Georgia Tech Procurement Assistance Center

Bad bid: Malicious actors target government contractors

By

IT personnel working the trenches in the fight against malicious emails know that financial transactions — and the various documents that support and accompany those transactions — provide malicious actors seemingly endless fodder for clever phishing attacks designed to separate legitimate organizations from their money and reputations, as well as their customers, clients, and partners.

Indeed, fake invoices, RFQs, POs, ACH documents, and remittance forms collectively constitute the “social engineering” backbone of innumerable phishing campaigns.  And hapless employees keep falling for them, clicking through malicious links and opening malware-laden attachments — often with nary a thought to the potential consequences — bringing malicious actors and their sophisticated malware inside their employers’ networks.

Over the past few months we have observed the increasing use of yet another type of transaction-based social engineering scheme designed to hook companies dependent on government contracts: the invitation to bid.  In what follows, we’ll take a look at a number of actual phishing emails reported to us by customers using the Phish Alert Button (PAB).

Continue reading at:  SC Magazine

FinCEN reports spike in email scams

By

The Financial Crimes Enforcement Network (“FinCEN”) issued an advisory and trend analysis alerting financial institutions to a recent surge in business email compromise (“BEC”) incidents, as reported in suspicious activity reports.  According to FinCEN, these reported attacks climbed from 500 per month in 2016 to over 1,100 per month in 2018, with attempted BEC thefts increasing from $110 million per month in 2016 to $301 million monthly in 2018.

According to the advisory and analysis, a BEC scam typically involves a cyber criminal emailing false invoices or payment instructions to an individual or business while impersonating a supervisor, vendor or other legitimate third party.  Once payment is made, the proceeds are fraudulently directed to a criminal-controlled account.  Sometimes the emails originate from hacked accounts, while at other times, they are made to appear as communications from trusted sources.  Victims can include businesses, government agencies, universities and non-profits, often those that make frequent wire transfers.  Most BEC incidents reportedly involve transfers to domestic accounts in the United States, likely controlled by “money mules.”

Continue reading at:  Mondaq.com

OIG: Beware of fraud ring scamming equipment by posing as federal buyers

By

A transnational fraud ring is specifically targeting America’s federal procurement offices and vendors, according to an alert the Homeland Security Department’s Office of Inspector General issued this week.

Last July, the OIG discovered that members of a ring based in Atlanta, Georgia had posed as a Homeland Security procurement official to get their hands on computer equipment supplied by private vendors.  Diving deeper into the case, the IG found that the fraudsters were also stealing electronic equipment from other agencies including but not limited to the Commerce, Defense, Labor, Justice and Transportation departments.

“Some of the purchase orders identified were for hundreds of thousands of dollars each,” the OIG said.

In their scheme, the phony actors find federal government solicitations for equipment such as hard drives or smartphones, and send fraudulent requests for quotations to federal vendors from across the nation.  Though the RFQs use the legitimate names of procurement officials, the schemers use their own phone and fax numbers and they are also known to spoof government agency email addresses, using domain names such as “rrb-gov.us.”

Continue reading at:  Nextgov

Email scam netted $3 million worth of top-secret US military equipment

By

Recently released Court documents show that con artists convinced a U.S. Defense Contractor to send them millions of dollars worth of sensitive military equipment.  The equipment was so top-secret that “even a photograph [is] considered controlled.”

The “highly sensitive communications interception equipment” was valued at $3.2 million.  The manufacturer is identified in legal documents only as “Company B,” and is located in Maryland.  The scammers acquired the military equipment by posing as a Navy Contracting Officer named “Daniel Drunz” and sent fake purchase orders to acquire the top-secret technology.

Continue reading the:  Court Documents

Suspicious contract activity proliferates — watch out!

By

The Georgia Tech Procurement Assistance Center (GTPAC) continues to become aware of apparent contracting scams designed to trick unsuspecting vendors to deliver products for which they will receive no payment.

