Purchase order scam targeting university suppliers

Several universities have issued warnings to their suppliers about an ongoing purchasing scam that originates via email.

Salted Hash has obtained a copy of a warning letter from Boston College addressed to all of their suppliers. In it, the university says that emails claiming to be from the school are requesting product quotes for merchandise and paying for them with fake purchase orders (POs). After the scam is complete, the supplier is left without both product and payment, while the criminals go on about their business.

Digging deeper, the Hash started looking for other schools that may have been leveraged in similar scams. Going back as far as May 2013, Ohio State University, Penn State University, UC Davis, Texas A&M, UNLV, and Wellesley College have all issued warnings to their suppliers after scammers attempted to forge PO requests.

In each case, the scam is the same. A poorly written email message, "with misspellings and awkward sentence structure," is sent to the supplier. With the initial contact, the scammers start requesting quotes on volume purchases for "highly resalable items such as cameras, projectors and other audio/video equipment."

The emails will often request that items be delivered to addresses that are not associated with the school in question, and they often originate from email accounts that are unrelated to the university. These red flags should be enough to discourage the supplier from moving forward. However, that doesn't seem to be the case, because if no one were fooled, such warnings wouldn't be needed.

Once the criminals have their quote, they'll request the items and start the process of paying with a PO. According to the universities, the false PO documentation may use logos or other images in an attempt to look legitimate. Once the crooks have their merchandise, they resell it for a quick turnaround.

Moreover, if the supplier were to demand a credit application or a tax exempt statement, the scammers will not provide one, Texas A&M's warning said, "and will reply with a statement similar to 'as an educational entity all you need is a purchase order'."

Each of the universities that issued a warning encouraged suppliers to call the school directly with any questions, or if a request seems suspicious. Based on the information available online, the scam started last summer and is ongoing.

The Hash has reached out to some of the schools for additional details. This post will be updated with new information as it becomes available.

Additional details:

Wellesley College


Texas A&M

UC Davis

Penn State University

Ohio State University

Copyright © 2014 IDG Communications, Inc.
