Purchase Order Fraud – Impersonation scam

Every week we receive orders and quote requests from companies, universities and hospitals all over North America, requesting expensive IT equipment. Great, right? Not really, because these are fraud artists that are trying to lure companies into sending valuable goods to them, and having the bill sent to the institution that they are impersonating.

They will have all the correct logos, all the correct addresses, and the real name of a senior employee at the institution – all information that can be found online or in an annual report. But the email domain will be a lookalike: ucalgary-ca.com instead of the University of Calgary’s real domain, ucalgary.ca. Or they will misspell the domain or add something to it: jlsmithindustries.com, jlsmiths.com or jlsmith.net instead of jlsmith.com.

The criminals will want 30-day terms to pay (as is normal for a large company). This gives them plenty of time to disappear before the real company sends your invoice back and tells you they never ordered anything. The variation is that they offer to pay by credit card and provide a stolen card number. Credit card chargebacks typically take 2 – 4 months to be reported, and the money will be withdrawn directly from your bank account.

If the vendor is unwary enough to go through with the quote, they will receive an official-looking purchase order, complete with company logos and signatures. If they accept the order, when it comes time to deliver the goods, invariably there will be a “new office”, “warehouse” or “client site” to ship to rather than the main company address. That will turn out to be an anonymous mail drop. Alternatively, the scammer will arrange their own shipping on their own account to the real address, and simply redirect the parcel with an address change as soon as it is shipped.

Note: Never let an unfamiliar customer use their own shipping account, and call your own courier companies to set all outgoing parcels to “No redirect” or “No Non-Direct Delivery” for your account. Otherwise the courier company will let the recipient redirect the parcel to an alternate address as long as they have the tracking number (or will allow a neighbor to sign for the package).

Here’s the most recent example

  • The first clue is that you are receiving an order or an RFQ from a company that has never contacted you before, or that is out of your territory. In the example, the fact that we are in Canada and they are in Texas makes it improbable that it is legitimate.
  • Second, they ask for strange combinations of products – network switches and printer paper, for example – or for products that you don’t normally carry or advertise, although the criminals are getting better at paying attention to this.
  • Third, they mention payment terms up front, and/or they want extra-fast delivery, and/or they do not seem concerned about price.
  • Fourth, of course, would be grammatical and spelling errors or stilted language in the email, but that is not reliable, as criminals can hire writers and editors too.
  • In the example above, one tell is the use of an AOL email address. That is sloppy on the part of the criminal: they didn’t bother to set up mailboxes at the phony domain bshwc.com that they registered 39 days ago. No reputable company does business email from a free email service (Gmail, Hotmail, Outlook, AOL, Yahoo, Ymail, etc.).
  • The email may be excessively concerned with proving who they are. Hint: Chief Procurement Officers, or any executive-suite or senior staff, do NOT handle routine requests for quotes.

Crucially, you must check the domain name in the From: and Reply-To: fields of the email headers with Whois to see who it is really registered to, and when it was registered.

Look up the actual company or institution with a Google search to see what its real domain is. If you have any lingering doubt that the request may be real, contact the purchasing department using the contact information on the real website.
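The checks above (lookalike sender domain, free-mail Reply-To, an executive “handling” a routine RFQ, payment terms and an off-site delivery address raised up front, and a freshly registered domain) can be turned into a first-pass screen for inbound quote requests. The script below is an added example written for this page, not code from the original post. The sample message, the list of known-good domains and the 90-day age threshold are constructed for illustration; the domain registration date is passed in as a parameter because it would come from the Whois lookup the post recommends, which this script does not perform.

```python
"""Screen an inbound RFQ e-mail for purchase-order-fraud red flags.

Added example for this page, not the post author's code. All sample data
(KNOWN_GOOD, SAMPLE, the thresholds) is constructed for illustration.
"""
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Free e-mail services a real procurement office would not send a PO from.
FREEMAIL = {"gmail.com", "hotmail.com", "outlook.com", "aol.com",
            "yahoo.com", "ymail.com"}

# Title words in a From: display name that suggest an executive is "handling"
# a routine request for quote (constructed list).
EXEC_TITLES = ("chief", "director", "president")

# Phrases the post names as tells when they appear in the subject or body.
BODY_PHRASES = ("30 day", "urgent", "new office", "new warehouse",
                "client site", "credit card")

# Constructed: real domains of institutions we deal with, taken from their
# real websites, not from the e-mail.
KNOWN_GOOD = {"ucalgary.ca", "jlsmith.com"}

# Constructed sample message modelled on the scam described in the post.
SAMPLE = """From: "Jane Doe, Chief Procurement Officer" <jdoe@ucalgary-ca.com>
Reply-To: procurement.ucalgary@aol.com
Subject: URGENT RFQ - 24 x managed network switches

Please quote 24 managed switches on net 30 day terms and ship to our new warehouse.
"""


def edit_distance(a, b):
    """Plain Levenshtein distance; catches misspelled lookalike labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level(domain):
    """'ucalgary-ca.com' -> 'ucalgary-ca'; 'ucalgary.ca' -> 'ucalgary'."""
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_of(domain, known_good):
    """Return the legitimate domain that `domain` imitates, or None.

    Covers the patterns in the post: same name on a different TLD
    (jlsmith.net), the real name with text added (jlsmithindustries.com,
    ucalgary-ca.com) and small misspellings (jlsmth.com).
    """
    domain = domain.lower()
    if domain in known_good:
        return None
    label = second_level(domain)
    for good in known_good:
        good_label = second_level(good)
        if len(good_label) < 4:  # too short for substring matching to mean much
            continue
        if good_label in label or edit_distance(label, good_label) <= 2:
            return good
    return None


def sender_domains(raw_message):
    """Map header name -> e-mail domain for the From: and Reply-To: headers."""
    msg = message_from_string(raw_message)
    out = {}
    for hdr in ("From", "Reply-To"):
        _, addr = parseaddr(msg.get(hdr, ""))
        if "@" in addr:
            out[hdr] = addr.rsplit("@", 1)[1].lower()
    return out


def red_flags(raw_message, known_good, domain_created=None, today=None,
              min_age_days=90):
    """Return a list of human-readable red flags for one message.

    `domain_created` is the registration date from a Whois lookup done
    separately; `min_age_days` is an assumed threshold.
    """
    msg = message_from_string(raw_message)
    flags = []
    domains = sender_domains(raw_message)
    for hdr, dom in domains.items():
        if dom in FREEMAIL:
            flags.append(f"{hdr} uses free e-mail service {dom}")
        target = lookalike_of(dom, known_good)
        if target:
            flags.append(f"{hdr} domain {dom} is a lookalike of {target}")
    if len(set(domains.values())) > 1:
        flags.append("Reply-To domain differs from From domain")
    display_name = parseaddr(msg.get("From", ""))[0].lower()
    if any(title in display_name for title in EXEC_TITLES):
        flags.append("executive title on a routine RFQ")
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    for phrase in BODY_PHRASES:
        if phrase in text:
            flags.append(f"mentions '{phrase}' up front")
    if domain_created is not None:
        age = ((today or date.today()) - domain_created).days
        if age < min_age_days:
            flags.append(f"sender domain registered only {age} days ago")
    return flags


if __name__ == "__main__":
    # Constructed dates giving the 39-day-old domain from the post's example.
    for flag in red_flags(SAMPLE, KNOWN_GOOD, date(2024, 1, 1), date(2024, 2, 9)):
        print("-", flag)
```

Any hit on the domain checks is reason enough to follow the post's advice and confirm through the contact details on the institution's real website; the body-phrase checks are weaker signals on their own and are there to raise the priority of a manual review, not to decide it.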

If you are like me, you will take the extra time to email the actual company and alert their security and accounting departments to the fraud attempt. They can also take action through the domain name registrar and the domain and mail hosting companies, to take the domain down for criminal activity and for trademark infringement. In the example above I got the domain registrar ENom.com to take down the bshwc.com domain within one day. Not all of them are this responsive.

The University of London has been hit with this so often that it has a page dedicated to the problem. It’s worth a read.