(You can view a compendium of articles about previously-identified scams at: https://gtpac.org/?s=scam.)

The latest example that’s come to our attention involves an email sent to vendors asking for a quote on some computer equipment.  The email is supposedly from a contracting representative with the Securities and Exchange Commission.

Vendors are asked to quote on name-brand portable hard drives and two brands of laptop computers.  The solicitation document appears to be a version of the federal Standard Form 1449.  But there are several suspicious elements associated with the solicitation:

  • While the email purportedly is from the SEC’s headquarters, the document indicates that the SEC office is in Germany.
  • Place of delivery is not listed.
  • The solicitation is pre-signed by the contracting officer.
  • The solicitation number is not consistent with standard numbering.
  • The phone number provided could be a cell phone number.

We have seen suspicious documents like this before.  What can result is that a vendor will respond with pricing.  Then, the scam artist will respond by saying that the quote has been accepted and directing that the products be shipped to a particular address.  After that, all communication ceases.  The vendor is cheated out of products (plus the cost of shipping), and receives no payment.

Be alert to scams like this.  If you receive something that looks suspicious, call it to our attention.  We’ll help you figure out what to do.

In doubt? Check with GTPAC!

By

Your team at the Georgia Tech Procurement Assistance Center (GTPAC) stands ready to offer you advice about any aspect of government contracting — especially when you have any doubt about the legitimacy of a contract-related service or solicitation.

We’ve published many articles before about government contracting scams (click here to see previous articles), and once again we want to bring another one to your attention.

Just a few days ago, a GTPAC client contacted one of our Counselors and asked about the legitimacy of a request for a quotation he received, supposedly from the Dept. of Defense (DoD).  Once we examined the email and the attachment that our client sent us, we told him to run — not walk — away from it!

Here Are the Details

The email was purportedly from a DoD official soliciting a quote for some laptops and computer drives.

We examined the email and its attachment, including the following:

  • We called the phone number in the email which was answered by a person who didn’t identify himself.  When we asked questions, he said that he’d have the person identified in the email call us back with details.  No one called back.
  • We checked the identity of the person who supposedly sent the email.  The email’s Quote form identified him as Deputy Director for Procurement at AT&L.   We determined that, in reality, he is DoD’s Deputy Director for Earned Value Management.  AT&L (Acquisition, Technology and Logistics) is a unit within DoD that no longer exists; it’s been reorganized into two groups: research and engineering (R&E) and acquisition and sustainment (A&S).  (See details of that reorganization by clicking here.)
  • We also identified the DoD official’s real email address and his actual phone number; they were not the email address or phone number shown in the email and on the Quote form that was sent to our client.
  • We noted that the federal solicitation number shown on the Quote form was not in the correct format, and the Quote form itself was not a form we have ever seen before.
  • The wording of the email was sloppy and unprofessionally prepared.

Based on the above, we advised our client to not respond because we believe this is a probable scam which will lead to an order to ship the products to a bogus shipping address, for which payment will never be received.  We also alerted the appropriate DoD officials of this probable scam.

What You Should Do

It’s as simple as 1-2-3.

  1. Stay alert to possible scams involving government contracting.  There are many scams in circulation literally every day.
  2. Don’t let the temptation of landing a sale overtake your common sense.  If it looks like easy money, it’s probably bogus.
  3. Whenever you are in doubt, contact GTPAC for advice.  We’ll be happy to check things out for you and provide you with our opinion.  It’s as simple as forwarding anything suspicious to us at: gtpacatl@innovate.gatech.edu.

Remember, the GTPAC team is here to help you succeed in the government marketplace!

P.S.:  If your business is located outside the state of Georgia, you can find a procurement technical assistance center (PTAC) by clicking here.

 

Scam Alert: Malicious e-mail spoofs being sent to vendors

By

The Defense Logistics Agency (DLA) is reporting that a fake solicitation is being sent to vendors in the form of a Request for Quotation (RFQ).

