The General Services Administration (GSA) Office of Inspector General is aware of scams involving disguised or “spoofed” email addresses that target small businesses and large businesses, including federal contractors registered in SAM.gov.
Scammers falsely claiming to be employees of a federal government agency use such “spoofed” email addresses to solicit fraudulent Requests for Quotations (RFQs). The fraudsters generally seek RFQs for electronic equipment (cell phones, laptops, tablets, and other electronic devices). These “spoofed” emails appear to originate from government email domains, including “.gov” or “.mil”, but have non-government domain extensions such as “.net”, “.org”, or “.com.”
When a U.S.-based business responds to the RFQ, the fraudster replies using an email address that is similar to a legitimate government email address but has a non-government email domain extension. The fraudulent RFQs also appear nearly identical to legitimate RFQs used by federal government agencies, often using the names of real agency officials. However, the fraudulent RFQs have illegitimate contact information, including email addresses and phone numbers that send any correspondence back to the fraudsters and not to any legitimate government entity.
If a business entity responds to the RFQ, the fraudster will accept the quote, provide a fraudulent Purchase Order (PO), and give the business an address to which it can ship the devices. The PO will usually include the “signature” of the federal official, likely copied and photoshopped from publicly available contract files. Payment is usually guaranteed within 30 calendar days of the goods having been received (“Net 30”). The shipping addresses vary, but are typically commercial addresses accessible by the public, such as short-term storage companies, warehouses or freight forwarders. When the U.S.-based business submits an invoice for payment to the affected government agency, the invoice is rejected, or no response is provided to the business because the government agency has no records of the fraudulent procurement. At this stage, the business realizes it has been defrauded.
Elements of the Fraud
- Sending fake quote requests and fake purchase orders. Scammers can gather public information and agency logos from legitimate sources, combine them to make a fake document, and then send it to federal contractors while pretending to be procurement officials from federal agencies, state or local governments, hospitals, or universities.
- Using email addresses designed to trick you. Scammers create fake email addresses which are similar to the legitimate government, university, or hospital email addresses. They could also display a different email address in the “From” header than what they use for the “Reply-To” email address.
- Trying to order things the scammers can easily resell. These items include computers and related equipment, printer toner, projectors/cameras, medical and pharmaceutical equipment, and industrial equipment.
- Instructing victims to ship goods to addresses not connected to the organization they are impersonating.
- Sending email messages which are poorly written, with misspellings and awkward sentence structure.
- Creating a sense of urgency. Scammers may ask you to supply large quantities of product and rush you to ship priority or overnight.
Protect Yourself and Your Company
- Review any unsolicited requests for quote (RFQ) or purchase order (PO) carefully.
- Locate the phone number for the listed procurement official using an independent source. Call them to make sure the RFQ or PO is legitimate.
- Check the email address. Make sure the sender’s domain and the “Reply-To” header both use the correct domain affiliated with the government agency, college, or hospital. You can also hover over the email address in the “From” header without clicking on it to confirm whether it matches the valid domain.
- Search the Internet for the listed delivery address. See if your search returns an address actually affiliated with the agency, university, or hospital. Beware of those addresses that return an individual residence, self-storage facility, virtual office, or shipping and packing store.
- Be suspicious of any purported procurement officials who refuse to communicate by telephone.
- Research the company’s website and contact information and compare it to any unsolicited RFQs or POs received from purported government contractors. Look for anomalies. Also, research the original RFQ and award information between the company and the government and attempt to confirm the authenticity of the RFQ with the procurement official.
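The “From” and “Reply-To” check described above can be run over a saved message before anyone answers an RFQ. The following is an added example, not part of the original alert: the function name, the domain `exampleagency.gov` and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

GOV_SUFFIXES = (".gov", ".mil")

def _domain(header_value):
    """Lower-cased domain of the address in a header value, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""

def _within(domain, expected):
    """True if domain is the expected domain or one of its subdomains."""
    return domain == expected or domain.endswith("." + expected)

def check_rfq_headers(raw_message, expected_domain):
    """Return warnings about the From and Reply-To headers of an RFQ email."""
    msg = message_from_string(raw_message)
    expected = expected_domain.lower()
    agency_label = expected.split(".")[-2]  # 'exampleagency' for exampleagency.gov
    warnings, domains = [], {}
    for header in ("From", "Reply-To"):
        if msg.get(header) is None:
            continue
        dom = domains[header] = _domain(msg[header])
        if _within(dom, expected):
            continue
        if not dom:
            warnings.append(f"{header}: no parsable address")
        elif agency_label in dom:
            # Agency name reused under a different registration or extension
            warnings.append(f"{header}: look-alike domain {dom}")
        elif not dom.endswith(GOV_SUFFIXES):
            warnings.append(f"{header}: non-government domain {dom}")
        else:
            warnings.append(f"{header}: {dom} is not {expected}")
    if "Reply-To" in domains and domains["Reply-To"] != domains.get("From"):
        warnings.append("Reply-To domain differs from From domain")
    return warnings

# Constructed sample messages (not real correspondence).
LEGIT = "From: Jane Doe <jane.doe@exampleagency.gov>\nSubject: RFQ\n\nBody\n"
SPOOFED = ("From: Jane Doe <jane.doe@exampleagency.gov>\n"
           "Reply-To: jane.doe@exampleagency-gov.com\n"
           "Subject: RFQ - 50 laptops, ship overnight\n\nNet 30 terms.\n")
LOOKALIKE = ("From: Contracting Office <rfq@exampleagency.gov.net>\n"
             "Subject: RFQ\n\nBody\n")

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(name, check_rfq_headers(raw, "exampleagency.gov"))
```

An empty result only means the headers name the expected domain. It does not replace calling the procurement official at an independently sourced number.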
If you believe you have been either solicited or victimized by one of these procurement scams, report the incident immediately to the FBI’s Internet Crime Complaint Center at https://www.ic3.gov/default.aspx.
If the scam involved the impersonation of a government agency or official, also report it to that agency’s Office of Inspector General. Go to https://www.ignet.gov/content/inspectors-general-directory for a list of agency Offices of Inspector General and their hotlines.
If you have information about fraud, waste, abuse, mismanagement, or other crimes or violations of federal laws, rules, and regulations relating to GSA programs and operations, including contracts, please report it to the OIG Hotline. You can submit your complaint at https://www.gsaig.gov/hotline.