Does That RFP Smell Phishy?


 

How do you know that RFP solicitation you just received is real?

You don’t, unless you know what to look for and are aware of the threat.

 

 

For clients, I monitor and evaluate RFP/RFQ opportunities from various state, federal and corporate agencies across the US and just received this message from the Maryland State Dept of Information Technology.


Subject: Message to Vendors regarding fraudulent emails

State of Maryland has been made aware of a new phishing scam that targets the community of vendors doing business with the State of Maryland. A phishing attack occurs when a fraudster tries to trick you into sharing personal information online.


 

In Todd R. Weiss’ online article “$100M Email Phishing Case Offers Lessons Learned for IT,” Neil Wynne, an IT security analyst with Gartner, warns that “business email attacks have been occurring with significantly higher frequency in recent years.”

Have you received a phishing email?  If your answer is no, then you don’t know what the threat looks like.  It is safe to say that EVERYONE on this planet who is Internet connected has received one of these email-based IEDs (or Internet Explosive Devices as I like to call them).  So what do you do when you receive one of these?

The answer varies with your situation but there are some common actions and things to know, consider and do.  For example . . .

In its email warning, Maryland State Dept of Information Technology helped its existing and potential vendors/suppliers by doing two things:


First was to educate by saying:

“The scam attempts to lure vendors into taking certain actions, including visiting a fraudulent website to input personal information and/or to download malicious programs. Other messages request that the vendor remit payments and provide remittance information within the body of the message in the form of a routing and account number.

The State of Maryland does not request payment or ask its vendors to provide personal information via email.”

The second was to create a call to action with the following statement:

“If you receive an email similar to the ones below, don’t reply. You should delete the message immediately. Do not open attachments, click links contained in the email, or provide any data to the websites mentioned or linked. Refrain from remitting payment to bank account information provided.

Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.”


 

Maryland State Dept of Information Technology’s approach is good! But the one BIG thing I did not like about their email warning is that it had links.  That immediately raises a red flag in my mind.

What I have more commonly seen is a statement that says something like feel free to visit the institution’s website or call if you have any questions. No links or phone numbers are provided in those messages. Given the nature of the situation, rather than rely on email links, I think it is understandable that you should use the contact information already on hand to establish any desired communications to the institution.  After all, how do you know that someone didn’t send out a fake message pretending to be the Maryland State Dept of Information Technology? Yea, yea, I know this can get real squirrelly. So what is the solution?

In Todd’s article we read that a key tool to fighting phishing attacks “is a secure email gateway” along with a host of other rather complicated security technology solutions.  But reliance just on technology is not the ideal solution here, especially for budget-wary or non-tech-savvy small businesses.   Also, I take Wynne’s statement about how “attackers are easily bypassing these traditional prevention mechanisms,” one step further to say that attackers (especially those who are well financed) will continually exploit the inherent insecurity in our Internet that was originally meant to be open to all.  For example, did you ever wonder why Microsoft is always sending out Windows security updates and patches?  Bottom line here is you need more than technology to fight this problem.

Ultimately, the solution lies not with technology alone but in combination with human beings recognizing suspicious emails and deciding what should be done.   I think Gartner’s Neil Wynne agrees when he said “ultimately, the fact remains that human beings are the most vulnerable point of any information system.”

Whatever you do, the last line of defense against phishing attacks will always be employees who must receive the latest training to help them recognize and respond to phishing attacks and encouragement to remain vigilant or else as Rob Enderle, principal analyst at research firm Enderle Group warns “over time, people tend to start thinking it will never happen to them…”


 

So, do you know when someone is phishing for your confidential information?

Check this image to learn the signs or (if you don’t trust my links) just Google “stop phishing attacks.”


Use EXTREME CAUTION When Giving Gifts to Government Contract Officials and Clients

Here are some important words that bear repeating about gifts to government clients.  Business owners, especially new ones who have not dealt with government clients before but now want to express their honest gratitude for that first or second government contract award, should pay close attention to this warning from William Curry, a government contracting expert, trainer and author of the book Contracting for Services in State and Local Government Agencies, Second Edition.


 

Small businesses may have established a practice of sending thank you presents to their private sector customers. They should, however, reconsider this tradition when dealing with government agencies.

While researching contracting fraud cases for my book, I came across a newspaper article with a dateline naming a city where I previously lived. Upon reading the story, I was stunned to learn that my friend’s small business owner son was going to prison for giving gifts to government officials.

