Global RFQ Scam Exposed: Cybercriminals Use Net Payment Terms to Steal Millions in Goods

The Invisible Threat Behind Routine Procurement Requests

In a shocking revelation that has sent ripples across the supply chain and cybersecurity landscape, a sophisticated Request for Quote (RFQ) scam has been uncovered by threat analysts at Proofpoint. Exploiting standard net financing terms like Net 15, Net 30, and Net 45, cybercriminals are impersonating legitimate businesses to fraudulently order high-value electronics, medical equipment, and other critical infrastructure components — all on credit. By leveraging stolen credentials and realistic documentation, these actors deceive vendors, disappear with the goods, and often ship them across borders using freight forwarders or unsuspecting third parties. The scam, though silent in operation, is expansive, organized, and now increasingly global. Here’s a deep dive into how it works, what’s at stake, and how companies can protect themselves from becoming the next victim.

Inside the Scam: Summary of the Threat Operation

Researchers from Proofpoint have exposed a widespread RFQ scam campaign targeting businesses across industries using fraudulent procurement requests. The deception hinges on the use of standard net payment terms — usually Net 15, 30, or 45 — which allow goods to be shipped before payment is due. Criminals pose as procurement agents from legitimate organizations and use real or stolen business identifiers such as Employer Identification Numbers (EINs) and DUNS numbers to bolster their credibility.

The scam starts with a professionally written RFQ email, typically requesting specialized and expensive equipment like Fluke testing devices, medical instruments, surveillance systems, or critical IT infrastructure including routers and hard drives. These emails often come from deceptive email addresses: lookalike domains or free email services like Gmail or Yahoo. Once a supplier agrees to the terms, the scammers supply falsified documents to accelerate credit approval.

Shipping addresses are deliberately concealed until the final stages of the transaction. Once revealed, they are often linked to rented warehouses, private residences, or even individuals unknowingly caught in the fraud. The delivery logistics are managed by freight forwarders — often with destinations in West African nations such as Nigeria and Ghana. In more advanced operations, threat actors rent storage facilities across the US or enlist scam victims to receive and redirect packages.

To investigate, Proofpoint analysts went undercover, engaging directly with multiple scam rings by pretending to be vendors with flexible payment policies. Their findings revealed a post-approval strategy involving urgent shipping requests, partial deliveries to avoid raising red flags, and the use of high-quality fake documents to maintain the illusion of legitimacy.

Proofpoint’s Takedown Team managed to disrupt the scam’s ecosystem by deactivating 19 malicious domains and intercepting fraudulent shipments in collaboration with shipping carriers. However, attackers adapted quickly, either abandoning compromised channels or shifting operations to newly created domains.

Organizations are urged to look out for specific red flags: unfamiliar senders demanding urgent credit-based orders, requests using free email accounts, inconsistencies in sender domains, and suspicious delivery addresses linked to residential zones or freight forwarding hubs. Proofpoint has pledged to maintain pressure on these threat actors by continuously monitoring and dismantling their operations.
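The email-side red flags listed above can be screened automatically before an RFQ reaches credit approval. The following Python sketch is an added example, not code from Proofpoint or from this report; the customer domain list, the free-mail list, the flag names and the sample message are all assumptions constructed for illustration, and delivery-address checks are out of its scope.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed inputs: domains of customers already on file, and common free webmail hosts.
KNOWN_CUSTOMER_DOMAINS = {"acme-industrial.example", "northwind.example"}
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
NET_TERMS = re.compile(r"\bnet[\s-]?(15|30|45)\b", re.I)
URGENCY = re.compile(r"\b(urgent(ly)?|asap|immediately|rush)\b", re.I)

# Constructed sample message (not taken from the report).
SAMPLE_RFQ = """\
From: "Procurement Dept" <purchasing@acme-lndustrial.example>
Reply-To: acme.procurement.desk@gmail.com
Subject: RFQ for handheld testers

Please quote 40 units. We need these shipped urgently on Net 30 terms.
"""

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def domain_of(header_value):
    """Lower-cased domain of an address header; empty string if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def rfq_red_flags(raw_email):
    msg = message_from_string(raw_email)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    text = f"{msg['Subject'] or ''}\n{msg.get_payload()}"
    flags = []
    if sender in FREE_MAIL or reply_to in FREE_MAIL:
        flags.append("free_email_account")
    if reply_to and reply_to != sender:
        flags.append("reply_to_domain_mismatch")       # inconsistent sender domains
    for dom in (sender, reply_to):                     # near-miss of a customer on file
        near = [k for k in sorted(KNOWN_CUSTOMER_DOMAINS) if 0 < edit_distance(dom, k) <= 2]
        if dom and near:
            flags.append("lookalike_of:" + near[0])
            break
    if sender not in KNOWN_CUSTOMER_DOMAINS and NET_TERMS.search(text):
        flags.append("credit_terms_from_unfamiliar_sender")
    if URGENCY.search(text):
        flags.append("urgency_language")
    return flags

if __name__ == "__main__":
    print(rfq_red_flags(SAMPLE_RFQ))
```

Any returned flag is a reason to verify the buyer through a contact channel already on file rather than the one given in the email.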

What Undercode Says: Anatomy of a Cyber-Fraud That Mimics Business as Usual

Why This Scam Works So Well

The brilliance of this RFQ scam lies in its ability to mirror routine business processes. Many companies regularly engage in Net 30 or Net 45 transactions without suspicion, especially in B2B environments where long-term relationships and delayed payments are standard. Attackers exploit this trust-based structure, sneaking in through a process that typically wouldn’t raise alarm until it’s too late.

The Power of Impersonation

What makes this threat especially dangerous is the level of detail attackers incorporate into their fake identities. By using real EINs and DUNS numbers, they pass many of the basic verification checks vendors use. Add to that lookalike email domains, professionally designed RFQs, and believable supporting documents, and it’s clear that even experienced procurement officers could be fooled.

High-Value Targets with High Payouts

Rather than targeting large quantities of low-value goods, these scammers go for gold: medical imaging devices, surveillance equipment, specialized testing tools, and IT infrastructure. These items are expensive, relatively compact, and easy to resell on black markets — especially in countries where access to such equipment is limited or heavily regulated.

Logistics and the Shadow Network

Freight forwarding plays a critical role in laundering stolen goods. Once shipped, the trail becomes difficult to trace, especially if items pass through multiple intermediaries or countries with limited oversight. Renting storage units or using innocent residential addresses adds a further layer of obfuscation, allowing scammers to evade detection for longer.

Psychological and Technical Manipulation

There’s a psychological component to this scam as well. The tone of urgency — combined with professional presentation — creates pressure on the seller to act quickly, bypassing due diligence. Meanwhile, the technical side includes domain spoofing, the use of public business databases, and rapid domain switching when compromised.

Law Enforcement Blind Spots

Despite significant progress in cybercrime enforcement, jurisdictional challenges persist. Once a scam crosses international borders, especially into regions with weaker enforcement capabilities, recovering goods or tracking perpetrators becomes nearly impossible. This gives attackers a sense of impunity.

Proofpoint’s Offensive Defense

By going undercover, Proofpoint showcased how proactive engagement can yield valuable intelligence. Their success in taking down 19 domains and intercepting stolen shipments illustrates the potential for disrupting such schemes. However, it also highlighted the adaptability of the scammers, who quickly pivoted to alternative domains and methods.

The Bigger Picture: Cybercrime Meets Supply Chain

This RFQ scam isn’t an isolated event. It’s a manifestation of the increasing overlap between cybercrime and global supply chain vulnerabilities. From ransomware attacks on shipping giants to coordinated procurement frauds, cybercriminals are targeting the physical goods ecosystem with alarming precision.

Future-Proofing Procurement Processes

Organizations must reassess their procurement verification processes. Relying on traditional business identifiers or familiar-looking documents is no longer enough. Integrating multi-layered verification, regular domain monitoring, and AI-assisted fraud detection systems will be crucial in the years ahead.

Final Thought

This scam is a masterclass in social engineering, logistics manipulation, and digital disguise. As long as businesses rely on credit-based transactions and trust in paperwork, attackers will continue to exploit those cracks — unless we rethink how digital and supply chain security intersect.

🔍 Fact Checker Results

✅ The scam leverages real EINs and DUNS numbers to pass verification checks
✅ Freight forwarding and residential addresses were used to receive stolen goods
✅ Proofpoint deactivated 19 scam-related domains and intercepted shipments

📊 Prediction

Given the

References:

Reported By: www.infosecurity-magazine.com