Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Request a Demo

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Request a Demo
Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

View All Trustwave Services
Solutions
BY INDUSTRY
BY REGULATION
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
We reduce cyber risk and fortify organizations
Awards and Accolades
Recognition by analysts and media outlets
Trustwave SpiderLabs Team
Global researchers, ethical hackers, and responders
Trustwave Fusion Security Operations Platform
Unprecedented security visibility and control
Trustwave Security Colony
Access to cybersecurity threat protection resources
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
Register
Login
Resources
BLOGS
UPCOMING
MEDIA & ASSETS
NOTICES
HELP

BEC Attackers Switch Tactics Using Phishing Emails to Steal Merchandise

3 Minute Read

Cybercriminals who use Business Email Compromise (BEC) attacks are switching up their tactics, with some groups now targeting actual merchandise instead of money in their phishing attacks.

Trustwave’s email security solution MailMarshal is aware of and investigating this new methodology. MailMarshal is capable of defending an organization against BEC attacks.

This Federal Bureau of Investigation (FBI), the Food and Drug Administration Office of Criminal Investigations (FDA OCI), and the U.S. Department of Agriculture (USDA) issued a special joint cybersecurity  on Dec. 16, 2022, detailing recent incidents where threat actors stole large shipments of food, produce, and ingredients.

BEC is one of the most financially damaging online crimes. According to the FBI’s Internet Crime Complaint Center, victims losses of almost $2.4 billion in 2021, based on 19,954 recorded complaints linked to BEC attacks targeting individuals and businesses. However, the vast majority of these incidents saw the criminals attempting to simply convince a target to send them money via a wire transfer using a fake contract or invoice.

The joint cybersecurity advisory included several examples of attempted and completed thefts, mostly involving dairy products and, in one case, a large amount of sugar. However, the agencies gave no reason why the attackers singled out this particular product nor where the stolen goods were shipped.

The attacks took place from February to August 2022. In each case, the target company received a fraudulent email, or an order placed through an online purchasing portal. The BEC actors continue to use their standard tactics that have unfortunately worked so well with their prior fraudulent efforts. These include:

  • Creating email accounts and websites that closely mimic those of a legitimate company.
  • Gaining access to a legitimate company’s email system to send fraudulent emails. Spear phishing is one of the most prevalent techniques used for initial access to IT networks; personnel may open malicious attachments or links contained in emails from threat actors to execute malicious payloads that allow access to the network.
  • Adding legitimacy to the scam by using the names of actual officers or employees of a legitimate business to communicate with the victim company.
  • Copying company logos to lend authenticity to their fraudulent emails and documents.
  • Deceiving the victim company into extending credit by falsifying a credit application. The scammer provides the factual information of a legitimate company, so the credit check results in the application being approved. The victim company ships the product but never receives payment.

Two successful attacks discussed in the advisory resulted in the victims losing in excess of several hundred thousand dollars.

In April 2022, a U.S. food manufacturer and supplier received a request through its web portal inquiring about pricing for whole milk powder purportedly from another food company. The attackers spoofed a legitimate food company using a version of its email configuration and the name of the company’s actual president and the company’s real physical address. The ingredient supplier ran a credit check on the company, which came up acceptable as it is a real company and extended a line of credit, and the first of two shipments – valued at more than $100,000 – was picked up from the “supplier.”

Luckily, the victim company refused to release the second load until payment was received, and only then realized the email address used by the criminals was a slight variation on the actual company’s domain name. As a result, the victim contacted the legitimate company, which confirmed that attackers have previously used their identity in similar scams.

In a separate incident in February 2022, four fraudulent companies placed large orders for whole milk powder and non-fat dry milk from a food manufacturer. The orders, valued at almost $600,000, were picked up, and the victim company was unaware something was wrong until it did not receive payment. In all four instances, the threat actors used real employee names and slight variations of legitimate domain names.

The advisory noted that one BEC was foiled due to the fact that the target company used proper email security procedures.

In August 2022, a U.S. sugar supplier received a request through its web portal for an entire truckload of sugar to be purchased on credit. The request contained grammatical errors, which the victim noted, and purportedly came from a senior officer of a U.S. non-food company. The sugar supplier identified that the email address had an extra letter in the domain name and independently contacted the company to verify there was no employee by that name working there.

19431_picture1ff

Trustwave SpiderLabs recommends a combination of technology and employee training that all companies should implement to ensure emails are legitimate.

  • Deploying an email security gateway - on-premises or in the cloud with multiple layers of technology, including anti-spam, anti-malware, and flexible policy-based content filtering capabilities
  • Locking down inbound email traffic content as much as possible. Carefully consider employing a strict inbound email policy
  • Quarantine or flag all executable files, including Java, scripts such as .js and .vbs, and all unusual file attachments
  • Create exceptions or alternative mechanisms for handling legitimate inbound sources of these files
  • Blocking or flagging macros in Microsoft documents
  • Blocking or flagging password-protected archive files and blocking odd or unusual archive types, such as .ace, .img, .iso
  • Keeping client software such as Microsoft 365 and Adobe Reader fully patched and promptly up to date. Many email attacks succeed because of unpatched client software
  • Ensuring potentially malicious or phishing links in emails can be checked, either with the email gateway or a web; gateway, or both

Deploying anti-spoofing technologies on your domains at the email gateway and deploying techniques to detect domain misspellings to detect phishing and BEC attacks. Also, ensure there are robust processes in place for approving financial payments via email

  • Educating users – inform the rank and file up to the C-suite on the nature of today’s email attacks
  • Conducting mock phishing exercises against your staff to show employees that phishing attacks are a real threat of which they need to be aware

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Emerging Threats

Latest Intelligence

Top Database Security Tools for Enhanced Vulnerability Assessment and Compliance
Beyond Compliance: Building a Resilient Security Strategy with the ISM and Essential Eight
Trustwave and Cybereason Join Forces to Create a Leading Global MDR Provider, Offering Unmatched Cybersecurity Value

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo