Typical business email compromise attacks (VEC attack) are focused on stealing money by tricking the victim into redirecting the funds to the attacker’s account. However, some cybercriminals go further and do not steal funds directly. In their attacks, they focus on the goods that the victim company produces or supplies.

The US Federal Bureau of Investigation is alerting US companies to an increase in fraud using tactics very similar to VEC attacks, but with several key differences. In the case of a specific fraudulent campaign that the FBI observed, attackers used false buy-sell schemes to obtain various goods from suppliers throughout the country. The criminals sent fake emails from fake domains that looked like the domains of large American companies in order to initiate bulk purchases.

In their attacks, the attackers took a fairly responsible approach to the choice of the sender’s name and other details in e-mails. For example, letters were sent only on behalf of current or former employees of imitated companies, so that the attack looked more believable and did not raise doubts.

“Affected merchants assume that they are conducting legitimate business transactions by fulfilling normal purchase orders, but in fact they are victims of fraud,” — explains FBI. Employees of the department also noticed that in some cases, the attackers even took out loans issued according to fake information in order to freely receive the goods for one or two months and not think about how to fake the fact of payment.

According to the agency, this type of fraud is aimed at a number of different products. It includes: building materials, agricultural products, computer equipment, etc. Losses associated with such fraudulent schemes reached almost $2.4 billion in 2021 based on 20,000 recorded complaints. And that’s just in the US.

While the technical skills required to forge an email address are very low, it appears that the actors in these malicious campaigns are highly experienced in this area. They are well versed in business payments and various methods of hiding the fact of fraud.

The FBI recommends that major suppliers and other sellers of goods always verify the sender of an email before confirming a transaction. Reliable information about the buyer can always be obtained from a reliable source. For example, a company website, social media, or an online database.

Since attackers most often simply forge letters from large companies, it is easiest for the employee responsible for making a decision on the transaction to call this company directly and clarify all the information of interest. Especially if there are suspicions of fraud by the sender.