Attention Contractors: Advisory Notice Regarding Suspected Phishing Emails
The Department of Transportation’s (DOT) Office of the Senior Procurement Executive (OSPE) has seen a significant increase in phishing emails that spoof the Senior Procurement Executive’s (SPE) official government email address. The emails, reported to the OSPE by numerous federal contractors across the U.S., contain fraudulent Requests for Quotations (RFQs) in which DOT appears to request pricing and delivery of commercial IT equipment (e.g., cell phones) to fictitious DOT facilities. These fraudulent RFQs look somewhat official and use the official DOT emblem. It also appears that the perpetrator is specifically targeting small businesses.
Please note that the DOT SPE does not personally issue any RFQs or solicitations. Any RFQ/Solicitation received via email from an apparent DOT source unknown to you or your company should immediately be verified for authenticity.
If you feel that you have been victimized and/or injured by a third-party phishing attempt, you are encouraged to contact your local law enforcement. Additionally, you should consider using the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3), https://www.ic3.gov/default.aspx, to file a complaint regarding spoofed emails, similar domain names, and email intrusions.
Please see the original post below for points of contact and additional tips on dealing with suspect emails.
Original Post – Monday, 25 March 2019:
Recently, there have been several spam emails fraudulently purporting to have been sent by the U.S. Department of Transportation’s (DOT) Office of the Senior Procurement Executive (OSPE) or other Departmental offices. Except in limited circumstances (i.e., task order proposal requests to vendors under existing contract awards), OSPE and DOT contracting offices do not send out email Requests for Proposal (RFP), Requests for Information (RFI), Invitations for Bid (IFB) or Notices of Funding Opportunity (NOFO). DOT uses existing, secured, Governmentwide websites, such as the Contract Opportunities module in Beta.SAM.Gov, the U.S. General Services Administration's eBuy, or Grants.gov, to publicize DOT contract or financial assistance opportunities.
If you receive an email from OSPE or another DOT contracting office that is not from a sender you recognize and/or does not seem legitimate to you, DO NOT click on any links or open any documents/attachments.
"Phishing" is the most common type of cyber-attack that affects organizations. Phishing attacks can take many forms, but they all share a common goal: to fraudulently get individuals and business owners to share sensitive information such as login credentials, credit card information, or bank account details.
To avoid these phishing attacks, we recommend the following:
- Do not click on links or attachments from senders that you do not recognize. Be especially wary of PDF files, and .zip or other compressed or executable file types.
- Do not provide sensitive personal or company information (i.e., usernames and passwords, company financial information, etc.) over email.
- Watch for email senders that use suspicious or misleading domain names.
- Inspect URLs carefully to make sure they’re legitimate and not imposter sites.
- Do not try to open any shared document that you’re not expecting to receive.
- If you think that your username and password may have been stolen, please visit the Federal Trade Commission’s identity theft website at https://www.identitytheft.gov/ for information on how to respond, and contact your local law enforcement to report the theft.
If you are in receipt of what looks like a spam email from the Department, call our office to confirm the validity of the communication at (202) 366-4280, or via email at M61AcquisitionPolicy@dot.gov.
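The sender-domain checks recommended above can be partly automated when triaging a reported message. The following Python code is an added example, not part of the DOT notice: the sample messages, the `.example` domains, the `placeholder@dot.gov` address and all function names are constructed for illustration, and it assumes the `Authentication-Results` header was written by your own receiving mail server.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

TRUSTED = "dot.gov"  # domain of the contact address given in the notice

# Constructed sample messages (not real mail); .example domains are placeholders.
SPOOFED = ("From: Senior Procurement Executive <placeholder@dot.gov>\n"
           "Reply-To: quotes@dot-gov.example\n"
           "Authentication-Results: mx.contractor.example; spf=fail; dkim=none; dmarc=fail\n"
           "Subject: RFQ\n\nPlease quote.\n")
LOOKALIKE = "From: DOT Procurement <rfq@dot-gov.example>\nSubject: RFQ\n\nPlease quote.\n"
CLEAN = ("From: M61AcquisitionPolicy@dot.gov\n"
         "Authentication-Results: mx.contractor.example; spf=pass; dkim=pass; dmarc=pass\n"
         "Subject: Reply\n\nHello.\n")

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower().rstrip(".")

def is_trusted(domain):
    return domain == TRUSTED or domain.endswith("." + TRUSTED)

def is_lookalike(domain):
    """True for a domain that is not trusted but embeds or nearly spells it."""
    if not domain or is_trusted(domain):
        return False
    embedded = TRUSTED in domain.replace("-", ".")
    near = SequenceMatcher(None, domain, TRUSTED).ratio() >= 0.8
    return embedded or near

def triage(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"])
    if is_lookalike(from_dom):
        findings.append("lookalike-from:" + from_dom)
    # A spoofed From often pairs with a reply path on a different domain.
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[hdr])
        if dom and is_trusted(from_dom) and not is_trusted(dom):
            findings.append(f"{hdr.lower()}-mismatch:{dom}")
    # Only meaningful if this header was added by your own mail server.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    findings += [m + "-fail" for m in ("spf", "dkim", "dmarc") if f"{m}=fail" in auth]
    return findings
```

An empty result does not prove a message is genuine; it only means none of these three signals fired, so verification by phone or through the official websites still applies.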