Purchase order scams now targeting construction suppliers

Same scam as before, but with new targets

binary hard drive storage disk

Earlier this year, Salted Hash reported on a wave of purchase order scams targeting university suppliers. Recently, scammers have expanded their scheme by targeting industrial construction contractors and their suppliers.

Salted Hash was alerted to the most recent version of the purchase order (PO) scam by KGC Inc., an industrial and commercial construction company in Garden Grove, California.

Over the last month, scammers have used KGC's corporate information, which is posted publicly on the company's domain, to generate PO requests for various supplies.

Using email as the primary method of communication, or in some cases a phone, the scammers will attempt to get a quote for products from a given vendor. Once the quote is delivered, the scammers will either develop a PO, or forge an existing one, and have the vendor ship the products.

Most of the POs use Net-30 as the payment terms, meaning there's a 30-day window to pay for the product, leaving plenty of time for the scammers to get away with their crime. Otherwise, they'll use a credit card (stolen) to pay for the items directly.

As was the case with the PO scam targeting universities, scams targeting contractors and their suppliers are nothing new. One of the fake KGC POs went to Data Weighing Systems Inc., a vendor that specializes in weighing and force measuring equipment.

The scammers had requested ten items, totaling $25,310, and signed the PO under KGC's project manager's name. By all accounts, the PO and the request itself looked legitimate. The only thing that prevented such an expensive loss was an attention to detail.

The shipping address listed on the submitted PO didn't match KGC's address, so Data Weighing Systems called to follow-up. As it turns out, the address listed on the PO is a small, rundown house in South Carolina, nowhere near KGC's offices in California.

David Hussar, President of Data Weighing Systems, spoke to Salted Hash and confirmed the scam impacting KGC. In addition, he shared additional details, including the fact that vendors are on their own for the most part when it comes to dealing with these events.

PO scams are a huge problem for companies like Hussar's. As mentioned, most orders are done via email or phone, and the scammers use a stolen credit card to pay.

When that happens, the banks will protect the consumer (or company) that had their card used fraudulently, but the vendor that shipped the product is likely to take a hit – both financially and on product. Even if the vendor offers credit to the scammers, such as payment terms of Net-30, the loss is just as bad.

Therefore, it's up to the vendor to check orders and vet them.

Such order vetting is what saved Data Weighing Systems from losing $6,000 worth of product recently. Scammers managed to get an order though the first set of checks via email. When it came time to pay, the scammers emailed the credit card details and the order was placed.

However, it was an abnormally large order, and it was for products that are hardly ever purchased, let alone in such volume. So when the service manager investigated, they were able to catch the fraud and recover the products while in transit to Arizona.

When it comes to the scams targeting universities, the products that are ordered can be easily resold through a number of channels. The school orders often focus on equipment (laptops, monitors, drives), clothes, office products, etc. These items can be sold to anyone, almost anywhere.

As for supplies like scales and industrial testing equipment, their use and ability to move them is somewhat limited. Scales like those sold by Data Weighing Systems, have many legitimate uses in the construction world, as well a automotive, pharmaceutical, and food an beverage industries.

However, such equipment can also be used to support drug sales and manufacturing operations. So they're a target to criminals selling to or supporting such enterprises. Items like these can be resold through various online storefronts, or they can be shipped overseas where availability isn't as large, and a premium is placed on their quality.

The key to success for these scams however, is drop shipping.

Scammers behind these PO schemes will often use people who answered a work-at-home offer in the paper or online.

Once established, the scammers will ship these fraudulently obtained items to their homes - offering to pay them an acceptance fee, or reimburse them for charges incurred (plus a small commission) as they forward the packages on to another location.

Either way, the "employees" are left holding the bag and are often placed in the center of criminal investigations when things go sour.

As far as the vendors are concerned, the large ones will see these types of fraud as the cost of doing business and move on.

The others are forced into a position of being hyperaware, because that's the only protection they've got. However, some scams are easy to spot, especially when the scammers ask if the company will "ship with America States?"

For the record, that quote appeared in two of the emails KGC sent to Salted Hash as examples of recent scams. This suggests that the same person is likely responsible for both of them. However, as far as emailed orders or quote requests are concerned, grammatical errors such as this could act as a clear warning sign that something is off.

When it comes to the scammers themselves, it's a numbers game. Eventually, after enough failed attempts, someone somewhere will send them free product and they'll turn it around for a quick profit.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.