Getty Images/iStockphoto
FBI Alerts to BEC Scams Targeting COVID-19 PPE Supply Procurement
Hackers are targeting those attempting to buy personal protective equipment (PPE) and other COVID-19-related medical supplies with business email compromise (BEC) scams, FBI warns.
Cybercriminals are again leveraging the COVID-19 pandemic for financial benefit. The latest FBI alert warns hackers are targeting the government and other healthcare industry buyers attempting to purchase personal protective equipment (PPE) with business email compromise (BEC) scams.
The alert follows an earlier FBI warning that all sectors should expect an increase in BEC schemes tied to the pandemic.
The rapidly emerging fraud campaign is also tied to procurement of medical equipment, such as ventilators, and other equipment and supplies related to the Coronavirus response.
The threat actors have already taken aim at state government agencies, which attempted to purchase medical equipment and instead wire transferred funds to fraudulent actors and sellers ahead of planned receipt of the items. The FBI noted the actors were both foreign and domestic, with one entity claiming they already had a relationship with the victim.
“By the time the purchasing agencies became suspicious of the transactions, much of the funds had been transferred outside the reach of US law enforcement and were unrecoverable,” the FBI wrote. “The current environment, in which demand for PPE and certain medical equipment far outstrips supply, is ripe for fraudulent actors perpetrating advance fee and BEC schemes.”
“In advance fee schemes related to procurement, a victim pre-pays (partially or in full) a purported seller or a broker for a good or service and then receives little or nothing in return,” they added.
According to Barracuda Networks, BEC schemes make up for less than 10 percent of spear-phishing attacks but are three times more successful than traditional phishing attempts. BEC hackers rely heavily on impersonation, mimicking someone from within the organization, a vendor, business partner, or other trusted sender.
The highly targeted attacks are tough to detect as they rarely include malicious attachments or URLs. And by sending emails to just a few recipients, rather than a mass spam campaign, hackers are better able to monitor responses sent from victims, Barracuda researchers explained.
“Hackers want a response from their victim before making a request for a wire transfer or personal information,” the researchers wrote at the time. “Along those lines, an overwhelming majority of business email compromise attacks initially include a very simple message, such as ‘Do you have a minute?’ or ‘I need your help.’”
The latest FBI alert warns there are several ways to indicate that an offer to sell COVID-19 supplies may not be legitimate. For one, the seller or broker initiated the contact, especially when the message comes from a difficult to verify channel or email.
Other signs of scam include a broker being unable to explain the origin of the items or how the vendor was able to have available supplies amid the demand. The scam vendor will also not be able to verify with the product manufacturer that the seller is a legitimate distributer of the product.
Lastly, these BEC scams will have an unexplained urgency to transfer funds or request a last-minute change in wiring instructions.
“If the seller claims to represent an entity with an existing relationship to the buyer, verify claims through a known contact—do not contact the vendor through information provided in an email or phone communication,” the FBI recommended.
“If possible, have a trusted independent party verify the items for sale are physically present and of the promised make, model, and quality, and take delivery immediately upon payment,” they added. “If immediate delivery is impossible, route payments to a domestic escrow account to be released to the seller upon receipt of the promised items.”
Buyers should also verify with the manufacturer or distributer that the seller is legitimate for the items offered for sale. The FB also recommends not re-rerouting payments without independent verification that the directions were sent from an authorized party.
It’s also important verify the email address used to send the emails to ensure the sender’s email address matches who they say they are, especially on mobile or handheld devices.
Healthcare organizations should expect a continued increase in fraud and phishing attempts as the pandemic continues. Researchers and multiple federal agencies have continued to warn hackers are also targeting DNS routers, Virtual Private Networks (VPNs), and other remote platforms, given the rapid increase in remote work.