New BEC Tactics Enable Fake Asset Purchases

Written by

Corporate sellers of IT, agricultural and other goods should beware of business email compromise (BEC) scammers trying to get hold of their assets without paying, the FBI has warned.

These attacks begin in the same way as many traditional BEC threats: fraudsters impersonate the email domains of legitimate companies and use the display names of current or former employees, to make their scams seem more realistic.

Read more on BEC scams: BEC Attacks Surge 81% in 2022.

However, instead of sending fake invoices or money transfer requests, they attempt to ‘purchase’ high-value goods such as construction materials, agricultural supplies, IT hardware and solar energy products.

The key to helping them get away without paying is their use of fake credit references and fraudulent W-9 forms to request the use of credit repayment terms known as Net-30 and Net-60. If a vendor accedes to their use, the criminals will be able to make a purchase without needing to pay any money up front.

“Victimized vendors ultimately discover the fraud after attempts to collect payment are unsuccessful or after contacting the company they believed had initially placed the purchase order, only to be notified that the source of the emails was fraudulent,” the FBI warned.

The FBI urged companies not to fall for this new type of BEC by:

  • Directly calling to confirm the identity and employment status of the email sender, rather than calling any number provided on the bottom of a scam email
  • Ensuring the email domain associated with a sending company is the right one
  • Not clicking on any links provided in emails, but instead typing in URLs directly

As scammers continue to find new ways to monetize attacks, some tried-and-tested BEC methods remain popular. Researchers last week revealed an audacious $36m attempt to persuade a company to pay one of its ‘partners,’ whom threat actors were impersonating.

BEC was the second-highest grossing cybercrime type of 2022, generating over $2.7bn for cyber-criminals last year, according to the FBI.

What’s hot on Infosecurity Magazine?