When is a Purchase Order NOT a Purchase Order

Incidents of fraudulent orders being placed for goods and services.

We break from the standard hydraulic industry news to help shed some light on a serious issue. Most companies are aware of credit card fraud and what to look out for when receiving orders from person(s) using stolen cards. But what happens when you receive a fraudulent purchase order from a customer you’ve been doing business with for years? Most of us don’t realize that there is a problem until it is too late.

AFS

This incident nearly happened to us a few weeks ago. Our Customer Service Department received a purchase order for products from a long-standing customer with several locations nationally (XYZ Company). At first glance everything seemed to be in order. The documents presented to us were:

  • A purchase order on which the company logo, “bill to” address, formatting and item numbers were correct.
  • An email signature in which the contact name (John Doe), address and company were correct, as well as a phone number with the correct area code.
  • A list of credit references on XYZ Company’s letterhead.

The first item that stood out to us was that the sender’s email domain name was slightly different from our customer’s website domain. This is not uncommon for large companies or those whose domain name is inconveniently long. We searched the sender’s email domain name and found that our customer was not affiliated with it. Second was the order itself. The products ordered were not unusual, but after subsequent communications the order quickly escalated to large quantities per piece. Ordering in bulk often signals that there is an intent to resell the products. We promptly called the number listed in the email and spoke to a person who insisted he was John Doe, but sounded surprised about the phone call.

Using our internal records, we then called XYZ Company and asked to speak to John Doe. The “real” John Doe did in fact work for XYZ Company and when contacted stated that he’d been fielding several inquiries for purchase orders made in his and the company’s name. He also cited a few instances where fraudulent activity had happened in the past. The purchase order we received was fraudulent. With a little research, the perpetrator had brazenly recreated XYZ Company’s email signature line and created a purchase order and credit references using XYZ Company’s logo and letterhead.

After stalling the fraudulent John Doe, we contacted XYZ Company’s security department, a department they had set up to deal with fraudulent activity just like this. They instructed us to terminate all communications with the individual and said that they would report the incident to the proper authorities. We declined the order from the fraud and the matter was closed on our end.

Here’s what the FBI has to say about how it works and how to avoid being a victim.

The scam has several variations, but basically it works like this:

  • The criminals set up fake websites with domain names almost identical to those of real businesses or universities. They do the same for e-mail accounts and also use telephone spoofing techniques to make calls appear to be from the right area codes.
  • Next, the fraudsters—posing as school or business officials—contact a retailer’s customer service center and use social engineering tactics to gather information about the organization’s purchasing account.
  • The criminals then contact the target business and request a quote for products. They use forged documents, complete with letterhead and sometimes even the name of the organization’s actual product manager. They request that the shipments be made on a 30-day credit—and since the real institution often has good credit, vendors usually agree.
  • The criminals provide a U.S. shipping address that might be a warehouse, self-storage facility, or the residence of a victim of an online romance or work-from-home scam. Those at-home victims are directed to re-ship the merchandise to Nigeria and are provided with shipping labels to make the job easy.
  • The vendor eventually bills the real institution and discovers the fraud. By then, the items have been re-shipped overseas, and the retailer must absorb the financial loss.

Businesses can avoid becoming victims of purchase order fraud by being aware of several fraud indicators:

  • Incorrect domain names on websites, e-mails, and purchase orders. The scammers use nearly identical domain names of legitimate organizations, but in the case of a university, for example, if the URL does not end in .edu, it is likely fraudulent.
  • The shipping address on a purchase order is not the same as the business location. Likewise, if the delivery address is a residence or self-storage facility, it should raise red flags.
  • Poorly written e-mail correspondence that contains grammatical errors, suggesting that the message was not written by a fluent English speaker.
  • Phone numbers not associated with the company or university, and numbers that are not answered by a live person.
  • Orders for unusually large quantities of merchandise, with a request to ship priority or overnight.
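
The indicators above can be applied as an automated first-pass check that compares each incoming order with what is already on file for the customer. The following Python is an added example, not code from the FBI or from this post; the customer record, field names, thresholds and `.example` domains are constructed assumptions.

```python
from difflib import SequenceMatcher

# Constructed customer record: what the vendor already has on file.
ON_FILE = {"XYZ Company": {
    "domains": {"xyzcompany.example"},
    "phones": {"+1-555-0100"},
    "ship_to": {"100 Industrial Way, Springfield"},
    "max_qty": 40,  # largest line quantity in past orders (assumed)
}}

def lookalike(domain, known, threshold=0.8):
    """True if domain is not on file but closely resembles one that is."""
    return domain not in known and any(
        SequenceMatcher(None, domain, k).ratio() >= threshold for k in known)

def screen_order(order, records=ON_FILE):
    """Return the indicators an order trips; an empty list means none."""
    rec = records.get(order["customer"])
    if rec is None:
        return ["customer not on file"]
    flags = []
    dom = order["sender_email"].rsplit("@", 1)[-1].strip().lower()
    if dom not in rec["domains"]:
        kind = "lookalike" if lookalike(dom, rec["domains"]) else "unknown"
        flags.append(f"sender domain {dom} is {kind}, not on file")
    if order["phone"] not in rec["phones"]:
        flags.append("phone not on file; call the number in your own records")
    if order["ship_to"] not in rec["ship_to"]:
        flags.append("ship-to address differs from known business locations")
    if max(order["quantities"]) > 3 * rec["max_qty"]:  # assumed multiplier
        rush = " with rush shipping" if order.get("rush_shipping") else ""
        flags.append("quantity far above order history" + rush)
    return flags

# Constructed sample orders: one matching the record, one resembling the scam.
LEGIT = {"customer": "XYZ Company", "sender_email": "jdoe@xyzcompany.example",
         "phone": "+1-555-0100", "ship_to": "100 Industrial Way, Springfield",
         "quantities": [10, 20]}
SUSPECT = {"customer": "XYZ Company", "sender_email": "jdoe@xyz-company.example",
           "phone": "+1-555-0199", "ship_to": "Unit 12, Self Storage, Springfield",
           "quantities": [500], "rush_shipping": True}

if __name__ == "__main__":
    for name, order in (("LEGIT", LEGIT), ("SUSPECT", SUSPECT)):
        print(name, screen_order(order))
```

Any flag is a prompt to verify the order by calling the customer at a number taken from internal records, not from the email or purchase order itself.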

If you are the victim of purchase order fraud, it’s important to contact local law enforcement and the FBI. You should also report the crime to the Internet Complaint Center (IC3). If the fraud is discovered before the goods are shipped to Nigeria, there is a good chance the merchandise can be recovered. More than $1 million worth of merchandise has been recovered, thanks to businesses quickly discovering the fraud.

https://www.fbi.gov/news/stories/purchase-order-scam-leaves-a-trail-of-victims

https://www.ic3.gov/default.aspx

