Fraudsters impersonated the Department of Homeland Security, the Department of Commerce, the Department of Defense, the Department of Housing and Urban Development, the Department of Justice, the Department of Labor, the Department of Transportation, the Federal Deposit Insurance Corporation, the Securities and Exchange Commission, and the Railway Retirement Board to steal hundreds of thousands of dollars in equipment from suppliers to the US Government.
In an extreme example of phishing, the perpetrators sent RFQs while pretending to be procurement officials from these organizations, using the names and “from” addresses of actual staff. Vendors ended up shipping IT gear to “abandoned commercial property”, including “laptops, cellphones, and hard drives.”
According to the Office of the Inspector-General:
“The RFQs use the name of a legitimate government procurement official but include a phone or fax number associated with the fraudsters. They also use email addresses that spoof U.S. government agencies, with domain names such as “rrb-gov.us.” Alternatively, the email’s From header displays a legitimate government email address, but the Reply-To header is a slightly different, nongovernment email address. In some cases, the fraudsters avoid email and insist on communicating by fax.”
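The two email indicators in that description can be checked mechanically before a quote request reaches a sales team. The following is an added example, not code from the Inspector General or from EdgeworthBox; the function names, the sample messages, the use of rrb.gov as the genuine domain, and the rule that official senders use .gov or .mil domains are assumptions of the sketch.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: genuine US federal senders use .gov or .mil domains.
OFFICIAL_SUFFIXES = (".gov", ".mil")

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower().rstrip(".")

def is_official(domain):
    return domain.endswith(OFFICIAL_SUFFIXES)

def looks_like_gov(domain):
    """True for a non-official domain that carries a 'gov' token, e.g. rrb-gov.us."""
    return not is_official(domain) and "gov" in re.split(r"[.\-]", domain)

def rfq_spoof_indicators(raw_message):
    """List the indicators from the quoted description found in one raw message."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    findings = []
    if looks_like_gov(from_dom):
        findings.append("from-lookalike-domain")
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-differs-from-from")
        if is_official(from_dom) and not is_official(reply_dom):
            findings.append("reply-to-leaves-government-domain")
    return findings

# Constructed sample messages (sender name and vendor address are made up).
LOOKALIKE_FROM = ("From: J Smith <j.smith@rrb-gov.us>\n"
                  "To: sales@vendor.example\n"
                  "Subject: RFQ for laptops\n\nPlease quote.\n")
REPLY_TO_SWAP = ("From: J Smith <j.smith@rrb.gov>\n"
                 "Reply-To: J Smith <j.smith@rrb-gov.us>\n"
                 "Subject: RFQ for hard drives\n\nPlease quote.\n")
CLEAN = ("From: J Smith <j.smith@rrb.gov>\n"
         "Subject: RFQ for cellphones\n\nPlease quote.\n")

if __name__ == "__main__":
    for name, raw in (("lookalike", LOOKALIKE_FROM),
                      ("reply-to swap", REPLY_TO_SWAP), ("clean", CLEAN)):
        print(name, rfq_spoof_indicators(raw))
```

An empty result does not authenticate the sender: the From header itself can be forged, so this check complements SPF, DKIM and DMARC evaluation and a call-back to a phone number obtained independently of the message.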
On the face of it, it is difficult to believe that this kind of online fraud still succeeds. We’re inundated with this stuff at industrial scale.
Yet, sophisticated suppliers still got pulled into this con and their equipment ended up shipped to Nigeria for further resale.
It is even more difficult to believe in the case of government agencies, which are much less likely to solicit RFQs and RFPs directly from vendors than they are to post these requests to government websites.
Corporations and other commercial buyers are much more exposed to this kind of risk, given that they solicit suppliers directly, often by email or fax.
Guess what? Suppliers will price in the risk that they are self-insuring. Is there a risk that this request is from organized crime? Is there a risk that, even if it is from a legitimate source, the supplier’s proprietary information is divulged to its competitors by a government employee? Is there a risk that the RFP has been “wired” for a competitor? Is there a risk that the supplier will spend thousands of dollars on composing a response that turns out to be a false-flag effort to get competitive information?
EdgeworthBox is a simple way to improve the experience for suppliers, even as you lower the risk they need to manage. It’s a secure platform so that your suppliers (and suppliers on the platform whom you hope will become your suppliers) can see that you have posted the RFP or RFQ. Your suppliers can contact you using the platform’s messaging functionality, further verifying the legitimacy of the post. Our “network-based sourcing™” approach combines features from financial markets with a marketplace to make sourcing simpler, fairer, and faster. These include a central clearinghouse for administration, a central clearinghouse for data, and social networking tools. We believe that when buyers make it easy for sellers to give them what they want, everybody is happy. Let’s have a chat. We would love to share with you the lessons we have learned.