The fake email solicitation, purporting to be from DLA, has been targeting GSA STARS II vendors.

The emails are not from DLA.mil.  Instead, they are coming from a “Reply-To” address ending in @dla-mil.us, which is not a government address.

In some cases, “stars2@american consultants.com” has been identified to supposedly send messages on behalf of a DLA Contract Specialist — these are also fake.

Some of the bogus emails suggest that vendors use the “stars2” Google Group at https//groups.google.com/a/americanconsultants.com to obtain more information or to unsubscribe from the email communication.  Be advised that “stars2” is not a DLA affiliated group.

Always remain cautious of emails that arrive in your inbox that are not explicitly addressed to you.  Sometimes scammers attempt to hide their actions by addressing their targets in the “bcc” line.

Also, please be aware that the phone number in these recent bogus emails is not a DLA phone number.  In addition, the RFQ form in the email is not an official government form, nor is the signature block legitimate.

DLA’s notice about this matter can be seen here: Vendor Phishing Notice -DLA – 8 June 2018.  The notice shows copies of the bogus emails.

Bottom line: Vendors should always remain vigilant about suspicious emails, and be cautious about opening email attachments.  Questions or comments can be directed to DLA at CERTFusionCell@dla.mil.

In addition, if you ever have a question about the legitimacy of any emails having to do government contracting opportunities, especially those which solicit a fee, please feel free to contact the Georgia Tech Procurement Assistance Center (GTPAC) for advice.  GTPAC can be emailed at gtpacatl@innovate.gatech.edu.

To read previous articles about scams involving government contracting, visit http://gtpac.org/?s=scam

Security tips for choosing and using passwords

By

You probably use a number of personal identification numbers (PINs), passwords, and passphrases every day: from getting money from the ATM or using your debit card in a store, to logging in to your email or into an online retailer. Keeping track of all of the number, letter, and word combinations may be frustrating at times, but you’ve seen enough news coverage to know that hackers represent a real threat to your information. Often, an attack is not specifically about your account, but about using the access to your information to launch a larger attack.

One of the best ways to protect information or physical property is to ensure that only authorized people have access to it. Verifying that those requesting access are the people they claim to be is the next step. This authentication process is more important and more difficult in the cyber world. Passwords are the most common means of authentication, but only work if they are complex and confidential. Many systems and services have been successfully breached because of insecure and inadequate passwords. Once a system is compromised, it’s open to exploitation by other unwanted sources.

How to choose good passwords

Avoid common mistakes

Most people use passwords that are based on personal information and are easy to remember. However, that also makes it easier for an attacker to crack them. Consider a four-digit PIN. Is yours a combination of the month, day, or year of your birthday? Does it contain your address or phone number? Think about how easy it is to find someone’s birthday or similar information. What about your email password—is it a word that can be found in the dictionary? If so, it may be susceptible to dictionary attacks, which attempt to guess passwords based on common words or phrases.

Although intentionally misspelling a word (“daytt” instead of “date”) may offer some protection against dictionary attacks, an even better method is to rely on a series of words and use memory techniques, or mnemonics, to help you remember how to decode it. For example, instead of the password “hoops,” use “IlTpbb” for “[I] [l]ike [T]o [p]lay [b]asket[b]all.” Using both lowercase and capital letters adds another layer of obscurity. Changing the same example used above to “Il!2pBb.” creates a password very different from any dictionary word.

Length and complexity

The National Institute of Standards and Technology (NIST) has developed specific guidelines for strong passwords. According to NIST guidance, you should  consider using the longest password or passphrase permissible (16–64 characters) when you can. For example, “Pattern2baseball#4mYmiemale!” would be a strong password because it has 28 characters. It also includes the upper and lowercase letters, numbers, and special characters. You may need to try different variations of a passphrase—some applications limit the length of passwords, some do not accept spaces or certain special characters. Avoid common phrases, famous quotations, and song lyrics.

