The Federal Bureau of Investigation (FBI) has warned private sector companies about scammers posing as construction companies in Business Email Compromise (BEC) attacks targeting organizations across multiple critical infrastructure sectors in the US.
BEC scammers use various tactics (including social engineering and phishing) to compromise or impersonate business email accounts with the ultimate goal of redirecting pending or future payments to bank accounts under their control.
The warning was issued through a TLP:GREEN Private Industry Notification (PIN) sent today to organizations to help cybersecurity professionals defend against these active attacks.
According to the FBI, threat actors exploit construction companies’ ongoing, terminated, or foreclosed business relationships to defraud their public and private sector clients.
The BEC campaign started in March
The incidents are part of a campaign that began in March 2021 and has already resulted in financial losses ranging from hundreds of thousands to millions of dollars.
To successfully carry out these BEC attacks, scammers use information collected through online services about the construction companies they impersonate and the customers they target.
Platforms used to collect valuable data (for example, contact information, bidding data, and project costs) include state and local government budget data portals, as well as subscription-based construction industry data aggregators.
The information collected by the attackers allows them to personalize emails designed to exploit the business relationship between the victim and the construction contractors.
To make messages more compelling, scammers send emails asking recipients to change direct deposit account and automatic clearinghouse (ACH) information. The new account information points to bank accounts under the control of the scammers.
These emails are sent using domains that spoof legitimate contractor sites and legitimate company logos and graphics to increase the possibility that victims may not know that the messages are fraudulent.
Almost $2 billion lost to BEC scams in 2020
In March, the FBI also warned of another series of BEC attacks increasingly targeting US state, local, tribal, and territorial (SLTT) government entities, with losses ranging from $10,000 to $4 million between November 2018 and September 2020.
Last month, Microsoft spotted a large-scale BEC campaign targeting more than 120 organizations using typosquatted domains registered a few days before the attacks began.
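The two signals described above, a sender domain that imitates a known contractor's domain and a request to change direct-deposit or ACH details, are something a mail-filtering pipeline or SOC analyst can check for mechanically. The following is an added illustration, not code from the FBI notification or from the article; the vendor domains, the keyword list, the similarity threshold and the sample messages are all constructed for the example.

```python
"""
Added example: triage inbound mail for the two BEC signals the article
describes, (1) a sender domain that spoofs or typosquats a known vendor's
domain and (2) a request to change direct-deposit / ACH information.
Vendor domains, patterns, threshold and messages are constructed.
"""
import re
from difflib import SequenceMatcher
from typing import Dict, Optional, Tuple

# Constructed allow-list: domains of contractors this organization actually pays.
TRUSTED_VENDOR_DOMAINS = {
    "acme-construction.example",
    "northbridge-builders.example",
}

# Phrases that commonly appear in payment-redirection requests (constructed list).
PAYMENT_CHANGE_PATTERNS = [
    r"\bach\b",
    r"direct deposit",
    r"(new|updated?|change(d)?)\s+(bank|account|routing|remittance)",
    r"wire\s+instructions",
]

# Similarity at or above which a domain is treated as a look-alike (assumed value).
LOOKALIKE_THRESHOLD = 0.8


def registrable(domain: str) -> str:
    """Keep the last two labels (naive; a real pipeline should use the public suffix list)."""
    labels = domain.lower().strip().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def normalize(domain: str) -> str:
    """Fold common homoglyph tricks so 'acrne' compares equal to 'acme', '0' to 'o', etc."""
    d = domain.replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135", "oles"))


def lookalike_score(candidate: str, trusted: str) -> float:
    return SequenceMatcher(None, normalize(candidate), normalize(trusted)).ratio()


def classify_sender_domain(sender_domain: str) -> Tuple[str, Optional[str]]:
    """Return ('trusted'|'lookalike'|'unknown', matched trusted domain or None)."""
    d = registrable(sender_domain)
    if d in TRUSTED_VENDOR_DOMAINS:
        return "trusted", d
    best = max(TRUSTED_VENDOR_DOMAINS, key=lambda t: lookalike_score(d, t))
    if lookalike_score(d, best) >= LOOKALIKE_THRESHOLD:
        return "lookalike", best
    return "unknown", None


def requests_payment_change(text: str) -> bool:
    t = text.lower()
    return any(re.search(p, t) for p in PAYMENT_CHANGE_PATTERNS)


def triage(message: Dict[str, str]) -> str:
    """Severity for one message: HIGH, MEDIUM, LOW or NONE."""
    sender_domain = message["from"].rsplit("@", 1)[-1]
    verdict, _ = classify_sender_domain(sender_domain)
    wants_change = requests_payment_change(message["subject"] + " " + message["body"])
    if verdict == "lookalike" and wants_change:
        return "HIGH"    # impersonated vendor asking to redirect payments: hold and verify out of band
    if wants_change:
        return "MEDIUM"  # a genuine vendor domain can itself be compromised; verify by a known phone number
    if verdict == "lookalike":
        return "LOW"     # look-alike domain without a payment request: worth watching
    return "NONE"


# Constructed sample messages (addresses only; display names omitted for brevity).
SAMPLE_MESSAGES = [
    {"from": "ap@acme-construction.example", "subject": "Invoice 4471",
     "body": "Please find the invoice for phase 2 attached."},
    {"from": "billing@acrne-construction.example", "subject": "Updated ACH information",
     "body": "Our bank changed. Please send future payments to the new account below."},
    {"from": "it@northbridge-builders.example", "subject": "Direct deposit update",
     "body": "Please update our remittance details."},
    {"from": "news@unrelated-vendor.example", "subject": "Newsletter",
     "body": "Monthly update."},
]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(f"{triage(m):6}  {m['from']:40}  {m['subject']}")
```

The second sample is the case the article describes: the "rn" in the sender domain renders like "m", so the domain passes a glance, and the body asks for a new account. The third sample shows why the payment-change check is kept separate from the domain check: a request from a genuine vendor domain still earns a call-back, because the vendor's own mailbox may be the thing that was compromised.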
The FBI’s 2020 annual report on cybercrime affecting American victims listed a record number of complaints and financial losses last year.
“The FBI’s Internet Crime Complaint Center (IC3) notes that BEC is a growing and ever-evolving threat as criminal actors become more sophisticated and adapt to current events,” the FBI said.
“There was a 5 percent increase in adjusted losses from 2019 to 2020, with more than $1.7 billion of adjusted losses reported to IC3 in 2019 and more than $1.8 billion of adjusted losses reported in 2020.”
In other alerts issued last year, the FBI warned of BEC scammers exploiting automatic email forwarding and cloud email services such as Microsoft Office 365 and Google G Suite in their attacks.