BEC aims at diversion of food.

The Federal Bureau of Investigation (FBI), the Food and Drug Administration Office of Criminal Investigations (FDA OCI), and the US Department of Agriculture (USDA) have issued a joint cybersecurity advisory warning of business email compromise (BEC) attacks designed to steal food shipments.

BEC used to steal physical goods.

Threat actors are impersonating real food and agriculture companies to order hundreds of thousands of dollars worth of food and ingredients:

“While BEC is most commonly used to steal money, in cases like this criminals spoof emails and domains to impersonate employees of legitimate companies to order food products. The victim company fulfills the order and ships the goods, but the criminals do not pay for the products. Criminals may repackage stolen products for individual sale without regard for food safety regulations and sanitation practices, risking contamination or omitting necessary information about ingredients, allergens, or expiration dates. Counterfeit goods of lesser quality can damage a company’s reputation.”

In one incident that occurred in February 2022, scammers posed as four different companies and stole nearly $600,000 worth of whole milk powder and nonfat dry milk from a food manufacturer.

Industry comment: the versatility of BEC.

Tonia Dudley, Chief Information Security Officer at Cofense, offered the following comments:

“According to Cofense research, business email compromise (BEC) has been the number one cybercrime for financial losses for seven consecutive years, resulting in over $400 billion stolen from victims globally, despite the relatively low-level sophistication of the attacks. BEC attacks are often carried out solely via email communication and largely without malware and credential phishing mechanisms like malicious attachments and links. 

“One of the most important things that people need to realize is that the actors behind BEC are involved in multiple types of attacks. We have seen them hit critical infrastructure, as well as churches, small businesses and abuse romance victims for years. With this most recent dive into food, it goes to show that scammers have little empathy or concern when it comes to making a dollar.

“Though no single company can solve BEC, awareness can help mitigate the threat. Organizations must be well prepared to identify potential threats by knowing when it is okay to provide credentials and reporting to your security team if you’ve given your credentials away in error. Additionally, organizations should use secondary security controls or two-factor authentication to verify requests for changes in account information and keep all systems updated.”