An RFQ scam uses both high and low tech to bypass your standard anti-phishing detection methods when a scammer is pretending to request a quote.  Hence the name request for quote scam. And, despite the widespread use of native email security, 81 percent of organizations worldwide still experience email phishing attacks

To scam your business threat actors are becoming more sophisticated in their attempts by using social engineering. In other words, these actors use psychological manipulation to trick you into divulging your confidential information rather than just relying on technology. As a result, to help protect you and safeguard your organization, we feel it is important to learn how to spot email scams, especially in this age of digitalisation.

Above all, RFQ scams are growing in their popularity because as people we fall for the manipulative tricks and click links, share sensitive information, and open attachments. So, we believe education is key to overcoming this issue.

What can do to protect yourself?  Firstly, we’ll look at how RFQ scams work.

What is an RFQ Scam?

A RFQ scam is a form of vendor email compromise that impersonates a quote request from a legitimate organization, but different to an RFP – request for proposal scam. So, the RFQ scam is where a fraudster pretends to be from a legitimate company and asks to order or a quote for products and attaches a .pdf document to the email.

Scammers can impersonate all types of different business including government agencies and federal employees to make out they are valid and can be trusted.

Firstly, when these threat actors start, they may use a throwaway email address. This email looks very similar to the external impersonated business they pretend to be from, but the domain will be different and registered to a fake account. However, in some of these schemes the RFQ name and email address will be legitimate. The key difference is the Reply-To address which isn’t legitimate. It will contain slight variations and connects to the attacker directly.

RFQ vs. RFP: What’s the Difference?

As we mentioned earlier an RFQ is different to an RFP. You might ask what’s the difference?RFP is a request for a proposal and used to compare vendors and services in determining appropriate solutions. Whereas an RFQ assumes that products and services are already known, the client is wanting to simply make a purchase and just needs to decide on the price. In contrast RFP has more of an extended buying process. But in some situation a client may want a RFQ with an RFP to make a decision and needs a complete picture both the quote and the proposal.

In other words, attackers prefer RFQ because they are a quick sale rather than a drawn-out process. And they can launch their threats and capitalise on the simple process and quick decisions of RFQ.

How Does an RFQ Attack Work?

In their attachments, RFQ scams rarely use malware or malicious links as the main attack vehicle, unlike many other phishing attacks. On the other hand, they prefer to scam the targets sensitive information like bank details over the phone or email.

Secondly, the scammer will want goods urgently with the promise of payment on delivery. As they pretend to be a legitimate business, they try to convince the target to send the order. If they are successful, the payments never arrive, and the scammer can sell the goods on the black market.

In addition, like many other scams RFQ creates a sense of panic and urgency to fulfill the order and ship the goods. Therefore, it’s more likely to be successful as people are less likely to question the legitimacy and “act now” falling victim to the attacker’s request for urgent action.

3 Tell-tale Signs of an RFQ Scam

The 3 key indicators to help spot an RFQ scam.

1. Mismatched email address and phone number

Often it can be hard to spot the fake because RFQ scams appear to be legitimate and from a legitimate client or vendor. To identify an RFQ scam, one reliable way to spot the fake is to firstly double check the email and phone number in the email. Is it legitimate? To verify the legitimacy of the phone number and email address check on the business’s contact public record separately and compare it with what was presented in the email.

Secondly, follow up with the business and ask them directly via their official website or phone number. Do not ask via the email you were sent or click on any links that were provided.

2. Email domain registered is not consistent with the impersonated party

With only minor changes many scammers create a fake domain that is like the legitimate business they are impersonating. For example, the scammer might include a country abbreviation in the domain name itself, such as “” if they want to pose as an international organization. But most multinational companies use the actual suffix of the country, such as .us or .jp.

The scammers will create an actual domain just for that RFQ scam because it presents a zero-day vulnerability, as it is so new. And it gets past the standard email authentication like SPF, DKIM, and DMARC. In other words, it will not appear in any threat intelligence feeds, which many legacy email security tools use as reference because it has never been seen before.

3. Email design and address flaws

Scammers will often include “official” company logos in their invoice design layouts that don’t exactly replicate legitimate invoices, in their attempt to appear legitimate. Meanwhile as a “spray and pray” tactic they’ll BCC all recipients rather than addressing an email to a specific person. If someone takes the bait and responds, to trick the target into sharing financial information or other sensitive data the attacker will create a legitimate looking RFQ.

Protect Your Company Against RFQ Scams with Armorblox

We can expect more types of vendor email compromise scams to pop up, as the business world continues to digitize.  But the good news is you can protect your organization and human workforce from RFQ scams and other emerging threats with the right email security tools in place.

From vendor email compromise to credential phishing, Armorblox is designed to prevent today’s advanced business email compromise attacks.

To stop even the most sophisticated email threats.

Want insights like this in your mailbox? Join our monthly mailing list

How can we make your business better with IT?