Email scammers stole more than $150K from defense contractors and a university, FBI says

Written by

Cybercriminals defrauded two defense contractors and a university out of more than $150,000 through email scams last year, the FBI has warned companies.

Scammers obtained fraudulent lines of credit to buy expensive technical equipment in the organizations’ names, the FBI said last week in an industry advisory obtained by CyberScoop. The suspects spoofed email addresses of the target organizations, convincing suppliers to process payments with fake purchase orders and credit documents.

The bureau did not name any organization victimized in the scams, which took place in the first half of 2018.

In one case, someone impersonating an employee of a large university placed two orders for 150 digital multimeters, which are devices that measure electric current, from a U.S. Department of Defense supplier, leading to roughly $80,000 in losses, according to the FBI. Two other cases involved defense contractors getting swindled for a total of $90,000.

The affected contractors were cleared to handle classified DOD information, but it was the companies’ checkbooks, and not their data, that was exposed in the schemes.

The losses could have been avoided had suppliers confirmed the purported buyers’ email domain names or shipping addresses, or if they suspended a shipment until reaching the buyer by phone, the bureau concluded.

Such business email compromise (BEC) scams have grown increasingly clever and broader in scope in recent years, according to researchers. For example, one London-based criminal group has compiled a potential target list of more than 50,000 corporate officials, including those at the world’s biggest banks, according to email security firm Agari.

“Business impersonation fraud is trending because it works,” said Alexander Heid, chief security officer at SecurityScorecard, which builds risk profiles on companies based on publicly accessible information. “With 1,000 target enterprises, if only 1 percent fall for the scam, that is still ten places wiring over large sums of money – and that adds up very fast.”

“The incentive is there, the technology is there, the risk is low compared to traditional forms of crime, and now we are seeing the aftermath in the form of victim stories and law enforcement warnings after years of observed activity,” Heid told CyberScoop.

The FBI warning comes after the Justice Department last month announced that it had busted a crime ring that had defrauded Americans of millions of dollars through an online auction scheme.

To defend against BEC scams, the FBI is telling people to pick up the phone to verify purchase orders, among other steps for securing procurement policies.

“Suppliers should be particularly alert to unknown company representatives submitting quote requests via the supplier’s website, without the purchasers’ subsequent acknowledgment or without validating through any existing corporate relationships,” the bureau warned.

An FBI spokesperson declined to comment on the specifics of the advisory, but provided this statement to CyberScoop: “In furtherance of public-private partnerships, the FBI routinely advises private industry of various cyber threat indicators observed during the course of our investigations. This data is provided in order to help systems administrators guard against the actions of persistent cybercriminals.”