A new public service announcement focuses on a specific form of BEC attack using little more than a spoofed domain and common vendor payment practices to steal hardware, supplies and more.
When I talk about BEC attacks, it is usually a digital fraud in which legitimate payments owed to a vendor are diverted to an attacker-controlled bank account, either through a spoofed domain or through a compromised email account.
But a new type of BEC is being highlighted in the FBI’s latest Public Service Announcement where the gambit is to use the combination of a spoofed domain, fraudulent W-9 forms and fake credit references to fool suppliers into providing NET30 and NET60 payment terms. Victim vendors include those providing construction materials, agricultural supplies, computer hardware and solar energy products.
With payment terms in place, attackers can place multiple orders on credit and then evaporate into the wind when the invoices come due.
The FBI recommends that organizations put additional validation steps in place when new customers are set up, including verifying that the domain actually belongs to the claimed vendor and directly calling the company's main number to verify the employee.
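The domain check in that recommendation is easy to automate as a first gate before anyone picks up the phone. The following is an added example, not code from the FBI PSA or from the original post: it compares the domain a new-customer request arrived from against the domain already on record for the company it claims to be, and flags exact matches, look-alike domains (different TLD, swapped characters, typosquats, the real name embedded in a longer one) and plain mismatches. Function names, the confusable-character table and all domain names are assumptions constructed for the example, and the TLD split is deliberately simplified.

```python
"""
Hypothetical new-customer domain check (example code, not from the FBI PSA
or the original post). Compares the domain an onboarding request came from
against the domain on record for the company it claims to be, and flags
exact matches, look-alike domains, and plain mismatches. All domain names
used with it are constructed sample values.
"""
from dataclasses import dataclass

# Character swaps commonly used to build a look-alike domain (assumed list)
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m",
}


def registrable_part(domain: str) -> tuple[str, str]:
    """Split 'www.acme-supply.com' into ('acme-supply', 'com').

    Simplified: treats the last label as the TLD, which is wrong for
    multi-part suffixes such as 'co.uk'; a real deployment would use the
    public suffix list instead.
    """
    labels = domain.lower().strip().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def fold_confusables(label: str) -> str:
    """Replace look-alike characters so 'acrne-supp1y' folds to 'acme-supply'."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    status: str   # "match", "lookalike", or "mismatch"
    reason: str


def check_customer_domain(claimed: str, on_record: str) -> Verdict:
    """Classify the domain a new-customer request arrived from.

    `on_record` is the domain your team has already verified for that company
    (for instance from an existing relationship or a call to its main number).
    Anything other than "match" should hold NET30/NET60 terms until a human
    confirms the request by phone.
    """
    claimed = claimed.lower().strip()
    on_record = on_record.lower().strip()
    # Exact domain, or a host under it (sales.acme-supply.com), is fine.
    if claimed == on_record or claimed.endswith("." + on_record):
        return Verdict("match", "domain is the one on record")

    c_label, c_tld = registrable_part(claimed)
    r_label, r_tld = registrable_part(on_record)

    if c_label == r_label and c_tld != r_tld:
        return Verdict("lookalike", f"same name under a different TLD (.{c_tld} vs .{r_tld})")
    if fold_confusables(c_label) == r_label:
        return Verdict("lookalike", "name built from look-alike characters")
    if edit_distance(c_label, r_label) <= 2:
        return Verdict("lookalike", "name within two edits of the domain on record")
    if r_label in c_label:
        return Verdict("lookalike", "domain on record embedded in a longer name")
    return Verdict("mismatch", "unrelated domain")


if __name__ == "__main__":
    # Constructed sample requests: one genuine, the rest suspicious.
    for claimed in ["sales.acme-supply.com", "acme-supply.net",
                    "acrne-supp1y.com", "acme-suply.com",
                    "acme-supply-procurement.com", "globex-industrial.com"]:
        v = check_customer_domain(claimed, "acme-supply.com")
        print(f"{claimed:32} {v.status:9} {v.reason}")
```

The check only tells you the request did not come from the domain you already trust; a "lookalike" or "mismatch" verdict is the trigger for the phone call the PSA describes, not a substitute for it, and a "match" still says nothing about whether the mailbox itself was compromised.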
These kinds of steps and more are taught as part of a proper Security Awareness Training program designed to help users identify suspicious and malicious emails quickly, before they can do the organization harm.