What Is an RFQ (Request for Quote) Scam?
What is an RFQ scam, and how can it be used to harm your business? An RFQ scam, or request for quote scam, combines high-tech and low-tech techniques to evade standard anti-phishing detection. In fact, 81 percent of organizations worldwide still experience email phishing attacks, despite the widespread use of native email security.
As cyber threats become more sophisticated, they typically rely much more on social engineering (psychological manipulation to trick people into divulging confidential information) than just technology. This is why learning how to identify email scams is crucial in safeguarding your organization from the risks associated with an increasingly digital world.
Today, RFQ scams continue to grow in popularity as targets are more likely to open attachments, click links, or share sensitive information. In this blog, we’ll take a close look at how RFQ scams work and what you can do to protect yourself.
What is an RFQ Scam?
Unlike a request for proposal (RFP) scam, a request for quotation (RFQ) scam is a form of vendor email compromise that impersonates a quote request from a legitimate organization. In an RFQ scam, a fraudster sends a request to order products or asks for a quote by attaching a purchase order as a .pdf document to an email.
In some cases, scammers impersonate government agencies or federal employees to increase validity and trust in the emails.
Attackers commonly use a throwaway email address that looks similar to an external business; however, the domain will be different and registered to a fake account, usually a day before sending the email. In some RFQ fraud schemes, the name and email will be legitimate, but the Reply-To address will contain slight differences and connect directly to the attacker.
RFQ vs. RFP: What’s the Difference?
As stated, an RFQ is a request for a quote, while an RFP is a request for a proposal.
An RFQ assumes that the products and services are already known, and that price is the primary factor. In contrast, an RFP is used to compare vendors and services when determining an appropriate solution. In some cases, a client will send only an RFQ if they want to make a simple purchase instead of preparing for an extended buying process. In other situations, a client might send an RFQ together with an RFP so they have a complete picture before making a decision.
Attackers find it easier to take advantage of RFQs’ simple process and launch threats that capitalize on quick decisions.
How Does an RFQ Attack Work?
Unlike many other phishing attacks, the attachment in an RFQ scam rarely uses malware or malicious links as the main attack vehicle. Instead, the scam attempts to harvest the target’s financial information, such as banking details, via email or over the phone.
Additionally, the scammer will try to pressure the target into shipping the order immediately with promises of payment upon delivery. Unfortunately, in these cases the payment is never made, and the scammer sells the now stolen goods on the black market.
Like most email scams, an RFQ scam evokes a sense of urgency by requesting an immediate shipment or order fulfillment. As a result, there is a higher chance that targets fall into the ‘act now, think later’ mentality and are more likely to fall for the scam instead of questioning the request’s legitimacy.
3 Telltale Signs of an RFQ Scam
Know these key indicators to help spot an RFQ scam.
1. Mismatched email address and phone number
Because an RFQ scam attempts to appear like it’s from a legitimate client or vendor, it can be hard to differentiate a scam from an actual request for a quote. One reliable way to identify an RFQ scam is to check the email address and phone number included in the email.
To verify whether the email is legitimate, look up the business’s publicly listed contact details separately and check them against what is present in the email. You can also follow up with the business by contacting them directly through their official website or phone number, not via the information or links provided in the email.
2. Email domain registered is not consistent with the impersonated party
Many scammers will create a fake domain that appears similar to a legitimate business, with some minor changes. For example, if they want to pose as an international organization, they might include a country abbreviation in the domain name itself, such as “apple-us.com.” However, most multinational companies use the actual suffix of the country, such as .us or .jp.
To get past standard email authentication like SPF, DKIM, and DMARC, scammers will register a real domain just for that RFQ scam. Because the domain is brand new, it is effectively a zero-day for reputation-based defenses: it has never been seen before, so it does not appear in any threat intelligence feed, which many legacy email security tools rely on as their reference.
3. Email design and address flaws
In an attempt to convey authenticity, scammers will often include “official” company logos in their invoice layouts, but these designs don’t exactly replicate legitimate invoices. In addition, as a “spray and pray” tactic, they BCC all recipients rather than addressing the email to a specific person. If even one person responds, the attacker will create a legitimate-looking RFQ in order to trick the target into sharing financial information or other sensitive data.
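The three signs above, plus the Reply-To trick described earlier, can be turned into a simple mail-gateway triage rule. The script below is an added example, not Armorblox product code: it parses a raw message, flags a Reply-To domain that differs from the visible sender, a sender domain that mimics a known vendor with an added suffix (the “apple-us.com” pattern), a domain registered only days ago, and a message with no addressee in To/Cc (everyone BCC’d). The vendor list, the registration dates (a constructed stand-in for a WHOIS/RDAP lookup) and both sample messages are constructed for the example.

```python
"""Heuristic triage of an inbound RFQ email for the red flags discussed above.

Added example, not Armorblox's product code. The registration dates, vendor
list and sample messages are constructed; the domain-age table stands in for
a live WHOIS/RDAP lookup.
"""
from datetime import date
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed stand-in for a WHOIS/RDAP lookup: domain -> registration date.
DOMAIN_CREATED = {
    "acme-supply.example": date(2015, 3, 2),
    "acme-supply-us.example": date(2023, 11, 14),
}

# Vendors this organisation actually does business with (constructed list).
KNOWN_VENDOR_DOMAINS = {"acme-supply.example"}

NEW_DOMAIN_DAYS = 30  # a domain younger than this has no reputation to check
TRIAGE_DATE = date(2023, 11, 21)  # fixed "today" so the example is deterministic


def domain_of(header_value):
    """Lower-cased domain part of a single address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def brand_label(domain):
    """Left-most label, e.g. 'acme-supply' for 'acme-supply.example'."""
    return domain.split(".")[0]


def rfq_red_flags(raw_message, today):
    """Return a list of (code, detail) tuples for the indicators found."""
    msg = message_from_string(raw_message)
    flags = []

    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))

    # Sign 1: replies are routed somewhere other than the visible sender.
    if reply_domain and reply_domain != from_domain:
        flags.append(("reply_to_mismatch",
                      f"From {from_domain} but replies go to {reply_domain}"))

    # Sign 2a: sender domain mimics a known vendor with an added suffix
    # such as '-us', which is not how real country sites are named.
    if from_domain not in KNOWN_VENDOR_DOMAINS:
        mine = brand_label(from_domain)
        for vendor in KNOWN_VENDOR_DOMAINS:
            brand = brand_label(vendor)
            if mine != brand and mine.startswith(brand):
                flags.append(("lookalike_domain",
                              f"{from_domain} resembles {vendor}"))
                break

    # Sign 2b: the sending domain was registered days ago, so it can pass
    # SPF/DKIM/DMARC yet appears in no threat intelligence feed.
    created = DOMAIN_CREATED.get(from_domain)
    if created is not None and (today - created).days < NEW_DOMAIN_DAYS:
        age = (today - created).days
        flags.append(("newly_registered_domain",
                      f"{from_domain} registered {age} days ago"))

    # Sign 3: no named recipient in To/Cc, i.e. everyone was BCC'd.
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = [addr for _, addr in getaddresses(headers) if "@" in addr]
    if not recipients:
        flags.append(("undisclosed_recipients",
                      "no addressee in To/Cc; likely BCC spray"))

    return flags


# Constructed sample messages (not real traffic).
SUSPICIOUS_RFQ = """\
From: "Acme Supply Purchasing" <orders@acme-supply-us.example>
Reply-To: <quotes.acmesupply@webmail-free.example>
To: undisclosed-recipients:;
Subject: URGENT - Request for Quote PO#48213
Date: Tue, 21 Nov 2023 09:14:00 +0000

Please see attached purchase order and ship immediately; payment on delivery.
"""

LEGIT_RFQ = """\
From: "Acme Supply Purchasing" <orders@acme-supply.example>
To: sales@ourcompany.example
Subject: Request for Quote PO#48213
Date: Tue, 21 Nov 2023 09:14:00 +0000

Please quote the attached purchase order at your convenience.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_RFQ), ("legitimate", LEGIT_RFQ)):
        found = rfq_red_flags(raw, TRIAGE_DATE)
        print(f"{name}: {len(found)} indicator(s)")
        for code, detail in found:
            print(f"  {code}: {detail}")
```

None of these checks is conclusive on its own (a real vendor can legitimately use a different Reply-To), which is why the function returns every indicator found rather than a verdict; a gateway rule would typically hold a message for manual verification when two or more fire, and the out-of-band phone or website check described under sign 1 remains the final test.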
Protect Your Company Against RFQ Scams With Armorblox
As the business world continues to digitize, we can expect more types of vendor email compromise scams to pop up. However, with the right email security tools in place, you can protect your organization and human workforce from RFQ scams and other emerging threats.
Armorblox is designed to prevent today’s advanced business email compromise attacks, from vendor email compromise to credential phishing. Our advanced algorithms analyze thousands of data points to quickly identify and stop the most sophisticated email threats, before they cause harm.
To learn more about Armorblox, take a quick product tour below.