Business Email Compromise Tactics Used to Facilitate the Acquisition of Commodities and Defrauding Vendors

The FBI warns the public of criminal actors using Business Email Compromise (BEC) schemes to facilitate the acquisition of a wide range of commodities. BEC is one of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business—both personal and professional.

In many BEC scams, criminals send an email message that appears to come from a known source making a legitimate request. You can find more information on BEC from PSA I-050422-PSA or the FBI BEC website

Methodology

Criminal actors impersonate the email domains of legitimate U.S.-based companies using spoofed email domain addresses and the display names of current or former company employees, as well as fictitious names to initiate the bulk purchase of goods from vendors across the U.S. As a result, email messages sent to vendors appear to come from known sources of business. Thus, victimized vendors assume they are conducting legitimate business transactions fulfilling the purchase orders for distribution.

To further delay the discovery of the fraud, criminal actors apply and are often granted credit repayment terms known as Net-30 and Net-60 terms, providing fake credit references and fraudulent W-9 forms to vendors. The repayment terms allow criminal actors to initiate additional purchase orders without providing upfront payment.

Victimized vendors ultimately discover the fraud after attempts to collect payment are unsuccessful or after contacting the company they believed had initially placed the purchase order, only to be notified that the source of the emails was fraudulent.

Criminal actors continue to target and acquire a variety of commercially available goods, including:

  • Construction Materials
  • Agricultural Supplies
  • Computer Technology Hardware
  • Solar Energy Products

Tips to Protect Yourself

To reduce the chances of becoming a victim, individuals/vendors are advised to verify the source of the email by:

  • Directly calling a business’s main phone line to confirm the identity and employment status of the email originator, rather than calling numbers provided via email contact
  • Ensuring the email domain address is associated with the business it claims to be from
  • Do not click on any links provided in emails, instead, type in the URL/domain of the source directly

Examples of spoofed email domains:

Actual Email Domain Spoofed Email Domain
@company.com @co-pany.com
@company-usa.com
@companygroup.com
@companygroupinc.com
@companyengineering.com
@companiesengineering.com

Victim Reporting

If you believe your company has been the victim of a BEC, please file a report with the FBI Internet Crime Complaint Center at www.ic3.gov.

Be sure to include:

  • Subject names, phone numbers, and email addresses.
  • Transaction information if available.
  • Any domains utilized in the fraud.

For security purposes, no attachments or files can be provided.