Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

BEC Attackers Switch Tactics Using Phishing Emails to Steal Merchandise

Cybercriminals who use Business Email Compromise (BEC) attacks are switching up their tactics, with some groups now targeting actual merchandise instead of money in their phishing attacks.

Trustwave’s email security solution MailMarshal is aware of and investigating this new methodology. MailMarshal is capable of defending an organization against BEC attacks.

This Federal Bureau of Investigation (FBI), the Food and Drug Administration Office of Criminal Investigations (FDA OCI), and the U.S. Department of Agriculture (USDA) issued a special joint cybersecurity  on Dec. 16, 2022, detailing recent incidents where threat actors stole large shipments of food, produce, and ingredients.

BEC is one of the most financially damaging online crimes. According to the FBI’s Internet Crime Complaint Center, victims losses of almost $2.4 billion in 2021, based on 19,954 recorded complaints linked to BEC attacks targeting individuals and businesses. However, the vast majority of these incidents saw the criminals attempting to simply convince a target to send them money via a wire transfer using a fake contract or invoice.

The joint cybersecurity advisory included several examples of attempted and completed thefts, mostly involving dairy products and, in one case, a large amount of sugar. However, the agencies gave no reason why the attackers singled out this particular product nor where the stolen goods were shipped.

The attacks took place from February to August 2022. In each case, the target company received a fraudulent email, or an order placed through an online purchasing portal. The BEC actors continue to use their standard tactics that have unfortunately worked so well with their prior fraudulent efforts. These include:

  • Creating email accounts and websites that closely mimic those of a legitimate company.
  • Gaining access to a legitimate company’s email system to send fraudulent emails. Spear phishing is one of the most prevalent techniques used for initial access to IT networks; personnel may open malicious attachments or links contained in emails from threat actors to execute malicious payloads that allow access to the network.
  • Adding legitimacy to the scam by using the names of actual officers or employees of a legitimate business to communicate with the victim company.
  • Copying company logos to lend authenticity to their fraudulent emails and documents.
  • Deceiving the victim company into extending credit by falsifying a credit application. The scammer provides the factual information of a legitimate company, so the credit check results in the application being approved. The victim company ships the product but never receives payment.

Two successful attacks discussed in the advisory resulted in the victims losing in excess of several hundred thousand dollars.

In April 2022, a U.S. food manufacturer and supplier received a request through its web portal inquiring about pricing for whole milk powder purportedly from another food company. The attackers spoofed a legitimate food company using a version of its email configuration and the name of the company’s actual president and the company’s real physical address. The ingredient supplier ran a credit check on the company, which came up acceptable as it is a real company and extended a line of credit, and the first of two shipments – valued at more than $100,000 – was picked up from the “supplier.”

Luckily, the victim company refused to release the second load until payment was received, and only then realized the email address used by the criminals was a slight variation on the actual company’s domain name. As a result, the victim contacted the legitimate company, which confirmed that attackers have previously used their identity in similar scams.

In a separate incident in February 2022, four fraudulent companies placed large orders for whole milk powder and non-fat dry milk from a food manufacturer. The orders, valued at almost $600,000, were picked up, and the victim company was unaware something was wrong until it did not receive payment. In all four instances, the threat actors used real employee names and slight variations of legitimate domain names.

The advisory noted that one BEC was foiled due to the fact that the target company used proper email security procedures.

In August 2022, a U.S. sugar supplier received a request through its web portal for an entire truckload of sugar to be purchased on credit. The request contained grammatical errors, which the victim noted, and purportedly came from a senior officer of a U.S. non-food company. The sugar supplier identified that the email address had an extra letter in the domain name and independently contacted the company to verify there was no employee by that name working there.


Trustwave SpiderLabs recommends a combination of technology and employee training that all companies should implement to ensure emails are legitimate.

  • Deploying an email security gateway - on-premises or in the cloud with multiple layers of technology, including anti-spam, anti-malware, and flexible policy-based content filtering capabilities
  • Locking down inbound email traffic content as much as possible. Carefully consider employing a strict inbound email policy
  • Quarantine or flag all executable files, including Java, scripts such as .js and .vbs, and all unusual file attachments
  • Create exceptions or alternative mechanisms for handling legitimate inbound sources of these files
  • Blocking or flagging macros in Microsoft documents
  • Blocking or flagging password-protected archive files and blocking odd or unusual archive types, such as .ace, .img, .iso
  • Keeping client software such as Microsoft 365 and Adobe Reader fully patched and promptly up to date. Many email attacks succeed because of unpatched client software
  • Ensuring potentially malicious or phishing links in emails can be checked, either with the email gateway or a web; gateway, or both

Deploying anti-spoofing technologies on your domains at the email gateway and deploying techniques to detect domain misspellings to detect phishing and BEC attacks. Also, ensure there are robust processes in place for approving financial payments via email

  • Educating users – inform the rank and file up to the C-suite on the nature of today’s email attacks
  • Conducting mock phishing exercises against your staff to show employees that phishing attacks are a real threat of which they need to be aware

Latest Trustwave Blogs

Mining Operations: Critical Cybersecurity Threats & Trends Revealed

Cybersecurity professionals often point out that threat actors do not differentiate when choosing a victim. To an attacker, a hospital is as useful a target as a law firm or even a mining operation....

Read More

Phishing: The Grade A Threat to the Education Sector

Phishing is the most common method for an attacker to gain an initial foothold in an educational organization, according to the just released Trustwave SpiderLabs report 2024 Education Threat...

Read More

Unlocking Cyber Resilience: UK’s NCSC Drafts Code of Practice to Elevate Cybersecurity Governance in UK Businesses

In late January, the UK’s National Cyber Security Centre (NCSC) issued the draft of its Code of Practice on Cybersecurity Governance. The document's goal is to raise the profile of cyber issues with...

Read More