You’ve got mail! And it could be a scam.
The Better Business Bureau (BBB) says fake malicious emails are circulating right now that target small businesses. The emails purport to contain an RFP (Request for Proposal). That’s usually an easy hook to get a small business to open the email. After all, it could mean more business.
That’s exactly the mindset scammers are reportedly banking on with this round of attacks.
How the Fake RFP Email Scam Works
The BBB says that the subject line of these scam emails is typically ‘RFP Proposal’ or similar language.
The email will invite recipients to download an attached RFP. The RFP in the email looks legit, according to the alert from BBB. “The RFP has details about the project and uses a company or government agency name.”
After downloading and reviewing the RFP, the scam could play out in three different ways:
You’re directed to another site and asked to enter private data on that site;
You’re directed to another site and asked to download a file that will expose information stored on your computer;
Or you’re asked to provide banking information for payments.
Spot the Scam
The BBB suggests that spotting a fake email like the one used in this RFP scam is rather simple. It requires only vigilance and a dose of skepticism.
First, be suspicious of an email like this that arrives out of the blue. Even things like a legit-looking sender email, official logos and other hallmarks of a professional email are not proof the RFP is real.
Call the sender, the BBB advises. If you can’t get the sender on the phone — ever — then it’s likely a scam. Expect to hear the phrase “They’re out of the country,” or something similar, the agency warns.
Since many of these fake RFPs are made to look like requests from government agencies or other businesses, check the web to see if they’re posted anywhere else. If you don’t see it, call the agency behind the supposed RFP and confirm that it’s real.
The fake RFPs generally lack a lot of detail. This alone, plus the fact that the RFP seems to have arrived with no prior contact or notification, should be more than enough to make you suspicious.