Attack Spotlight
December 17, 2024
Sublime Security Attack Spotlight: B2B freight-forwarding scams using fake companies and net payment terms.
Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected. These attacks can be prevented with a free Sublime account.
Freight-forwarding scams are an emerging threat in the business world, targeting companies with sophisticated tactics to steal goods worth tens of thousands of dollars – or even entire shipping containers.
As traditional scams like cash transfers and gift card fraud become harder to execute due to stricter measures and better detection, scammers have turned to freight-forwarding fraud as a lucrative alternative. By exploiting the trust and systems of B2B logistics, these fraudsters have refined methods to appear legitimate, leaving suppliers and logistics providers to bear the financial losses.
For this scam to be successful, the scammer needs to 1) create a fake company that can pass as authentic, and 2) have an account with a freight-forwarding company. In addition, they need to understand the vernacular of B2B transactions. This scam can require multiple rounds of communication, and any written missteps can reveal the fraud.
Here’s how the scam works:
To pose as a legitimate buyer, scammers will register lookalike domains, build out a company website that appears in search results, and impersonate business personas (or steal names) to reach their target.
For the domain, they’ll either take an existing trusted domain and append a business signifier (llc, ltd, etc.) to the end (ex: acehardwarellc.com) or make up a name that sounds similar to existing businesses (ex: fairmarketretail.co).
Then they’ll use a template to spin up a site that features the language and pages found on similar, legitimate sites.
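The "trusted name plus business signifier" domain pattern described above can be checked mechanically against the domains you already trade with. The sketch below is an added example, not Sublime's detection logic; the brand table, the signifiers beyond llc and ltd, and the function names are assumptions.

```python
# Added example: flag sender domains built as "<trusted brand> + business signifier".
# "llc" and "ltd" come from the article; the other signifiers are assumptions.
SIGNIFIERS = {"llc", "ltd", "inc", "corp", "co", "group", "usa"}

# Constructed sample data: brand label -> the domain you actually trade with.
KNOWN_BRANDS = {"acehardware": "acehardware.com"}


def registrable_label(domain):
    """Label left of the TLD, hyphens stripped.

    Simplification: the last label is treated as the TLD, so multi-part
    suffixes such as .co.uk need a public-suffix list in real use.
    """
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0].replace("-", "")
    return labels[-2].replace("-", "")


def lookalike_reason(sender_domain, known_brands=KNOWN_BRANDS):
    """Return a reason string if the domain imitates a known brand, else None."""
    domain = sender_domain.lower().rstrip(".")
    # The genuine domain and its subdomains are never lookalikes.
    if any(domain == r or domain.endswith("." + r) for r in known_brands.values()):
        return None
    label = registrable_label(domain)
    for brand, real in known_brands.items():
        if label == brand:
            return f"{brand} on an unexpected TLD (real domain: {real})"
        for sig in SIGNIFIERS:
            # Signifier appended (acehardwarellc) or prepended (llcacehardware).
            if label in (brand + sig, sig + brand):
                return f"{brand} plus signifier '{sig}' (real domain: {real})"
    return None


def sender_domain(address):
    """Domain part of an address such as buyer@example.com."""
    return address.rsplit("@", 1)[-1].strip(" >")


if __name__ == "__main__":
    # Constructed sender addresses; the two lookalike domains are the article's examples.
    for addr in ("orders@acehardwarellc.com", "ap@acehardware.com",
                 "buyer@fairmarketretail.co"):
        print(addr, "->", lookalike_reason(sender_domain(addr)))
```

The made-up-name variant (fairmarketretail.co) returns None here: it imitates no specific brand, so a brand-table check cannot see it and it has to be caught by other signals.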
Scammers then set up accounts with freight-forwarding companies that instruct the forwarder to blindly reship any packages received for their "business" to a different, typically overseas, address.
This provides the scammer with a legitimate initial address that leads to an untraceable final destination. The freight forwarder, following instructions, doesn’t verify the legitimacy of the purchase or the reshipped destination.
The address of the freight-forwarder is then used by the scammer as their business address.
Next, the scammer opens an account with a company that bills on “net” payment terms, which puts a gap between purchase and payment. For example, a net 30 invoice cycle means the bill is due within 30 days after the purchase.
The scammer can then start making large purchases without having to pay up front. By using the right vernacular and mimicking common business purchases, the scammer can continue to make purchases without the target company becoming suspicious.
Goods are shipped to the freight-forwarder and they send the package on to the final destination per agreement. Since payment isn’t due immediately, there’s little suspicion at first.
By the time the payment due date arrives, the scammer has already sold or moved the goods and disappeared, leaving the supplier (and sometimes the freight-forwarder) on the hook for the bill.
At this point, the domain, site, and email infrastructure will be taken down.
With the fraud complete, the scammer can now spin up a new domain, site, and email system to try again. Oftentimes, they will target the same company repeatedly.
Here is an example we’ve seen of this scam being attempted repeatedly against the same company. In this attack, the scammer poses as a buyer from a store that wants to open an account with the target company. In this intro message, they state a goal of buying $15,000 worth of goods to resell at their own online store.
When the Account Services team responds, the scammer provides everything needed to start a new account. Once the account is created, the scammer can expect a level of safety from standard spam filters.
At this point, the scammer is able to place orders within the estimated weekly range without raising suspicions. The scammer will repeat this as many times as they can before being caught by the company. Once caught, they will shut down the current version of the scam and start again with a new fake company and website.
Once a scammer has the correct infrastructure in place, they can quickly spin up a new company to repeat the fraud. This easily recyclable infrastructure, though, is a weak link in their detection evasion strategy.
Sublime's AI-powered detection engine prevents this type of attack. The top signals in this attack were:
Additionally, Sublime’s message grouping functionality lets analysts review similar attacks quickly as scammers pivot.
Sublime detects and prevents freight-forwarding fraud and other email-based threats. Start your free account today, in the cloud or self-hosted, for out-of-the-box coverage for these types of attacks with the ability to customize their handling for your environment.