The FBI and Internet Crime Complaint Center (IC3) today issued a warning about a criminal group using e-mail account spoofing, phishing and a variety of social engineering attacks to defraud retailers of everything from laptops and routers to industrial equipment.
The FBI says the scheme usually begins with scamsters posing as school officials approaching retailers with a plan to buy large amounts of merchandise.
+More on Network World: FBI warns businesses “Man-in-the-E-Mail” scam escalating+
The FBI advisory describes how the scam works:
Step 1: A subject, posing as a school official, contacts a retailer’s customer service call center by telephone or e-mail. Using social engineering tactics, the subject attempts to gather additional information about the purchasing account. The subject typically terminates the phone call or e-mail session once sufficient information is gathered to place an order. Subjects also obtain account information from the school’s public website, if available.
Step 2: The subject makes a second contact with the target vendor, again representing himself as a school official and providing the account information obtained from step one. Billing to the school’s line of credit, the subject makes large purchases (such as laptops, routers, hard drives, printer toner, printer ink, medical supplies, and industrial equipment) with some orders totaling more than $200,000.
Step 3: During the purchase, the subject provides the customer service representative with a U.S. shipping address, typically belonging to a victim of a “romance scam” or “work from home” fraud scheme. A subject contacts the online scam victim and directs the individual to re-ship the office supplies to an address in West Africa, typically Nigeria, the United Kingdom, or to a U.S.-based storage or warehouse facility. To facilitate the re-shipment, the individual receives a shipping label prior to receiving the merchandise.
The FBI added that in another variation of the scheme, the subject provides the true shipping address of the school he is purporting to represent. The subject then contacts the school, posing as an employee of the vendor, claiming that the products were shipped to the school in error. The school, believing it is returning the products to their rightful owner, reships the items to a domestic address provided by the subject. Recruited individuals in the U.S. then re-ship the products overseas, the agency stated.
E-mail Account Spoofing Techniques are used by subjects to place orders by establishing false school e-mail accounts, which appear similar to legitimate school e-mail addresses but lack the .edu extension. Below are variations of spoof email addresses:
Once the fraud is discovered, the retailer absorbs the financial losses without recourse to the school.
Check out these other hot stories: