A local business is reeling after falling victim to a sophisticated email scam that cost the company more than $250,000.
The scam involved multiple fraudulent purchase orders that appeared to come from a legitimate, well-known company — complete with official-looking logos, professional formatting, and accurate contact information, the company told TLS exclusively.
According to the company, the first order came several weeks ago and looked perfectly legitimate.
The scam continued over the course of several transactions. But eventually, something didn’t sit right.
After doing a quick search online, the business landed on the actual company’s website, where a warning banner was prominently displayed warning customers to verify all new orders by phone before fulfilling them, as there was an ongoing scam where they were being impersonated.
By then, it was too late.
The business had already fulfilled several large orders, shipping out tens of thousands of dollars in merchandise, which was picked up by the scammer via trucks. The total loss is estimated to exceed $250,000.
Local law enforcement has opened an investigation, and the FBI is now involved, due to the scale and complexity of the fraud.
Authorities are urging all businesses, especially vendors that rely heavily on purchase orders and online communication, to verify all orders — especially new or unusually large ones — via independent confirmation methods such as a phone call to a known number, rather than simply replying to the email.
The company, while shaken by the loss, hopes their story will serve as a cautionary tale for others.
“We never imagined something like this could happen to us,” the representative said. “We want other businesses to be aware — trust your gut, double-check everything, and never assume an email is safe just because it looks official.”
Maybe they should share the name of the company the scammers used so others can be cautious.
I got an email today from Postmark containing a big button to confirm they can use my business address to send out emails!!
Was there an actual form of payment? Usually a business will not fulfill an order until the payment is recognized.
Many/most wholesale businesses provide lines of credit and don’t require payment at the time of large orders. The “heimish” way of doing business often relies on “handshake” approaches to deals and doesn’t necessarily include protocols, one example, verifying with the bank before providing credit. Even though it’s not in the culture for very positive reasons, I’m an advocate of frum businesses becoming more interested in the value of official processes. Maybe this story is one more reason.
They probably had net 30 day terms or longer, which is common among suppliers.
Thank you so much for sharing with us this valuable information.
השם ימלא חסרונך
Fire your information security team. This is a very basic technique and a well known scam that is easy to prevent. Too bad cyber insurance will not cover this. Get this very basic protection info from numerous sources. Someone is lax.
I am curious why cyber insurance will not cover this. A large, sophisticated company I know had a similar story (although in their case someone hacked the phone lines and email servers of the customer and confirmed the fraudulent orders) and cyber insurance did cover it. I’m not insurance expert though and you seem pretty confident so I would love to understand this.
IT insurance approves you for IT hacks. If it’s your lack of security or vulnerable business practices such as this; it’s no dice. Read the policy and especially the fine print. Have your lawyer review the policy. I had a case where the client was practically jumping for joy that they would receive a million dollars. We found so many problems with their “normal” business practices including lack of mandatory compliance for their line of business that the insurance company canceled them immediately. The company had to rectify everything themselves at a cost of multiple 5 figure amounts.
This is due to the vulnerable business practices and not hacking.
I bet you would for this scam too. Impersonators make orders from legitime companies. They claim to be from the purchasing department and will provide real financial information. They request a 30 day, and will offer to pickup the goods with their own logistics company.
What is wrong with this world!! It has to do somehow with a total lack of faith and belief in one higher than us.
I have an online business using Shopify and I receive scam emails seemingly from Shopify that look very real. I email them every time to check – Crazy world
Happens daily. Usually Email addresses have something off. LOOK VERY CAREFULLY as I know people that fell for it and got saved by the last second.