Georgia Tech Procurement Assistance Center

Bad bid: Malicious actors target government contractors

September 12, 2019 By Nancy Cleveland

IT personnel working the trenches in the fight against malicious emails know that financial transactions — and the various documents that support and accompany those transactions — provide malicious actors seemingly endless fodder for clever phishing attacks designed to separate legitimate organizations from their money and reputations, as well as their customers, clients, and partners.

Indeed, fake invoices, RFQs, POs, ACH documents, and remittance forms collectively constitute the “social engineering” backbone of innumerable phishing campaigns.  And hapless employees keep falling for them, clicking through malicious links and opening malware-laden attachments — often with nary a thought to the potential consequences — bringing malicious actors and their sophisticated malware inside their employers’ networks.

Over the past few months we have observed the increasing use of yet another type of transaction-based social engineering scheme designed to hook companies dependent on government contracts: the invitation to bid.  In what follows, we’ll take a look at a number of actual phishing emails reported to us by customers using the Phish Alert Button (PAB).

Continue reading at:  SC Magazine

Filed Under: Contracting Tips Tagged With: cyber crime, cybersecurity, fake purchase orders, fake RFQs, phishing

FinCEN reports spike in email scams

July 30, 2019 By Nancy Cleveland

The Financial Crimes Enforcement Network (“FinCEN”) issued an advisory and trend analysis alerting financial institutions to a recent surge in business email compromise (“BEC”) incidents, as reported in suspicious activity reports.  According to FinCEN, these reported attacks climbed from 500 per month in 2016 to over 1,100 per month in 2018, with attempted BEC thefts increasing from $110 million per month in 2016 to $301 million monthly in 2018.

According to the advisory and analysis, a BEC scam typically involves a cyber criminal emailing false invoices or payment instructions to an individual or business while impersonating a supervisor, vendor or other legitimate third party.  Once payment is made, the proceeds are fraudulently directed to a criminal-controlled account.  Sometimes the emails originate from hacked accounts, while at other times, they are made to appear as communications from trusted sources.  Victims can include businesses, government agencies, universities and non-profits, often those that make frequent wire transfers.  Most BEC incidents reportedly involve transfers to domestic accounts in the United States, likely controlled by “money mules.”

Continue reading at:  Mondaq.com

Filed Under: Contracting News Tagged With: fraud, phishing

OIG: Beware of fraud ring scamming equipment by posing as federal buyers

July 25, 2019 By Nancy Cleveland

A transnational fraud ring is specifically targeting America’s federal procurement offices and vendors, according to an alert the Homeland Security Department’s Office of Inspector General issued this week.

Last July, the OIG discovered that members of a ring based in Atlanta, Georgia had posed as a Homeland Security procurement official to get their hands on computer equipment supplied by private vendors.  Diving deeper into the case, the IG found that the fraudsters were also stealing electronic equipment from other agencies including but not limited to the Commerce, Defense, Labor, Justice and Transportation departments.

“Some of the purchase orders identified were for hundreds of thousands of dollars each,” the OIG said.

In their scheme, the phony actors find federal government solicitations for equipment such as hard drives or smartphones, and send fraudulent requests for quotations to federal vendors from across the nation.  Though the RFQs use the legitimate names of procurement officials, the schemers use their own phone and fax numbers and they are also known to spoof government agency email addresses, using domain names such as “rrb-gov.us.”

Continue reading at:  Nextgov

Filed Under: Contracting Tips Tagged With: fraud, Homeland Security, OIG, phishing, spearphishing

Email scam netted $3 million worth of top-secret US military equipment

July 17, 2019 By Nancy Cleveland

Recently released court documents show that con artists convinced a U.S. defense contractor to send them millions of dollars worth of sensitive military equipment.  The equipment was so top-secret that “even a photograph [is] considered controlled.”

The “highly sensitive communications interception equipment” was valued at $3.2 million.  The manufacturer is identified in legal documents only as “Company B,” and is located in Maryland.  The scammers acquired the military equipment by posing as a Navy Contracting Officer named “Daniel Drunz” and sent fake purchase orders to acquire the top-secret technology.

Continue reading the:  Court Documents

Filed Under: Contracting News Tagged With: phishing, scam

Suspicious contract activity proliferates — watch out!

September 18, 2018 By Nancy Cleveland

The Georgia Tech Procurement Assistance Center (GTPAC) continues to become aware of apparent contracting scams designed to trick unsuspecting vendors into delivering products for which they will receive no payment.

(You can view a compendium of articles about previously-identified scams at: https://gtpac.org/?s=scam.)

The latest example that’s come to our attention involves an email sent to vendors asking for a quote on some computer equipment.  The email is supposedly from a contracting representative with the Securities and Exchange Commission.

Vendors are asked to quote on name-brand portable hard drives and two brands of laptop computers.  The solicitation document appears to be a version of the federal Standard Form 1449.  But there are several suspicious elements associated with the solicitation:

  • While the email purportedly is from the SEC’s headquarters, the document indicates that the SEC office is in Germany.
  • Place of delivery is not listed.
  • The solicitation is pre-signed by the contracting officer.
  • The solicitation number is not consistent with standard numbering.
  • The phone number provided could be a cell phone number.

We have seen suspicious documents like this before.  What can result is that a vendor will respond with pricing.  Then, the scam artist will respond by saying that the quote has been accepted and directing that the products be shipped to a particular address.  After that, all communication ceases.  The vendor is cheated out of products (plus the cost of shipping), and receives no payment.

Be alert to scams like this.  If you receive something that looks suspicious, call it to our attention.  We’ll help you figure out what to do.

Filed Under: GTPAC News Tagged With: abuse, alert, corruption, fraud, phishing, scam, spoofing

In doubt? Check with GTPAC!

July 26, 2018 By Nancy Cleveland

Your team at the Georgia Tech Procurement Assistance Center (GTPAC) stands ready to offer you advice about any aspect of government contracting — especially when you have any doubt about the legitimacy of a contract-related service or solicitation.

We’ve published many articles before about government contracting scams (click here to see previous articles), and once again we want to bring another one to your attention.

Just a few days ago, a GTPAC client contacted one of our Counselors and asked about the legitimacy of a request for a quotation he received, supposedly from the Dept. of Defense (DoD).  Once we examined the email and the attachment that our client sent us, we told him to run — not walk — away from it!

Here Are the Details

The email was purportedly from a DoD official soliciting a quote for some laptops and computer drives.

We examined the email and its attachment, including the following:

  • We called the phone number in the email which was answered by a person who didn’t identify himself.  When we asked questions, he said that he’d have the person identified in the email call us back with details.  No one called back.
  • We checked the identity of the person who supposedly sent the email.  The email’s Quote form identified him as Deputy Director for Procurement at AT&L.  We determined that, in reality, he is DoD’s Deputy Director for Earned Value Management.  AT&L (Acquisition, Technology and Logistics) is a unit within DoD that no longer exists; it’s been reorganized into two groups: research and engineering (R&E) and acquisition and sustainment (A&S).  (See details of that reorganization by clicking here.)
  • We also identified the DoD official’s real email address and his actual phone number; they were not the email address or phone number shown in the email and on the Quote form that was sent to our client.
  • We noted that the federal solicitation number shown on the Quote form was not in the correct format, and the Quote form itself was not a form we have ever seen before.
  • The wording of the email was sloppy and unprofessionally prepared.

Based on the above, we advised our client to not respond because we believe this is a probable scam which will lead to an order to ship the products to a bogus shipping address, for which payment will never be received.  We also alerted the appropriate DoD officials of this probable scam.

What You Should Do

It’s as simple as 1-2-3.

  1. Stay alert to possible scams involving government contracting.  There are many scams in circulation literally every day.
  2. Don’t let the temptation of landing a sale overtake your common sense.  If it looks like easy money, it’s probably bogus.
  3. Whenever you are in doubt, contact GTPAC for advice.  We’ll be happy to check things out for you and provide you with our opinion.  It’s as simple as forwarding anything suspicious to us at: gtpacatl@innovate.gatech.edu.

Remember, the GTPAC team is here to help you succeed in the government marketplace!

P.S.:  If your business is located outside the state of Georgia, you can find a procurement technical assistance center (PTAC) by clicking here.

Filed Under: Contracting Tips Tagged With: abuse, cyberattack, cybersecurity, DLA, fraud, grant, grants, Grants.gov, network services, phishing, scam, small business, spoofing

Scam Alert: Malicious e-mail spoofs being sent to vendors

June 11, 2018 By Nancy Cleveland

The Defense Logistics Agency (DLA) is reporting that a fake solicitation is being sent to vendors in the form of a Request for Quotation (RFQ).

The fake email solicitation, purporting to be from DLA, has been targeting GSA STARS II vendors.

The emails are not from DLA.mil.  Instead, they are coming from a “Reply-To” address ending in @dla-mil.us, which is not a government address.

In some cases, “stars2@americanconsultants.com” has been identified to supposedly send messages on behalf of a DLA Contract Specialist — these are also fake.

Some of the bogus emails suggest that vendors use the “stars2” Google Group at https://groups.google.com/a/americanconsultants.com to obtain more information or to unsubscribe from the email communication.  Be advised that “stars2” is not a DLA affiliated group.

Always remain cautious of emails that arrive in your inbox that are not explicitly addressed to you.  Sometimes scammers attempt to hide their actions by addressing their targets in the “bcc” line.

Also, please be aware that the phone number in these recent bogus emails is not a DLA phone number.  In addition, the RFQ form in the email is not an official government form, nor is the signature block legitimate.

DLA’s notice about this matter can be seen here: Vendor Phishing Notice -DLA – 8 June 2018.  The notice shows copies of the bogus emails.

Bottom line: Vendors should always remain vigilant about suspicious emails, and be cautious about opening email attachments.  Questions or comments can be directed to DLA at CERTFusionCell@dla.mil.

In addition, if you ever have a question about the legitimacy of any emails having to do with government contracting opportunities, especially those which solicit a fee, please feel free to contact the Georgia Tech Procurement Assistance Center (GTPAC) for advice.  GTPAC can be emailed at gtpacatl@innovate.gatech.edu.

To read previous articles about scams involving government contracting, visit http://gtpac.org/?s=scam
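The sender-side warning signs described in the OIG alert above (spoofed agency domains such as “rrb-gov.us”) and in this DLA notice (a “Reply-To” ending in @dla-mil.us, targets hidden in the “bcc” line) can be checked mechanically before anyone reads the attachment. The following is an added example, not GTPAC’s or DLA’s code: it parses a raw message with Python’s standard `email` module and reports which of those three indicators fire. The sample messages, the vendor address `quotes@example-vendor.com`, and the indicator names are constructed for this example; the look-alike domains are the ones quoted in the posts.

```python
"""Flag three indicators from the GTPAC/DLA phishing notices in one message:
a Reply-To whose domain differs from the From domain, a "government" look-alike
domain that is not actually .gov or .mil (rrb-gov.us, dla-mil.us), and a
message that never lists the recipient in To/Cc (bcc-style addressing).
Added example; the sample messages and vendor address below are constructed."""
from email import message_from_string
from email.utils import getaddresses

OFFICIAL_TLDS = ("gov", "mil")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_official_domain(domain: str) -> bool:
    """True only when the top-level label really is .gov or .mil."""
    return domain.split(".")[-1] in OFFICIAL_TLDS


def looks_like_gov(domain: str) -> bool:
    """True when a non-official domain borrows 'gov' or 'mil' as a label,
    including inside a hyphenated label: rrb-gov.us, dla-mil.us."""
    if not domain or is_official_domain(domain):
        return False
    labels = domain.replace("-", ".").split(".")
    return any(label in OFFICIAL_TLDS for label in labels)


def phishing_indicators(raw_message: str, our_address: str) -> list:
    """Return the names of the indicators triggered by one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    senders = [addr for _, addr in getaddresses(msg.get_all("From", []))]
    reply_tos = [addr for _, addr in getaddresses(msg.get_all("Reply-To", []))]
    visible = [addr.lower() for _, addr in
               getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    from_domain = domain_of(senders[0]) if senders else ""
    flags = []
    # 1. Replies would go somewhere other than the apparent sender's domain.
    if any(domain_of(rt) and domain_of(rt) != from_domain for rt in reply_tos):
        flags.append("reply-to-domain-mismatch")
    # 2. Either address uses a look-alike of a government domain.
    if any(looks_like_gov(d) for d in {from_domain, *map(domain_of, reply_tos)}):
        flags.append("lookalike-government-domain")
    # 3. We received it but are not named in To/Cc, i.e. we were bcc'd.
    if our_address.lower() not in visible:
        flags.append("recipient-not-in-to-or-cc")
    return flags


# Constructed samples.  The first mimics the DLA notice: a dla.mil From line,
# a dla-mil.us Reply-To, and the vendor hidden in bcc.
FAKE_DLA_RFQ = """\
From: Contract Specialist <specialist@dla.mil>
Reply-To: specialist@dla-mil.us
To: Contract Specialist <specialist@dla-mil.us>
Subject: Request for Quotation - STARS II

Please see the attached RFQ and respond within 24 hours.
"""

# Mimics the OIG alert: the whole From address is on a spoofed rrb-gov.us domain.
FAKE_RRB_RFQ = """\
From: Procurement Official <buyer@rrb-gov.us>
To: Quotes <quotes@example-vendor.com>
Subject: RFQ for hard drives

Quote requested for 50 external hard drives.
"""

# A message with none of the three indicators (constructed, not a real CO).
PLAIN_RFQ = """\
From: Contracting Officer <co@dla.mil>
To: Quotes <quotes@example-vendor.com>
Subject: RFQ 0001

See attached.
"""

if __name__ == "__main__":
    for name, raw in [("fake DLA", FAKE_DLA_RFQ), ("fake RRB", FAKE_RRB_RFQ),
                      ("plain", PLAIN_RFQ)]:
        print(name, phishing_indicators(raw, "quotes@example-vendor.com"))
```

A hit on any of these is a reason to verify the solicitation through the agency’s published contact details rather than the ones in the message, which is exactly the check GTPAC describes doing by hand in the DoD case above; a clean result proves nothing, since a compromised legitimate mailbox passes all three.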

Filed Under: Contracting Tips Tagged With: abuse, cyberattack, cybersecurity, DLA, fraud, network services, phishing, scam, small business, spoofing

Security tips for choosing and using passwords

April 12, 2018 By Nancy Cleveland

You probably use a number of personal identification numbers (PINs), passwords, and passphrases every day: from getting money from the ATM or using your debit card in a store, to logging in to your email or into an online retailer. Keeping track of all of the number, letter, and word combinations may be frustrating at times, but you’ve seen enough news coverage to know that hackers represent a real threat to your information. Often, an attack is not specifically about your account, but about using the access to your information to launch a larger attack.

One of the best ways to protect information or physical property is to ensure that only authorized people have access to it. Verifying that those requesting access are the people they claim to be is the next step. This authentication process is more important and more difficult in the cyber world. Passwords are the most common means of authentication, but only work if they are complex and confidential. Many systems and services have been successfully breached because of insecure and inadequate passwords. Once a system is compromised, it’s open to exploitation by other unwanted sources.

How to choose good passwords

Avoid common mistakes

Most people use passwords that are based on personal information and are easy to remember. However, that also makes it easier for an attacker to crack them. Consider a four-digit PIN. Is yours a combination of the month, day, or year of your birthday? Does it contain your address or phone number? Think about how easy it is to find someone’s birthday or similar information. What about your email password—is it a word that can be found in the dictionary? If so, it may be susceptible to dictionary attacks, which attempt to guess passwords based on common words or phrases.

Although intentionally misspelling a word (“daytt” instead of “date”) may offer some protection against dictionary attacks, an even better method is to rely on a series of words and use memory techniques, or mnemonics, to help you remember how to decode it. For example, instead of the password “hoops,” use “IlTpbb” for “[I] [l]ike [T]o [p]lay [b]asket[b]all.” Using both lowercase and capital letters adds another layer of obscurity. Changing the same example used above to “Il!2pBb.” creates a password very different from any dictionary word.

Length and complexity

The National Institute of Standards and Technology (NIST) has developed specific guidelines for strong passwords. According to NIST guidance, you should consider using the longest password or passphrase permissible (16–64 characters) when you can. For example, “Pattern2baseball#4mYmiemale!” would be a strong password because it has 28 characters. It also includes the upper and lowercase letters, numbers, and special characters. You may need to try different variations of a passphrase—some applications limit the length of passwords, some do not accept spaces or certain special characters. Avoid common phrases, famous quotations, and song lyrics.

Dos and don’ts

Once you’ve come up with a strong, memorable password it’s tempting to reuse it – don’t! Reusing a password, even a strong one, endangers your accounts just as much as using a weak password. If attackers guess your password, they would have access to all of your accounts. Use the following techniques to develop unique passwords for each of your accounts:

  • Do use different passwords on different systems and accounts.
  • Don’t use passwords that are based on personal information that can be easily accessed or guessed.
  • Do use the longest password or passphrase permissible by each password system.
  • Don’t use words that can be found in any dictionary of any language.
  • Do develop mnemonics to remember complex passwords.
  • Do consider using a password manager program to keep track of your passwords. (See more information below.)

How to protect your passwords

Now that you’ve chosen a password that’s easy for you to remember, but difficult for others to guess, you have to make sure not to leave it someplace for people to find. Writing it down and leaving it in your desk, next to your computer, or, worse, taped to your computer, is just making it easy for someone who has physical access to your office. Don’t tell anyone your passwords, and watch for attackers trying to trick you through phone calls or email messages requesting that you reveal your passwords. (See Avoiding Social Engineering and Phishing Attacks for more information.)

Programs called password managers offer the option to create randomly generated passwords for all of your accounts. You then access those strong passwords with a master password. If you use a password manager, remember to use a strong master password.

Password problems can stem from your web browsers’ ability to save passwords and your online sessions in memory. Depending on your web browsers’ settings, anyone with access to your computer may be able to discover all of your passwords and gain access to your information. Always remember to log out when you are using a public computer (at the library, an Internet cafe, or even a shared computer at your office). Avoid using public computers and public Wi-Fi to access sensitive accounts such as banking and email.

There’s no guarantee that these techniques will prevent an attacker from learning your password, but they will make it more difficult.

For more information on passwords, multi-factor authentication, and related password topics, see Supplementing Passwords.

Don’t forget security basics

  • Keep your operating system, browser, and other software up-to-date.
  • Use and maintain anti-virus software and a firewall.
  • Regularly scan your computer for spyware. (Some anti-virus programs incorporate spyware detection.)
  • Use caution with email attachments and untrusted links.
  • Watch for suspicious activity on your accounts.

Source: The National Cybersecurity and Communications Integration Center’s (NCCIC) – https://www.us-cert.gov/ncas

Filed Under: Contracting Tips Tagged With: cyber, cyber crime, cyberattack, cybersecurity, cyberthreat, DHS, password, phishing

Beware of bogus emails supposedly from state contracting offices — and other scams

July 18, 2017 By Nancy Cleveland

We’ve written about this before, and it’s time to repeat our advice:

Watch out for government contract-related scams!

Counselors from the Georgia Tech Procurement Assistance Center (GTPAC) hear from business people every week who tell us about schemes designed to take their money in return for little or nothing of value in their pursuit of government contracts.

One of the latest examples we received actually came from the purchasing office of the State of Oregon warning us to ignore a bogus email that invites vendors to update their contact information in order to receive details on upcoming contract opportunities.  By clicking on the link, vendors would actually be uploading data about their company — such as bank routing information — which would be used for exploitation.

To see our earlier warnings, read these stories:

Georgia Tech purchasing office issues fraud alert, GTPAC warns of other fraud

Bipartisan Senate bill introduced to protect small businesses from contracting fraud

FTC wants to help small businesses spot cyber scams

Beware of Affordable Care Act phishing campaign

Owner of fraudulent Florida FEMA registration firm faces 20 years

Filed Under: Contracting Tips Tagged With: abuse, cybersecurity, fraud, phishing, scam

Beware of Affordable Care Act phishing campaign

January 20, 2015 By ei2admin

The U.S. Computer Emergency Readiness Team (US-CERT) has issued an alert about a phishing campaign purporting to come from a federal government agency. The phishing emails reference the Affordable Care Act in the subject line and claim to direct users to health coverage information, but instead direct them to sites which attempt to elicit private information or install malicious code.

US-CERT encourages users to take the following measures to protect themselves:

  • Do not follow links or download attachments in unsolicited email messages.
  • Maintain up-to-date antivirus software.
  • Refer to the Avoiding Social Engineering and Phishing Attacks Security Tip for additional information on social engineering attacks.

If affected by the campaign, users should report the incident to appropriate parties within their organization and notify US-CERT.

Filed Under: Contracting Tips Tagged With: alert, anti-virus, phishing, social engineering, US-CERT

Copyright © 2023 · Georgia Tech - Enterprise Innovation Institute