The FBI today updated a warning issued last month: a Nigerian-based criminal group using e-mail account spoofing, phishing and a variety of social engineering attacks is amping up attacks that defraud retailers of everything from laptops and routers to industrial equipment.
The FBI said more than 85 companies and universities nationwide whose identities were used to perpetrate the scheme. Approximately 400 actual or attempted incidents have targeted some 250 vendors, and nearly $5 million has been lost so far.
The FBI investigators are calling the scam purchase order fraud and said the perpetrators are extremely skillful.
“Through online and telephone social engineering techniques, the fraudsters trick retailers into believing they are from legitimate businesses and academic institutions and want to order merchandise. The retailers believe they are filling requests for established customers, but the goods end up being shipped elsewhere—often to the unsuspecting at-home Internet users, who are then duped into re-shipping the merchandise to Nigeria,” the FBI said.
+More on Network World: World’s craziest Halloween coffins+
The scam has several variations, but basically it works like this:
- The criminals set up fake websites with domain names almost identical to those of real businesses or universities. They do the same for e-mail accounts and also use telephone spoofing techniques to make calls appear to be from the right area codes.
- Next, the fraudsters—posing as school or business officials—contact a retailer’s customer service center and use social engineering tactics to gather information about the organization’s purchasing account.
- The criminals then contact the target business and request a quote for products. They use forged documents, complete with letterhead and sometimes even the name of the organization’s actual product manager. They request that the shipments be made on a 30-day credit—and since the real institution often has good credit, vendors usually agree.
- The criminals provide a U.S. shipping address that might be a warehouse, self-storage facility, or the residence of a victim of an online romance or work-from-home scam (see sidebar). Those at-home victims are directed to re-ship the merchandise to Nigeria and are provided with shipping labels to make the job easy.
- The vendor eventually bills the real institution and discovers the fraud. By then, the items have been re-shipped overseas, and the retailer must absorb the financial loss.
The FBI said businesses can avoid becoming victims of purchase order fraud by being aware of several fraud indicators:
- Incorrect domain names on websites, e-mails, and purchase orders. The scammers use nearly identical domain names of legitimate organizations, but in the case of a university, for example, if the URL does not end in .edu, it is likely fraudulent.
- The shipping address on a purchase order is not the same as the business location. Likewise, if the delivery address is a residence or self-storage facility, it should raise red flags.
- Poorly written e-mail correspondence that contains grammatical errors, suggesting that the message was not written by a fluent English speaker.
- Phone numbers not associated with the company or university, and numbers that are not answered by a live person.
- Orders for unusually large quantities of merchandise, with a request to ship priority or overnight.
Although the cyber criminals are practiced at deception, there are ways to spot the fraud, according to a statement from FBI Special Agent Paula Ebersole: “The most important thing is to independently verify shipping addresses,” she said, “no matter how legitimate a website or e-mail looks.”
Check out these other hot stories: