A new public service announcement focuses on a specific form of BEC attack using little more than a spoofed domain and common vendor payment practices to steal hardware, supplies and more.
When I talk about BEC attacks, it’s usually a digital fraud type of attack where legitimate funds being paid to a vendor are diverted to an attacker-controlled bank account by means of the attacker using a spoofed domain or via email compromise.
But a new type of BEC is being highlighted in the FBI’s latest Public Service Announcement where the gambit is to use the combination of a spoofed domain, fraudulent W-9 forms and fake credit references to fool suppliers into providing NET30 and NET60 payment terms. Victim vendors include those providing construction materials, agricultural supplies, computer hardware and solar energy products.
With payment terms in place, attackers can place multiple orders and then evaporate into the wind when it comes time to pay.
The FBI recommends that organizations put additional validation steps in place when new customers are set up that include verifying the domain belongs to the claimed vendor, and directly calling the company’s main number to verify the employee.
These kinds of steps and more are taught as part of a proper Security Awareness Training program designed to help users identify suspicious and malicious emails quickly before they have an ability to do the organization harm.
CEO fraud has ruined the careers of many executives and loyal employees, causing over $26 billion in losses. Don’t be the next victim. This manual provides a thorough overview of how executives are compromised, how to prevent such an attack and what to do if you become a victim.