Dos and don’ts

Once you’ve come up with a strong, memorable password it’s tempting to reuse it ­– don’t! Reusing a password, even a strong one, endangers your accounts just as much as using a weak password. If attackers guess your password, they would have access to all of your accounts. Use the following techniques to develop unique passwords for each of your accounts:

  • Do use different passwords on different systems and accounts.
  • Don’t use passwords that are based on personal information that can be easily accessed or guessed.
  • Use the longest password or passphrase permissible by each password system
  • Don’t use words that can be found in any dictionary of any language.
  • Do develop mnemonics to remember complex passwords.
  • Do consider using a password manager program to keep track of your passwords. (See more information below.)

How to protect your passwords

Now that you’ve chosen a password that’s easy for your to remember, but difficult for others to guess, you have to make sure not to leave it someplace for people to find. Writing it down and leaving it in your desk, next to your computer, or, worse, taped to your computer, is just making it easy for someone who has physical access to your office. Don’t tell anyone your passwords, and watch for attackers trying to trick you through phone calls or email messages requesting that you reveal your passwords. (See Avoiding Social Engineering and Phishing Attacks for more information.)

Programs called password managers offer the option to create randomly generated passwords for all of your accounts. You then access those strong passwords with a master password. If you use a password manager, remember to use a strong master password.

Password problems can stem from your web browsers’ ability to save passwords and your online sessions in memory. Depending on your web browsers’ settings, anyone with access to your computer may be able to discover all of your passwords and gain access to your information. Always remember to log out when you are using a public computer (at the library, an Internet cafe, or even a shared computer at your office). Avoid using public computers and public Wi-Fi to access sensitive accounts such as banking and email.

There’s no guarantee that these techniques will prevent an attacker from learning your password, but they will make it more difficult.

For more information on passwords, multi-factor authentication, and related password topics, see Supplementing Passwords.

Don’t forget security basics

  • Keep your operating system, browser, and other software up-to-date.
  • Use and maintain anti-virus software and a firewall.
  • Regularly scan your computer for spyware. (Some anti-virus programs incorporate spyware detection.)
  • Use caution with email attachments and untrusted links.
  • Watch for suspicious activity on your accounts.

Source: The National Cybersecurity and Communications Integration Center’s (NCCIC) – https://www.us-cert.gov/ncas

Beware of bogus emails supposedly from state contracting offices — and other scams

By

We’ve written about this before, and it’s time to repeat our advice:

Watch out for government contract-related scams!

Counselors from the Georgia Tech Procurement Assistance Center (GTPAC) hear from business people every week who tell us about schemes designed to take their money in return for little or nothing of value in their pursuit of government contracts.

One of the latest examples we received actually came from the purchasing office of the State of Oregon warning us to ignore a bogus email that invites vendors to update their contact information in order to receive details on upcoming contract opportunities.  By clicking on the link, vendors would actually be uploading data about their company — such as bank routing information — which would be used for exploitation.

To see our earlier warnings, read these stories:

Georgia Tech purchasing office issues fraud alert, GTPAC warns of other fraud

Bipartisan Senate bill introduced to protect small businesses from contracting fraud

FTC wants to help small businesses spot cyber scams

Beware of Affordable Care Act phishing campaign

Owner of fraudulent Florida FEMA registration firm faces 20 years

Beware of Affordable Care Act phishing campaign

By

The U.S. Computer Emergency Readiness Team (US-CERT) has issued an alert about a phishing campaign purporting to come from a federal government agency. The phishing emails reference the Affordable Care Act in the subject line and claim to direct users to health coverage information, but instead direct them to sites which attempt to elicit private information or install malicious code.

US-CERT encourages users to take the following measures to protect themselves:

  • Do not follow links or download attachments in unsolicited email messages.
  • Maintain up-to-date antivirus software.
  • Refer to the Avoiding Social Engineering and Phishing Attacks Security Tip for additional information on social engineering attacks.

If affected by the campaign, users should report the incident to appropriate parties within their organization and notify US-CERT.

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More