The General Services Administration’s schedules program has been victimized by spear phishing attacks, costing vendors more than $1.5 million. And law enforcement officials say it’s increasing.
GSA alerted Schedule 70 and 75 vendors Wednesday that since July 2012 the FBI, the Environmental Protection Agency and GSA inspectors general have been investigating a series of fraudulent orders placed online to GSA vendors from criminals posing as federal contracting officials, according to an email to Schedule-70 and 75 vendors, which Federal News Radio obtained.
The hackers ordered HP printer toner cartridges using official federal employee credentials but fake email addresses, telephone numbers and stolen credit cards.
Law enforcement officials now say scammers are targeting orders for laptop computers, though it’s unclear if these two cases are related. But GSA said “there are some significant similarities and we’re following up on investigative leads to make further determinations.”
“Over the past few months there have been orders for laptop computers (Schedule 70) wherein perpetrators have set up/attempted to set up accounts directly with vendors to procure laptop computers,” GSA wrote in an email. “They are spoofing actual Department of Defense domains, and in some cases, using actual DoD members’ information.”
GSA’s notice to vendors said law enforcement officials made one arrest so far and still are investigating other fraudulent orders.
Steps to stop the scam
GSA said scammers so far have targeted employees of the EPA, Interior Department’s Fish and Wildlife Service, the Commerce Department’s Census Bureau and the Department of Health and Human Services’ National Institutes of Health. The email stated the list of affected government agencies grows each day.
“By calling the GSA Global Supply or vendors directly, perpetrators are placing orders for toner cartridges and laptop computers ranging from a few hundred to $20,000 using stolen credit card numbers,” the email notice stated. “In at least one instance, the vendor was able to track the perpetrator in real time attempting to enter a list of stolen credit card numbers until he found one that cleared for processing. Investigators have traced the fraudulent activity going as far back as December 2011. It is growing every day.”
In the email notice to vendors, GSA requests vendors take several steps to help catch the scammers and protect themselves.
“Although it is extra work, investigators are requesting that any representatives receiving orders for HP printer toner cartridges or laptop computers verify the provided shipping address using the ‘street view’ function on Google Maps,” the email stated. “If it is a very large order going to what appears to be a residential address, it is likely fraudulent.”
Law enforcement officials also are requesting vendors to preserve IP addresses used by the bad actors, and, if possible, make audio recordings of customer telephone calls in connection with these fraudulent orders, being sure to keep in mind that some states require both parties to know the call is being recorded.
“Investigators have learned the perpetrators recruited a nationwide network of ‘repackagers’ — people who unwitting, and have applied for ‘work-from-home’ positions receiving this merchandise and remailing it to destinations currently unknown,” the email notice stated. “Once the order is placed, the perpetrator ‘spoofs’ a disconnected telephone number to call the GSA vendor and ask for shipping and tracking information. Witnesses say that the caller has a foreign accent. The perpetrator may also attempt to contact the representatives through online chats or direct phone calls.”
Spear phishing fraud is new to schedule holders
Larry Allen, a long-time expert and observer of the GSA schedules and president of Allen Federal Business Partners, said this is the first time in nearly 25 years fraud like this has happened.
“Contractors clearly need to be on-guard to ensure that they are selling only to authorized schedule users,” he said. “Selling at deep discounts to commercial companies can get companies in compliance trouble in some circumstances. Ironically, it appears that some people think that schedule prices are very competitive and desirable. I wonder why GSA leadership doesn’t think this.”
Scott Orbach, president of EZGSA, said vendors should apply the “know-your-customer” rule to schedule purchases.
“It requires a firm to use reasonable diligence in regard to opening and maintaining every account,” he wrote in an email. “This includes knowing and retaining the essential facts about a customer and the authority of the persons acting on behalf of that customer.”
Rick Vogel, a federal government sales manager for Coast-to-Coast Computer Products in Simi Valley, Calif., said his company has protections against fraudsters.
“We verify every order by calling the government end user,” he said. “If the order is coming through the GSA Advantage system, it’s pre-verified.”
Vogel said he has more concerns about possible scams trying to buy laptops.
“Generally, laptops aren’t purchased through GSA Advantage, as most agencies do enterprise buys and we are aware of them in advance,” he said. “And if I started getting a bunch of credit card orders for laptops, I’d question it.”
Orbach said there are several warning signs vendors should be aware of:
Customers who have never purchased from you in the past;
Shipments to new or unusual addresses;
Unusually large quantities or high value orders;
Declined credit cards and/or offer of multiple card numbers.
Spear phishing attacks against GSA schedule holders like this may be new, but in years past, contractors say there have been successful schemes where bad actors stole the identity of government contracting officers and bilked companies for more than $100,000 of laptops and other computer products.
Vogel said he’s a little disappointed that GSA is just alerting Coast-to-Coast Computers Product now, nearly 18 months after the investigation started.
“As a contractor, I would have appreciated a notice as soon as they figured it out,” he said. “Maybe there are some law enforcement issues that delayed telling us. But maybe threshold for notification could be for those companies with at least $1 million a year in sales, or something like that.”
An email to GSA seeking comment on the fraud and steps they are taking to protect vendors was not immediately returned.