Sublime Security Attack Spotlight: B2B freight-forwarding scams using fake companies and net payment terms.

Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected. These attacks can be prevented with a free Sublime account.

Freight-forwarding scams are an emerging threat in the business world, targeting companies with sophisticated tactics to steal goods worth tens of thousands of dollars – or even entire shipping containers.

As traditional scams like cash transfers and gift card fraud become harder to execute due to stricter measures and better detection, scammers have turned to freight-forwarding fraud as a lucrative alternative. By exploiting the trust and systems of B2B logistics, these fraudsters have refined methods to appear legitimate, leaving suppliers and logistics providers to bear the financial losses.

Anatomy of freight-forwarding fraud

For this scam to be successful, the scammer needs to 1) create a fake company that can pass as authentic, and 2) have an account with a freight-forwarding company. In addition, they need to understand the vernacular of B2B transactions. This scam can require multiple rounds of communication, and any written missteps can reveal the fraud.

Here’s how the scam works:

1. Set up a fake company

To pose as a legitimate buyer, scammers will register lookalike domains, build out a company website that appears in search results, and impersonate business personas (or steal names) to reach their target.

For the domain, they’ll either take an existing trusted domain and append a business signifier (llc, ltd, etc.) to the end (ex: acehardwarellc.com) or make up a name that sounds similar to existing businesses (ex: fairmarketretail.co).

Then they’ll use a template to spin up a site that features the language and pages found on similar, legitimate sites.

2. Open accounts with freight-forwarding companies

Scammers then set up accounts with freight-forwarding companies that instruct the forwarder to blindly reship any packages received for their "business" to a different, typically overseas, address.

This provides the scammer with a legitimate initial address that leads to an untraceable final destination. The freight forwarder, following instructions, doesn’t verify the legitimacy of the purchase or the reshipped destination.

The address of the freight-forwarder is then used by the scammer as their business address.

3. Place orders in “net” payment terms

Now the scammer will open an account with a company that bills on “net” payment terms, which puts a gap between purchase and payment. For example, a net 30 invoice cycle means the bill is due within 30 days after the purchase.

The scammer can then start making large purchases without having to pay up front. By using the right vernacular and mimicking common business purchases, the scammer can continue to make purchases without the target company becoming suspicious.

4. Run the scam until the bill arrives

Goods are shipped to the freight-forwarder and they send the package on to the final destination per agreement. Since payment isn’t due immediately, there’s little suspicion at first.

By the time the payment due date arrives, the scammer has already sold or moved the goods and disappeared, leaving the supplier (and sometimes the freight-forwarder) on the hook for the bill.

At this point, the domain, site, and email infrastructure will be taken down.

5. Scam over, start again

With the fraud complete, the scammer can now spin up a new domain, site, and email system to try again. Oftentimes, they will target the same company repeatedly.

Freight-forwarding fraud in the wild

Here is an example we’ve seen of this scam being attempted repeatedly against the same company. In this attack, the scammer poses as a buyer from a store that wants to open an account with the target company. In this intro message, they state a goal of buying $15,000 worth of goods to resell at their own online store.

Introductory email to open an account (URL redacted)
Fake company website

When the Account Services team responds, the scammer provides everything needed to start a new account. Once the account is created, the scammer can expect a level of safety from standard spam filters.

Information required to open an account (address redacted)

At this point, the scammer is able to place orders within the estimated weekly range without raising suspicions. The scammer will repeat this as many times as they can before being caught by the company. Once caught, they will shut down the current version of the scam and start again with a new fake company and website.

The scammer starts again with a new fake company (note the fake name).

Once a scammer has the correct infrastructure in place, they can quickly spin up a new company to repeat the fraud. This easily recyclable infrastructure, though, is a weak link in their detection evasion strategy.

Detection signals

Sublime's AI-powered detection engine prevents this type of attack. The top signals in this attack were:

  • Fraud language: The email body contains wording that mentions an automated system or authoritative figure, a common tactic used in credential phishing attacks or other scams.
  • Authoritative display name: The sender's display name resembles that of an automated system or authoritative figure, a common tactic used in credential phishing attacks or other scams.
  • Unusual sender domain: The sender's domain doesn't match any link domains found in the body of the message.
  • Suspicious sender behavior: The recipient has never communicated with the sender.

Additionally, Sublime’s message grouping functionality lets analysts review similar attacks quickly as scammers pivot.
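
The sketch below is an added example, not Sublime's detection logic or code from the original post. It checks one message for the appended-signifier lookalike pattern from step 1 and for the "Unusual sender domain" and "Suspicious sender behavior" signals listed above. The function names, the suffix list, the trusted-domain set and the sample message are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Business signifiers appended to a trusted name (this list is an assumption).
SUFFIXES = ("llc", "ltd", "inc", "corp", "co", "group")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def root_domain(host):
    """Naive registrable domain: last two labels (ignores multi-part TLDs like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def name_of(domain):
    """Leftmost label of the root domain, hyphens removed."""
    return root_domain(domain).split(".")[0].replace("-", "")

def lookalike_of(domain, trusted):
    """Return the trusted domain whose name plus a signifier equals this domain's name."""
    for t in sorted(trusted):
        if root_domain(domain) != root_domain(t) and any(
                name_of(domain) == name_of(t) + s for s in SUFFIXES):
            return t
    return None

def score_message(raw, trusted, known_senders):
    """List which signals fire on one single-part, plain-text RFC 5322 message."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1].lower()
    sender_dom = root_domain(addr.rsplit("@", 1)[-1])
    link_doms = {root_domain(h) for h in URL_RE.findall(msg.get_payload())}
    signals = []
    if lookalike_of(sender_dom, trusted):
        signals.append("lookalike_domain")       # step 1: trusted name + llc/ltd/...
    if link_doms and sender_dom not in link_doms:
        signals.append("sender_link_mismatch")   # "Unusual sender domain"
    if addr not in known_senders:
        signals.append("first_time_sender")      # "Suspicious sender behavior"
    return signals

# Constructed sample message; every domain in it is a placeholder.
SAMPLE = """From: Purchasing <orders@northwindtoolsllc.example>
To: accounts@supplier.example
Subject: New account request

We would like to open an account and buy $15,000 of goods on net 30 terms.
Our store: https://shop.nw-retail.example/about
"""

if __name__ == "__main__":
    print(score_message(SAMPLE, {"northwindtools.example"}, set()))
```

The lookalike check only catches the "trusted name plus signifier" pattern; an invented name such as the article's fairmarketretail.co passes it and has to be caught by the other signals.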

Prevent freight-forwarding fraud with Sublime

Sublime detects and prevents freight-forwarding fraud and other email-based threats. Start your free account today, in the cloud or self-hosted, for out-of-the-box coverage for these types of attacks with the ability to customize their handling for your environment.

About the Author

Sam Scholten

Detection

Sam is the Head of Detection at Sublime. Prior to Sublime, he was a Staff Email Security Researcher at Proofpoint where he developed a business email compromise (BEC) taxonomy and formulated key detection methodologies and rules.
