October 27, 2014

Cyber Crime

Purchase Order Scam Leaves a Trail of Victims

Fake Purchase Order scam e-mail

Nigerian criminals behind purchase order frauds use fake or stolen e-mail addresses to deceive retailers. They also dupe individuals who are the victims of online romance or work from home scams to re-ship merchandise out of the country, as seen above.

What began as a scheme to defraud office supply stores has evolved into more ambitious crimes that have cost retailers around the country millions of dollars—and the Nigerian cyber criminals behind the fraud have also turned at-home Internet users into unsuspecting accomplices.

FBI investigators are calling it purchase order fraud, and the perpetrators are extremely skillful. Through online and telephone social engineering techniques, the fraudsters trick retailers into believing they are from legitimate businesses and academic institutions and want to order merchandise. The retailers believe they are filling requests for established customers, but the goods end up being shipped elsewhere—often to the unsuspecting at-home Internet users, who are then duped into re-shipping the merchandise to Nigeria.

“They order large quantities of items such as laptops and hard drives,” said Special Agent Joanne Altenburg, who has been investigating the cyber criminals since 2012 out of our Washington Field Office. “They have also ordered expensive and very specialized equipment, such as centrifuges and other medical and pharmaceutical items.”

Our investigators have found more than 85 companies and universities nationwide whose identities were used to perpetrate the scheme. Approximately 400 actual or attempted incidents have targeted some 250 vendors, and nearly $5 million has been lost so far.

The scam has several variations, but basically it works like this:

  • The criminals set up fake websites with domain names almost identical to those of real businesses or universities. They do the same for e-mail accounts and also use telephone spoofing techniques to make calls appear to be from the right area codes.
  • Next, the fraudsters—posing as school or business officials—contact a retailer’s customer service center and use social engineering tactics to gather information about the organization’s purchasing account.
  • The criminals then contact the target business and request a quote for products. They use forged documents, complete with letterhead and sometimes even the name of the organization’s actual product manager. They request that the shipments be made on a 30-day credit—and since the real institution often has good credit, vendors usually agree.
  • The criminals provide a U.S. shipping address that might be a warehouse, self-storage facility, or the residence of a victim of an online romance or work-from-home scam (see sidebar). Those at-home victims are directed to re-ship the merchandise to Nigeria and are provided with shipping labels to make the job easy.
  • The vendor eventually bills the real institution and discovers the fraud. By then, the items have been re-shipped overseas, and the retailer must absorb the financial loss.

“Once the merchandise has been shipped to Nigeria, it is nearly impossible to get it back,” Altenburg said. “Small and mid-size businesses and universities are being targeted all over the country.”

Although the cyber criminals are practiced at deception, there are ways to spot the fraud, according to Special Agent Paula Ebersole in our Washington Field Office. “The most important thing is to independently verify shipping addresses,” she said, “no matter how legitimate a website or e-mail looks.”

Businesses should also be on the lookout for e-mails that contain unusual phrases or spellings, indicating that messages were not written by a fluent English speaker. And bogus phone numbers provided by the fraudsters are rarely answered by a live person. “That should raise a red flag,” Ebersole said.

“If your business has been scammed,” she added, “time is of the essence. If you report the theft to local authorities or the FBI before the merchandise is shipped out of the country, there is a chance the items can be located and returned.”

In addition to investigating these crimes, Ebersole and Altenburg are also getting the word out to the business community about purchase order fraud through the Domestic Security Alliance Council, a security and intelligence-sharing initiative between the FBI, the Department of Homeland Security, and the private sector. “We want to make everyone aware of this potential threat,” Ebersole said.

At-Home Victims

E-mail and Internet ads offering lucrative work-from-home jobs are everywhere online, and so are match-making websites. But many online offers of employment and romance are scams—and those who fall for them might end up helping African cyber criminals carry out purchase order fraud.

“These criminals are experts at posing as an employer or romantic interest online,” said Special Agent Joanne Altenburg. “They gain the trust of individuals looking for work or a romantic relationship, and after a period of social engineering, those individuals are convinced to serve as re-shippers on behalf of the subject. They almost never suspect they are doing anything illegal.”

These secondary victims agree to accept packages sent directly to them and then re-ship them overseas, thinking it is either part of their job or they are doing a favor for their romantic interest. “A lot of these people don’t believe it when I tell them they are being scammed,” Altenburg said. “The criminals are very good at what they do.”

Indicators of Fraud

Businesses can avoid becoming victims of purchase order fraud by being aware of several fraud indicators:

  • Incorrect domain names on websites, e-mails, and purchase orders. The scammers use nearly identical domain names of legitimate organizations, but in the case of a university, for example, if the URL does not end in .edu, it is likely fraudulent.
  • The shipping address on a purchase order is not the same as the business location. Likewise, if the delivery address is a residence or self-storage facility, it should raise red flags.
  • Poorly written e-mail correspondence that contains grammatical errors, suggesting that the message was not written by a fluent English speaker.
  • Phone numbers not associated with the company or university, and numbers that are not answered by a live person.
  • Orders for unusually large quantities of merchandise, with a request to ship priority or overnight.

If you are the victim of purchase order fraud, it’s important to contact local law enforcement and the FBI. You should also report the crime to the Internet Complaint Center (IC3). If the fraud is discovered before the goods are shipped to Nigeria, there is a good chance the merchandise can be recovered. More than $1 million worth of merchandise has been recovered, thanks to businesses quickly discovering the fraud. More on IC3.