A sophisticated and widespread Request for Quote (RFQ) scam using net financing terms has been uncovered by threat researchers.
The scam targets businesses with fake procurement requests to fraudulently obtain high-value electronics, medical devices and other goods.
According to an advisory published by Proofpoint on Monday, the scam relies on the use of common net payment options, such as Net 15, 30 or 45 days, to request goods on credit.
Posing as legitimate procurement agents from real companies, attackers use stolen or publicly available data, including employer identification numbers (EINs) and DUNS numbers, to support fraudulent financing applications.
The tactic begins with a seemingly routine RFQ email, often sent from lookalike domains or free email accounts. These messages typically list specialized, high-demand items such as:
If the target agrees to the terms, the scammers provide supporting business documentation to speed up the credit approval. Shipping addresses are often withheld until approval, as attackers coordinate with mules or freight forwarders, many of which specialize in shipments to West African nations like Nigeria and Ghana.
Read more on freight forwarding and cybercrime: US Shipping Giant Loses $7.5m in Ransomware Attack
In some cases, threat actors rent warehouses across the US or use residential addresses to receive stolen shipments. These addresses may belong to unsuspecting individuals, willing accomplices or scam victims turned intermediaries.
Direct Engagement and Mitigation Steps
To understand the attack chain, Proofpoint researchers directly engaged with multiple scam clusters by posing as suppliers with lenient finance policies. Their findings revealed a clear post-approval process that included expedited shipping requests, partial order deliveries and the use of fake documents to facilitate the fraud.
Proofpoint’s Takedown Team disrupted the scam’s infrastructure by deactivating 19 malicious domains and intercepting fraudulent packages through coordination with US shipping companies.
In many cases, actors either abandoned conversations or quickly switched to new domains to continue their schemes.
Organizations can reduce risk by staying alert to these red flags:
-
Urgent requests for net financing from unfamiliar senders
-
Shipping to residential addresses or freight forwarding companies
-
Use of free email services to pose as established companies
-
Mismatched sender domains or suspicious domain names
Proofpoint said it will continue to monitor these threats and collaborate with partners to identify, block and neutralize malicious operations tied to RFQ scams.
