The FBI has issued an industry alert to warn entities purchasing Personal Protective Equipment (PPE) of business email compromise (BEC) schemes.
As previously reported on Conduit Street, procurement divisions are under heightened levels of stress as they are tasked with delivering PPE, including scarcely available masks, gloves, ventilators, and other needed equipment. The FBI recently issued a press release to warn government and healthcare employees of the various ways people are attempting to carry out scams. Fraudulent vendors are bombarding procurement divisions with email solicitations offering hard-to-get equipment.
From the press release:
BEC schemes often involve the spoofing of a legitimate known email address or use of a nearly identical email address to communicate with a victim to redirect legitimate payments to a bank account controlled by fraudsters. A variation on BEC schemes can involve similar social engineering techniques via phone call.
The FBI warns that several states have paid deposits for PPE materials and have not had their orders fulfilled. The FBI recommends thorough vetting for new vendors as well as the use of domestic escrow accounts to avoid directly transferring deposits prior to receipt of orders.
Risks and recommendations identified by the FBI:
Risk Factors
While pre-payment is more common in the current environment, it substantially increases the risk of a buyer being defrauded and eliminates most potential recourse. The following indicators are warning signs that an offer to sell items may not be legitimate:
- A seller or broker initiates the contact with the buyer, especially from a difficult to verify channel such as telephone or personal email.
- The seller or broker is not an entity with which the buyer has an existing business relationship, or the buyer’s existing business relationships are a matter of public record.
- The seller or broker cannot clearly explain the origin of the items or how they are available given current demand.
- The potential buyer cannot verify with the product manufacturer that the seller is a legitimate distributor or vendor of the product, or otherwise verify the supply chain is legitimate.
- Unexplained urgency to transfer funds or a last minute change in previously-established wiring instructions.
Mitigation Recommendations
The FBI recommends that buyers consider the following recommendations to protect their companies or agencies:
- If the seller claims to represent an entity with an existing relationship to the buyer, verify claims through a known contact—do not contact the vendor through information provided in an email or phone communication.
- If possible, have a trusted independent party verify the items for sale are physically present and of the promised make, model, and quality, and take delivery immediately upon payment.
- If immediate delivery is impossible, route payments to a domestic escrow account to be released to the seller upon receipt of the promised items.
- Verify with the manufacturer or verified distributor that the seller is a legitimate distributor or vendor for the items being offered.
- Be skeptical of last minute changes in wiring instructions or recipient account information—do not re-route payments without independently verifying the direction came from an authorized party.
- Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s email address appears to match who it is coming from.
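The sender check in the last recommendation can be partly automated at the mail gateway or in an accounts-payable workflow. The sketch below is an added example, not part of the FBI alert: it classifies a From: header against a list of vendor domains the buyer already pays, flagging nearly identical domains and display names that claim a known vendor from an unrelated address. The domain list, the 0.85 similarity threshold, and the function names are assumptions made for illustration.

```python
import difflib
from email.utils import parseaddr

# Constructed allow-list: domains of vendors the buyer already pays (assumption).
KNOWN_VENDOR_DOMAINS = {"acme-medical.example", "northwind-supply.example"}

# Digit-for-letter swaps commonly seen in lookalike domains.
_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(domain):
    """Collapse visually confusable spellings to one canonical form."""
    return domain.lower().translate(_SWAPS).replace("rn", "m").replace("vv", "w")


def classify_sender(from_header, known=KNOWN_VENDOR_DOMAINS, threshold=0.85):
    """Return (verdict, vendor_domain) for a raw From: header value."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("invalid", None)
    domain = addr.rpartition("@")[2].lower()
    if domain in known:
        return ("known", domain)
    for good in sorted(known):
        # Nearly identical domain: same skeleton or a very small edit.
        close = difflib.SequenceMatcher(None, domain, good).ratio() >= threshold
        if skeleton(domain) == skeleton(good) or close:
            return ("lookalike", good)
    for good in sorted(known):
        # Display name claims a known vendor but the address is elsewhere;
        # mobile mail clients often show only the display name.
        vendor_name = good.split(".")[0].replace("-", " ")
        if vendor_name in display.lower().replace("-", " "):
            return ("display_mismatch", good)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample headers, not taken from any real message.
    for header in (
        "orders@acme-medical.example",
        "Accounts <ar@acrne-medical.example>",
        '"Acme Medical Billing" <acme.billing@freemail.example>',
    ):
        print(header, "->", classify_sender(header))
```

A "known" verdict only means the domain string matches the list; a forged From: line using the exact vendor address has to be caught by the receiving server's SPF, DKIM and DMARC results, which this sketch does not inspect.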