US agencies warn of hackers using BEC tactics to steal large shipments of food products, ingredients

Organizations in the food and agriculture sector have been warned of recently observed incidents of criminal hackers using business email compromise (BEC) to steal shipments of food products and ingredients valued at hundreds of thousands of dollars. On Thursday, U.S. agencies released a joint cybersecurity advisory (CSA) that identifies the emergence of the BEC tactic as ‘one of the most financially damaging’ online crimes.

“While BEC is most commonly used to steal money, in cases like this criminals spoof emails and domains to impersonate employees of legitimate companies to order food products,” the Federal Bureau of Investigation (FBI), the Food and Drug Administration Office of Criminal Investigations (FDA OCI), and the US Department of Agriculture (USDA) wrote in the advisory. “The victim company fulfills the order and ships the goods, but the criminals do not pay for the products.”

The advisory also warned that criminals may repackage stolen products for individual sale without regard for food safety regulations and sanitation practices, risking contamination or omitting necessary information about ingredients, allergens, or expiration dates. Counterfeit goods of lesser quality can damage a company’s reputation, it added.

The agencies called upon organizations to take immediate measures to protect against product theft and BEC schemes. It also suggested training employees on how to identify fraudulent email addresses and domains and implementing user training and phishing exercises to raise awareness about the risks of suspicious links and attachments. The advisory also recommended conducting “web searches for your company name to identify fraudulent websites that may be used to impersonate you in a scam.”

According to the FBI’s Internet Crime Complaint Center, victims reported losses of almost $2.4 billion in 2021, based on 19,954 recorded complaints linked to BEC attacks targeting individuals and businesses.

The U.S. food and agriculture sector is almost entirely under private ownership and is composed of an estimated 2.1 million farms, 935,000 restaurants, and more than 200,000 registered food manufacturing, processing, and storage facilities. The sector accounts for roughly one-fifth of the nation’s economic activity, and has critical dependencies with many sectors, but particularly with water and wastewater systems, transportation systems, energy and chemical sectors. 

The advisory noted that hackers may target food and agriculture businesses to steal food products and ingredients by creating email accounts and websites that closely mimic those of a legitimate company. The accounts and web addresses may include extra letters or words, substitute characters (such as the number ‘1’ for a lowercase ‘l), or use a different top-level domain (such as [dot]org instead of [dot]gov). 

The advisory also warned of “gaining access to a legitimate company’s email system to send fraudulent emails. Spear phishing is one of the most prevalent techniques used for initial access to IT networks; personnel may open malicious attachments or links contained in emails from threat actors to execute malicious payloads that allow access to the network.”

The advisory also warned of adding legitimacy to the scam by using the names of actual officers or employees of a legitimate business to communicate with the victim company. “Copying company logos to lend authenticity to their fraudulent emails and documents. Deceiving the victim company into extending credit by falsifying a credit application. The scammer provides the actual information of a legitimate company so the credit check results in approval of the application. The victim company ships the product but never receives payment,” it added. 

Recent incidents have displayed that criminal hackers have targeted physical goods rather than wire transfers using BEC tactics. Companies in all sectors—both buyers and suppliers—should consider taking steps to protect their brand and reputation from scammers who use their name, image, and likeness to commit fraud and steal products.

The advisory pointed to recent BEC incidents targeting the food and agriculture sector. In August this year, a U.S. sugar supplier received a request through their web portal for a full truckload of sugar to be purchased on credit. The request contained grammatical errors and purportedly came from a senior officer of a US non-food company. The sugar supplier identified the email address had an extra letter in the domain name and independently contacted the actual company to verify there was no employee by that name working there.

In the same month, another food distributor received an email purportedly from a multinational snack food and beverage company requesting two full truckloads of powdered milk. “The criminal actor used the real name of the chief financial officer of the snack food company but used an email address containing an extra letter in the domain name. The victim company had to pay their supplier more than $160,000 for the shipment after responding to the fraudulent request,” the advisory added.

The advisory also said that from at least June through August this year, unknown criminal hackers used the identity of a U.S. company to fraudulently attempt to obtain store credit and/or place large purchase orders to procure shipments of powdered milk and other ingredients from multiple suppliers. “Industry dairy vendors notified the company that the unknown third party created falsified credit applications, purchase orders, and invoices in their attempts to place large orders for powdered milk,” it added. 

In one instance, the attempted purchase orders totaled nearly $230,000, the advisory said. “In another instance, a vendor shipped two truckloads of powdered milk valued at approximately $200,000. The criminal actors sent emails using the names of the victim company’s president and other employees, used the company’s logo, a variation of the company’s name, and an email address that varied only slightly from real company addresses,” it added. 

In April, a U.S. food manufacturer and supplier received a request through their web portal inquiring about pricing for whole milk powder purportedly from another food company. “The spoofed food company email used the name of the president and the company’s actual physical address. The ingredient supplier ran a credit check on the company, extended a line of credit, and the first of two shipments –valued at more than $100,000 –was picked up from the supplier,” the advisory added.

The advisory noted that the victim company refused to release the second load until payment was received, and realized the email address used by the criminals was a slight variation on the actual company’s domain name. The victim company contacted the legitimate company, who indicated their identity had been used in similar scams with other companies. 

In February, four different fraudulent companies placed large orders for whole milk powder and non-fat dry milk from a food manufacturer. The orders, valued at almost $600,000, were picked up, and the victim company was unaware something was wrong until they did not receive payment. In all four instances, real employee names and slight variations of legitimate domain names were used.

The FBI, FDA, and USDA urge businesses to use a risk-informed analysis to prepare for, mitigate, and respond to cyber incidents and cyber-enabled crime. It suggested independently verifying contact information, carefully checking hyperlinks and email addresses, and frequently conducting web searches for the company name to identify results that return multiple websites that may be used in a scam. 

The advisory also recommends ensuring company policies provide for verification of any changes to existing invoices, bank deposit information, and contact information. It calls upon employees to request clarification and report suspicious requests to their management prior to authorizing transactions, confirm the legitimacy of advance payment or credit requests when not previously required, and verify all payment changes, credit requests, and transactions in person or via a known telephone number rather than through a number or link provided in a suspicious email.

It also warned organizations in the food and agriculture sector to be skeptical of unexplained urgency regarding payment requests or orders, especially from new customers. Additionally, it suggests that enterprises be wary of last-minute changes in wire instructions, account information, or shipping destinations, and changes in established communication platforms or email account addresses.

Last month, the U.S. administration released a National Security Memorandum that works on strengthening the security and resilience of the nation’s food and agriculture sector, in response to the possibility of high-consequence and catastrophic incidents. The federal government is set to identify and assess threats, vulnerabilities, and impacts from these high-consequence and catastrophic incidents.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.