- A fraud ring based in Atlanta has been exploiting the federal government procurement process to trick technology vendors into sending shipments of laptops, cellphones and hard drives to abandoned commercial property, according to an alert released last month by the Department of Homeland Security (DHS) watchdog.
- The fraudsters faxed or emailed fake requests for quotations (RFQ) to vendors around the country, ordered and received the items, and never sent payment to the vendor. "Some of the purchase orders identified were for hundreds of thousands of dollars each," DHS said.
- The stolen merchandise was then sold on the black market either in the U.S. or Nigeria, the DHS Office of Inspector General (OIG) explained in its release.
The fraud scheme required the ring to impersonate federal employees. A DHS investigation found it was targeting multiple agencies, including DHS, the departments of Commerce, Defense, Housing and Urban Development, Justice, Labor and Transportation; the Federal Deposit Insurance Corporation; the Securities and Exchange Commission; and the Railway Retirement Board, the alert said.
The RFQs used the names of real federal employees, and the email's From address was a real government address. The Reply-To address, however, was slightly modified so that replies went straight to the fraudsters, using domain names similar to those of federal agencies, like "rrb-gov.us," DHS said.
DHS outlined various prevention measures for vendors to avoid similar ploys. These include only responding to RFQs when the sender has a .gov address in the From and Reply-To headers, being wary of procurement professionals who won't communicate via email and prefer fax, and independently obtaining the phone number for the named procurement official and verifying the legitimacy of the RFQ.
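The header check DHS recommends can be run automatically before anyone replies to an RFQ. The sketch below is an added example, not part of the DHS alert or the original article; the sample message, the `agency.gov` address and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a real-looking .gov From with a lookalike Reply-To,
# the pattern described in the alert. Names and the agency.gov address are made up.
SAMPLE_RFQ = """\
From: "Jane Doe" <jane.doe@agency.gov>
Reply-To: "Jane Doe" <jane.doe@rrb-gov.us>
Subject: Request for Quotation

Please quote 200 laptops, net 30 terms.
"""

def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rpartition("@")[2].strip().lower().rstrip(".")

def is_gov(domain):
    """True only when .gov is the top-level domain (rrb-gov.us fails)."""
    return domain.endswith(".gov")

def check_rfq_headers(raw_message):
    """Return a list of findings; an empty list means the header checks passed."""
    msg = message_from_string(raw_message)
    from_addrs = [a for _, a in getaddresses(msg.get_all("From", [])) if a]
    reply_addrs = [a for _, a in getaddresses(msg.get_all("Reply-To", [])) if a]
    findings = []
    if not from_addrs:
        findings.append("no From address present")
    # DHS advice: both From and Reply-To must be .gov addresses.
    for header, addrs in (("From", from_addrs), ("Reply-To", reply_addrs)):
        for addr in addrs:
            if not is_gov(domain_of(addr)):
                findings.append(f"{header} domain {domain_of(addr)} is not under .gov")
    # A Reply-To that leaves the sender's domain redirects the conversation.
    from_domains = {domain_of(a) for a in from_addrs}
    for addr in reply_addrs:
        if domain_of(addr) not in from_domains:
            findings.append(f"Reply-To domain {domain_of(addr)} differs from From domain")
    return findings

if __name__ == "__main__":
    for finding in check_rfq_headers(SAMPLE_RFQ):
        print("FLAG:", finding)
```

A message that passes these checks is not thereby verified, since the From header itself can be forged; the independent phone call to the named procurement official still applies.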
Similar scams have also posed as private businesses looking to trick other companies with a phony request for proposal. The Better Business Bureau (BBB) sent out an alert this week about just such a hoax. In some versions of the trick the linked PDF will be infected with malware, according to BBB.
"Just because an email looks real, doesn't mean it is," BBB suggested. "Scammers can fake anything from a company logo to the 'Sent' email address."
This story was first published in our weekly newsletter, Supply Chain Dive: Procurement.