Bad bid: Malicious actors target government contractors

By: Stu Sjouwerman 

IT personnel working the trenches in the fight against malicious emails know that financial transactions — and the various documents that support and accompany those transactions — provide malicious actors seemingly endless fodder for clever phishing attacks designed to separate legitimate organizations from their money and reputations, as well as their customers, clients, and partners.

Indeed, fake invoices, RFQs, POs, ACH documents, and remittance forms collectively constitute the “social engineering” backbone of innumerable phishing campaigns. And hapless employees keep falling for them, clicking through malicious links and opening malware-laden attachments — often with nary a thought to the potential consequences — bringing malicious actors and their sophisticated malware inside their employers’ networks.

Over the past few months we have observed the increasing use of yet another type of transaction-based social engineering scheme designed to hook companies dependent on government contracts: the invitation to bid. In what follows, we’ll take a look at a number of actual phishing emails reported to us by customers using the Phish Alert Button (PAB).

The Evolution of the Fake Bid Phish

Fake bid invitations have been around for a while, to be sure. In many respects, they are a natural variation of the fake RFQ, which leverages a targeted organization’s search for new business to dupe its employees into opening the digital door to security breaches, costly downtime, and financial mayhem.

Going Large

Governments tend to be large, sprawling organizations. Apparently, the phishing emails targeting private contractors who bid for government projects have to be just as big, just as byzantine, and just as bureaucratic. Or so it would seem from the steady stream of fake “invitation to bid” phishing emails we’ve been tracking over the past 4-6 months.

Even if you’re not in the government contracting business, this kind of phishing campaign ought to make you sit up in your chair. If nothing else, it clearly demonstrates the lengths to which malicious actors will go to wangle something as simple — and potentially destructive — as a set of login credentials from your users and employees. The bad guys are just that determined, just that disciplined.

It should also serve as a warning that the days of counseling users to spot phishing emails by looking for grammar, spelling, and syntax errors are long gone. Your users won’t help you keep the bad guys out by becoming grammar nazis. And that training session you did last year in the break room with a box of doughnuts and a PowerPoint deck will forever be a distant, foggy memory.

What your employees need is New-school Security Awareness Training, which teaches them what to look for and regularly tests their mettle against simulated phishing emails based on the latest phishing campaigns actually out there “in the wild.” And the “wild” we speak of is not something scary “out there,” lurking just beyond the tall trees of your firewall. It’s in your users’ inboxes right now, today, and each and every day.

The link to this article can be found at It includes the examples of bad bids that are out there.