Scam targets GSA schedule holders using spoofed federal email addresses

Thursday - 4/3/2014, 1:06pm EDT

Jason Miller, Executive Editor, Federal News Radio

Download mp3

The General Services Administration's schedules program has been victimized by spear phishing attacks, costing vendors more than $1.5 million. And law enforcement officials say it's increasing.

GSA alerted Schedule 70 and 75 vendors Wednesday that since July 2012 the FBI, the Environmental Protection Agency and GSA inspectors general have been investigating a series of fraudulent orders placed online to GSA vendors from criminals posing as federal contracting officials, according to an email to Schedule-70 and 75 vendors, which Federal News Radio obtained.

The hackers ordered HP printer toner cartridges using official federal employee credentials but fake email addresses, telephone numbers and stolen credit cards.

Law enforcement officials now say scammers are targeting orders for laptop computers, though it's unclear if these two cases are related. But GSA said "there are some significant similarities and we're following up on investigative leads to make further determinations."

"Over the past few months there have been orders for laptop computers (Schedule 70) wherein perpetrators have set up/attempted to set up accounts directly with vendors to procure laptop computers," GSA wrote in an email. "They are spoofing actual Department of Defense domains, and in some cases, using actual DoD members' information."

GSA's notice to vendors said law enforcement officials made one arrest so far and still are investigating other fraudulent orders.

Steps to stop the scam

GSA said scammers so far have targeted employees of the EPA, Interior Department's Fish and Wildlife Service, the Commerce Department's Census Bureau and the Department of Health and Human Services' National Institutes of Health. The email stated the list of affected government agencies grows each day.

"By calling the GSA Global Supply or vendors directly, perpetrators are placing orders for toner cartridges and laptop computers ranging from a few hundred to $20,000 using stolen credit card numbers," the email notice stated. "In at least one instance, the vendor was able to track the perpetrator in real time attempting to enter a list of stolen credit card numbers until he found one that cleared for processing. Investigators have traced the fraudulent activity going as far back as December 2011. It is growing every day."

In the email notice to vendors, GSA requests vendors take several steps to help catch the scammers and protect themselves.

"Although it is extra work, investigators are requesting that any representatives receiving orders for HP printer toner cartridges or laptop computers verify the provided shipping address using the 'street view' function on Google Maps," the email stated. "If it is a very large order going to what appears to be a residential address, it is likely fraudulent."

Law enforcement officials also are requesting vendors to preserve IP addresses used by the bad actors, and, if possible, make audio recordings of customer telephone calls in connection with these fraudulent orders, being sure to keep in mind that some states require both parties to know the call is being recorded.

"Investigators have learned the perpetrators recruited a nationwide network of 'repackagers' — people who unwitting, and have applied for 'work-from-home' positions receiving this merchandise and remailing it to destinations currently unknown," the email notice stated. "Once the order is placed, the perpetrator 'spoofs' a disconnected telephone number to call the GSA vendor and ask for shipping and tracking information. Witnesses say that the caller has a foreign accent. The perpetrator may also attempt to contact the representatives through online chats or direct phone calls."

Spear phishing fraud is new to schedule holders

Larry Allen, a long-time expert and observer of the GSA schedules and president of Allen Federal Business Partners, said this is the first time in nearly 25 years fraud like this has happened.

"Contractors clearly need to be on-guard to ensure that they are selling only to authorized schedule users," he said. "Selling at deep discounts to commercial companies can get companies in compliance trouble in some circumstances. Ironically, it appears that some people think that schedule prices are very competitive and desirable. I wonder why GSA leadership doesn't think this."

Scott Orbach, president of EZGSA, said vendors should apply the "know-your-customer" rule to schedule purchases.

"It requires a firm to use reasonable diligence in regard to opening and maintaining every account," he wrote in an email. "This includes knowing and retaining the essential facts about a customer and the authority of the persons acting on behalf of that customer."

Rick Vogel, a federal government sales manager for Coast-to-Coast Computer Products in Simi Valley, Calif., said his company has protections against fraudsters.