The FBI, with the Food and Drug Administration Office of Criminal Investigations (FDA OCI), and the US Department of Agriculture (USDA) announced a joint Cybersecurity Advisory to advise the Food & Agriculture sector about recently observed incidents of criminal actors using business email compromise to steal shipments of food products and ingredients valued at hundreds of thousands of dollars.
The hackers spoofed emails and domains to impersonate employees of legitimate companies to order food products. When the company fulfills the order and ships the goods, the criminals fail to pay for the products.
Then, the hackers sometimes repackage the stolen products for individual sale without regard for food safety regulations. And, these products, typically of lesser quality, can damage a company’s reputation.
There are very recent examples of hackers targeting the Food & Agriculture sector.
A US sugar supplier received a request through their web portal for a full truckload of sugar in August. The request contained grammatical errors and purportedly came from a senior officer of a US non-food company.
The sugar supplier identified the email address had an extra letter in the domain name and independently contacted the actual company to verify there was no employee by that name working there.
Also in August, a food distributor received an email purportedly from a multinational snack food and beverage company requesting two full truckloads of powdered milk. The criminal actor used the real name of the chief financial officer of the snack food company but used an email address containing an extra letter in the domain name.
The victim company had to pay their supplier more than $160,000 for the shipment after responding to the fraudulent request.
The US agencies provided a list of recommendations for what Food and Agriculture companies should look for and what to do if they feel a hacker is attempting to steal shipments of food.