SMS Blog

Ordering Fraud: The Other Side of the Supply Chain

By Ben Friedman, Vice President, Strategic Sourcing, SMS

Overview
Discussions of supply chain management are everywhere these days. Our interconnected world increasingly relies on the outputs of a multitude of companies located all over the world. Nothing makes this clearer than the shortages of medical supplies, basic commodities, and even food due to the COVID-19 pandemic. We have all seen first-hand how complex supply chains can both provide value and bring substantial risk, with sometimes cheaper products but a higher degree of supply chain disruption in a time of crisis. Lost in these discussions is the other side of the supply chain: the customer, the organization, or individual buying your product. This is particularly important in the IT industry.

Selling to the Wrong Customer
Monitoring the sell-side of your transactions is every bit as important as monitoring the buy-side of your transactions. Increasingly sophisticated fraud in the IT space has now begun to impact public institutions including hospitals, universities, and even government agencies. Criminals pose as legitimate buyers (sometimes using actual employee names easily found on Linkedin) from large institutions and request pricing for high-demand IT components. Once you have engaged with a fraudulent buyer you may actually be directed to the accounting department of the actual organization (if a commercial client) to establish credit terms, or you may be given a stolen credit card as payment. The scam has to happen quickly for the criminal to succeed so they almost always will want to buy off-the-shelf products. This fraud can have the following impacts to your company:

  • Theft. Much of this fraud actually results in outright theft. And you the seller are left with an unpaid invoice or reversed charges on a fraudulent credit card charge.
  • Undermining of traditional markets and encouragement of the Gray and Black Markets. Every fraudulent sale made means that there is more stolen material to be had in the marketplace, negatively impacting the sale of legitimate products.
  • Damage to reputation. Any investigation of an incident ultimately will involve your suppliers and the customer which the criminal impersonated. This is not the kind of press your company needs.
  • Financial support of criminal or antisocial enterprises. Groups participating in this type of fraud are more sophisticated and organized than you might think. They can even be tied to organized crime, and terrorist organizations.

What Should You Look for to Prevent Selling to Fraudulent Customers?

  • Requests for commercially resalable items (for example: iPhones, hard drives, inexpensive routers, and toner cartridges)
  • Requests from an email address from a webmail account that does not match the company name
  • Requests from companies or individuals with no past business history with your organization that imply a sense of urgency
  • Request that contain no quantities
  • Requests from customers that do not know your name
  • Requests that immediately ask for “net terms”
  • Requests inquiring if you would ship overseas
  • Requests from a company that already resells the items they are asking to buy. As odd as this seems it does happen.
  • Requests where there is no contact phone number
  • Post order changes to terms, credit card information, or shipping location
  • Your accounting department receives requests for credit checks from companies with no known business relationship. In this case someone may be trying to impersonate your company.

Example of a Fraudulent Request
The case below is a real example of an attempt to defraud. At first glance the email and attachment seem legitimate, but upon closer inspection it becomes clear this is fraud.

email example redacted 002
RFQ example Redacted 002

Questions You Should Be Asking About This Request

  • Do you know this customer? How do they know you?
  • What is the domain of the email address? I have redacted the email address, but if you are suspicious of the domain you should check your organization’s security policy on handling suspected phishing attempts.
  • The request is for items that have consumer value and high resale value. Does that seem typical?
  • The request is asking for “unlocked phones”. Would the Government ever request this? Maybe, but it is a warning sign nevertheless.
  • Would the Chief Acquisition Officer really be putting out an RFQ for 55 cell phones? Very unlikely. A request like this would come from an acquisition specialist or a contracting officer.
  • Does the RFP look like a regular government RFP? Is this how you normally receive RFPs from this customer?
  • Does the logo look right? If you look closely you can see that it was clearly cut and pasted from the agency website and perhaps resized.

SMS and Supply Chain Management
SMS takes supply chain management seriously and recently became one of fewer than 3 dozen companies worldwide certified under the ISO/IEC 20243:2018 /Open Trusted Technology Provider Standard (O-TTPS). This standard is a set of industry best practices designed to reduce the risk of acquiring tainted or counterfeit IT products. SMS took the additional step of implementing training, procedures and systems designed to prevent fraudulent customer sales to do our part in ensuring that tainted products do not originate from SMS. Ultimately ensuring that the supply chain is secure on both the buy-side and the sell-side is critical in reducing the amount of overall IT fraud.