Threat actors launching business email compromise (BEC) attacks were found stealing food product shipments, according to a joint advisory released by the FBI, the FDA OCI, and the US Department of Agriculture (USDA).
In usual instances, BEC campaigns involve the compromise of an email account of a targeted company’s employee. These employees are sent fraudulent emails, tricking them into wiring funds to attacker-controlled bank accounts via social engineering tactics.
However, in the most recent BEC campaign observed by researchers, attackers target the food and agriculture sector via malicious emails impersonating legitimate firms to order high volumes of food products, amounting to hundreds of thousands of dollars, without paying them.
Stolen food product shipments could lead to contamination, damaging a company’s reputation.
The authorities’ joint public advisory explained that threat actors repackaging stolen food product shipments for individual sale could lead to contamination and further harm. This issue is due to the criminals disregarding food safety regulations, such as ingredients, allergens, and expiration dates, so they could resell the items or use them for other ill-intended purposes.
Additionally, a company’s reputation could be damaged since the illicit distribution of food product shipments for individual sale is presented under their brand name.
The authorities also explained how the BEC actors executed their recent campaign. First, they create fake email accounts that resemble a targeted legitimate company. They use these malicious accounts to send fraudulent messages to targets.
In some instances, the attackers use the names of real employees, managers, or company logos to make their tactic more convincing to the victim. They also put pressure or a sense of urgency on these emails to compel the victims to react impulsively and bite into their lure.
Because of these recent threats, the authorities advise food and agriculture companies worldwide to be cautious of the risks posed by BEC attacks. Emails sent by suspicious senders must always be double-checked, especially with how they were worded or if there are any spoofing indicators present.
Being able to identify BEC scams is also vital. Thus, companies are urged to educate employees about its threats so that the entire organisation can avoid being a victim of such attacks.
