

However, commodities-fraud operations are harder to uncover than funds-focused BEC fraud. For instance, the criminal groups will often apply for Net-30 or Net-60 terms for payment by providing fake credit references and fraudulent tax forms to vendors, giving them lead time to fence the goods and disappear before suspicion might arise, the FBI stated in the advisory.

"Victimized vendors assume they are conducting legitimate business transactions fulfilling the purchase orders for distribution," the advisory stated. "The repayment terms allow criminal actors to initiate additional purchase orders without providing upfront payment."

A Significant Evolution for BEC

Commodities scams are decades old, especially with easy-to-resell electronics, says Roger Grimes, data-driven defense evangelist at KnowBe4, a cybersecurity services firm.

"If you know a little industry vernacular and how supply chains work, it's easier to convince the victims of the scam," he says. "It's also harder to trace the resell of those goods once the fraudster has obtained possession of them. But it also isn't every fraudster's first choice of how to get paid, because it significantly cuts down on profit margin."

What has changed is that cybercriminals who previously ran BEC scams focused on fraudulent money transfers are now taking an interest in the gambit.

The transition to targeting commodities is being driven by necessity in some cases, because BEC fraud is squarely on organizations' radars these days. In its "Internet Crime Report 2022," the FBI noted that its Recovery Asset Team (RAT) has recovered nearly three-quarters (73%) of all funds stolen by BEC groups since 2018. And financial institutions have become better at detecting fraud and cutting off funds more quickly, which has forced attackers to adapt, says Dmitry Bestuzhev, senior director of cyberthreat intelligence at BlackBerry.

"Financial institutions on both sides — sending or receiving funds — have been working to make it harder for the BEC operators," he says, adding that, for attackers, by "focusing on goods purchasing, it's an easier way to escape the monitoring algorithms ... so even if it's a two-step operation, it's still safer in terms of traceability and anti-fraud, prevention algorithms."

In addition, the simplicity of the scam has made the social-engineering aspects more effective. By asking for payment for goods, impersonating someone in authority, and using the language expected of business transactions, attackers are able to fool non-tech-savvy business people, says the NCC Group's Biswas.

Paying attention to advisories, such as the FBI's public service announcement, and building processes that can withstand social-engineering attacks is important, he says.

For instance, employees should be trained to spot obvious red flags. While compromising a legitimate company's email server provides a more convincing identity with which to conduct fraud, most criminal groups just use variants on the company name, such as changing a "company.com" domain to "co-pany.com" or "company-usa.com."
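The same red-flag check can be automated on incoming purchase-order email. The sketch below is an added example, not code from the article or the FBI advisory; the allow-list, the function names, and the thresholds are assumptions chosen to cover the variants mentioned above.

```python
import re

# Constructed allow-list: domains of customers already on file (not from the article).
KNOWN_CUSTOMERS = {"company.com", "acme-electric.com"}

def _label(domain):
    """Name part left of the TLD. Naive: no public-suffix list, so 'x.co.uk' yields 'co'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address, known=KNOWN_CUSTOMERS):
    """Return (verdict, matched_known_domain_or_None) for an order's From address."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in known:
        return ("known", domain)
    label = _label(domain)
    for good in sorted(known):
        good_label = _label(good)
        if label == good_label:
            return ("other-tld", good)        # e.g. company.net
        if re.search(rf"(^|-){re.escape(good_label)}(-|$)", label):
            return ("added-token", good)      # e.g. company-usa.com
        # Assumed threshold: at most two edits, and only for names of 5+ characters.
        if len(good_label) >= 5 and edit_distance(label, good_label) <= 2:
            return ("near-miss", good)        # e.g. co-pany.com
    return ("unknown", None)

if __name__ == "__main__":
    for addr in ("orders@company.com", "orders@co-pany.com",
                 "ap@company-usa.com", "info@unrelated-supplies.com"):
        print(addr, classify_sender(addr))
```

A "known" verdict only means the domain matches a customer on file; as the article notes, a compromised legitimate mail server would pass this check.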

"Cybercriminals are always evolving, and defenders should evolve as well," Biswas says. "Any organization that pays for vendor services or supplies goods and services — that pretty much includes everyone — should always be on the lookout for ... new cybercrime tactics, techniques, and procedures (TTPs)."

About the Author

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.
