You are Such a Hack
Chelsea Meggitt
Government Contracting Guru | Small Business Catalyst | Weapon of Mass Connection
Have you been hacked lately? If you're wondering, you probably have!
There isn't an industry that can escape the unnerving increase in widespread hacks, from finance and infrastructure to home appliances, healthcare, and national defense. Everyone is getting scammed these days. Attacks come from every angle, and tactics continue to adapt to trick even the most tech-savvy users. Hackers are targeting the federal industrial base and federal agencies alike at an alarming and increasing rate.
Just recently, a personal experience highlighted the issue. An email was received from a prime contractor that a client had worked with. It was a request for a quote on a large contract held by the Department of Veterans Affairs, a contract the client had pursued. The email was scrutinized, and the email address was checked to ensure it aligned with the company's format. It appeared legitimate. The email was forwarded to the client, who responded that they were unable to access the attachment and asked if there were any issues with the email. It was suggested that the client reach out to the prime to ensure the legitimacy of the request. It's unclear yet whether the request was legitimate. At the time of writing, input and answers have yet to be received from the prime contractor who supposedly sent it.
These types of situations are becoming more common. Bid opportunities are being sent out to contractors with fraudulent requests for quotes or, in some cases, requests that contractors provide information to update one of the many government portals they're registered in. These scams are becoming harder to detect, which makes avoiding them entirely more difficult. Over the years, several examples of suspicious emails claiming to come directly from government contracting officers or government procurement sites have been seen. In recent examples of these scams working, contractors have been tricked into providing sensitive information or even making payments to fraudulent accounts.
The U.S. Department of Labor appeared to have sent emails to contractors inviting them to bid on DOL projects. The emails were fake and designed to steal account credentials. They included attached PDF documents that looked legitimate and directed recipients to a malicious website mimicking the real DOL site to harvest login information. Similarly, the General Services Administration (GSA) has warned about scammers using spoofed email addresses to solicit fraudulent RFQs for electronic equipment. These emails often use addresses that mimic legitimate government domains like gsa.gov and are hard to distinguish from the real thing.
Phishing campaigns targeting U.S. government contractors aren't new, and it is undoubtedly unnerving to receive an email that appears to be from a trusted customer but is instead impersonating them. These nefarious actors send well-crafted emails that appear to request bids for government projects but are actually seeking to steal Microsoft 365 credentials or other sensitive data in order to gain further access to accounts. Phishing emails like these often bypass secure email gateways and use logos, consistent formatting, and detailed instructions to appear more legitimate.
Attacks on government entities aren't the only ones getting attention. Academic institutions are dealing with the challenge as well. A quick Google search turns up plenty of reports of colleges inadvertently misdirecting funds to criminal accounts rather than to the correct contractor. Critical infrastructure has also been in the spotlight recently. Most American adults likely remember when the Colonial Pipeline hack rocked the East Coast. People were seen filling anything they could with gasoline just to be able to go about daily life as usual.
So, if these are such good fakes, how are you supposed to suss them out?
In addition to complying with the cybersecurity regulations included with or imposed by your contract, every contractor and provider should have robust cybersecurity measures in place so that a scam that lands in an inbox is stopped before it goes any further. Contractors should also look out for the following signs of fraudulent bid activity in emails.
1. Be suspicious of unexpected bid requests from organizations you've never worked with before, especially if they are unsolicited. Independently verify the opportunity.
2. Hover over any links before clicking to see if the URL matches the expected destination. Don't click links to unfamiliar sites.
3. Don't open unexpected attachments, which could contain malware. Legitimate RFPs are often sent via secure portals, not as email attachments.
4. Be cautious of bids that request sensitive information upfront, like bank account numbers to set up payment. Provide this only after verifying the legitimacy of the bid.
5. Watch for unrealistic deadlines or pressure to respond urgently. Scammers often use false urgency to get you to act without properly vetting the opportunity.
6. If you're unsure, contact the issuing organization directly using contact info from their official website, not info provided in the suspicious email.
7. Establish clear processes for handling unsolicited bid opportunities to avoid falling victim to costly scams targeting contractors.
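Several of these checks can be automated as a first-pass triage before a human decides whether to contact the issuing agency. The Python script below is an added example, not part of the original article: it assumes a short list of already-verified government sender domains, takes a constructed sample email (the sender and link hosts are made up), and flags a look-alike sender domain (the gsa.gov mimicry described earlier), a link whose displayed URL hides a different destination, urgency language, and a request for banking details.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Assumption: domains this contractor has already verified as genuine government senders.
TRUSTED_DOMAINS = {"gsa.gov", "dol.gov", "va.gov"}
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|act now)\b", re.I)
SENSITIVE = re.compile(r"\b(bank account|routing number|password|credentials)\b", re.I)
ANCHOR = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample message; the sender and link hosts are made up for this demo.
SAMPLE_EML = """From: Contracting Officer <procurement@gsa-gov.com>
To: bids@contractor.example
Subject: URGENT: RFQ response required within 24 hours
Content-Type: text/html; charset="utf-8"

<p>Submit your quote via <a href="http://portal-login.example/gsa">https://ebuy.gsa.gov</a>.</p>
<p>Provide bank account details immediately so payment can be set up.</p>
"""

def domain_status(domain):
    """'trusted', 'look-alike of <domain>' (e.g. gsa-gov.com vs gsa.gov) or 'unknown'."""
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    squash = lambda d: re.sub(r"[^a-z0-9]", "", d.lower())  # compare ignoring dots/dashes
    for t in TRUSTED_DOMAINS:
        if squash(t) in squash(domain):
            return f"look-alike of {t}"
    return "unknown"

def triage(raw_eml):
    """Return the red flags found in one message; an empty list means none fired."""
    msg = message_from_string(raw_eml, policy=policy.default)
    flags = []
    sender = msg["from"].addresses[0].domain.lower()
    if (status := domain_status(sender)) != "trusted":
        flags.append(f"sender domain {sender}: {status}")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    for href, text in ANCHOR.findall(body):  # crude anchor extraction, enough for a demo
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text.strip()).hostname if text.lstrip().startswith("http") else None
        if text_host and text_host != href_host:  # displayed URL hides a different host
            flags.append(f"link text shows {text_host} but points to {href_host}")
        elif domain_status(href_host) != "trusted":
            flags.append(f"link to untrusted host {href_host}")
    if URGENCY.search(str(msg["subject"]) + " " + body):
        flags.append("urgency language")
    if SENSITIVE.search(body):
        flags.append("requests sensitive data")
    return flags
```

Running `triage(SAMPLE_EML)` on the constructed message returns four flags; a plain-text RFQ from a trusted domain with no urgency or payment language returns none. The look-alike test is a heuristic and will occasionally flag an innocent domain, which is acceptable for a tool whose output is a prompt to verify with the agency directly.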
It's incumbent upon contractors to ensure employees are trained and educated on the warning signs of phishing emails. The increasing sophistication of cyber threats requires constant vigilance and proactive measures from contractors to manage effectively. While staying ahead of the game is challenging, contractors can manage the threat of cyber-attacks by understanding the nature of phishing scams, recognizing red flags, and implementing robust security measures.