Did you know that the value of gifts that can be given to federal officials is surprisingly low at $20 per gift and no more than $50 per year from the same source? The limits vary greatly between the various state and local government agencies.

You may also be surprised to learn that the FBI traditionally has jurisdiction over procurement fraud cases for state and local governments as well as for federal agencies. When it comes to investigating contracting corruption, the FBI is a formidable institution. My recommendation: Don’t give gifts of any value to your government customers.

 

Hit The Right Target! It’s Time to Reread The RFP Requirements.

Happy Holidays & Winter Solstice All!

I’ve neglected my blogging chores recently, having been busy helping a few clients respond to some state government bidding opportunities before the end of the year.  But, now I’m back and want to share with you a funny experience I had the other day while scanning through a bunch of new opportunities.  It’s literally an eye opening experience that we all should keep in mind!

Now, we all understand that knowing the Request for Proposal (RFP) stated requirements is critical to being selected.  But literally hundreds of state/federal solicitations fly across my iPad screen . . . each one begging my eyes to scan through and assess their need.  But, I don’t have time to read these requests word-for-bloody-word!

So, while speed reading through the requirements, I noted that a potential RFP opportunity is looking for a vendor to conduct SWAT training.  Now, in my head and from a halcyonic perspective, that acronym sounded like Strength, Weaknesses, Opportunity and Threats, an area where my client excels.  Ding, ding, ding, this is a slam dunk!  I can write up a proposal for my client quickly and get ready for Christmas. Yea, buddy!

But, fortunately, the analytic geek inside of me decided to look into this further . . . slower . . . more intently.  After rereading the solicitation, and this time going all the way down the bottom of the page, it turns out the RFP solicitation actually wants someone to conduct Special Weapons & Tactics training . . . a totally different target (and client).

Lesson learned: read, re-read, then read it again!

Did you have a similar experience?

RFx Terminology – It’s Back-To-Basics

So what is your organization responding to?  Is it an RFP, RFQ, IFB . . . what’s the difference anyway and how does it affect your sales strategy?

I’ve seen these terms tossed about like multicolor balloons on New Year’s Eve!  But in the contracting world, each balloon is different.  They signal the solicitor’s varied intentions, which can affect your decision to respond to the opportunity in question.  Unfortunately, these terms are not always used consistently and can lead to confusion.

To see how other experts define RFx terminology, I did a quick Internet scan. Below is a high level summary of what I found and my personal comments on each. Take a look but don’t consider them the gospel for RFx terminology.  Instead, use this information as part of your overall research on the solicitation opportunity.  And remember, no matter what they call it, the real meanings will be found in the solicitation details such as: purpose, scope of work, instructions, terms and conditions and vendor selection criteria/process.

Request for Information (RFI) – These are open solicitations that seek broad information and understanding about a problem or requirement. RFIs are used to gather industry data, intelligence and vendor capabilities to help decide what step to take next before embarking on more formal and specific solicitations.  RFIs are, therefore, seldom the final vendor selection stage, but instead tend to establish the beachhead that paves the way for other solicitation types described below.

Bottom line here is don’t expect this to result in a contract, at least not yet.  Instead, think of the RFI as a golden opportunity to introduce your organization to the buyer and contract manager. You will most likely have to respond to another solicitation to win the contract. That’s more work but it may be worth the effort in terms of getting positive exposure and time to propose the best solution.

Request for Quotation (RFQ) is a solicitation opportunity for potential vendors/suppliers to communicate to the buyer proposed costs for a defined set of products and services. I’ve read some industry sources that say the quote you submit is not a binding offer. But I have come across RFQs that included terms and conditions that effectively bind your firm to the price you submitted and confirmed with your signature as an official person authorized to commit your firm. So read the nitty-gritty details!

An RFQ usually contains a specific detailed list or description along with related parameters of the service and or items to be acquired by the purchasing organization. Bottom line, the buyer knows what s/he wants and is most likely doing a price comparison. This is a technique sometimes used to ensure that the incumbent vendor (if there is one) doesn’t overcharge for his/her services or products. The lowest priced vendor usually prevails here.

Invitation for Bid (IFB) – Similar to an RFQ, this solicitation is a method to gather competitive pricing for a specifically defined need and the decision is generally based on price not ideas. I’ve read IFBs are used for procurements greater than $100,000 in value but not all procurement departments follow that rule. For example, we recently won a Texas IFB that totaled about $20,000.

Request for Proposal (RFP) is a solicitation sent to potential suppliers with whom a creative relationship or partnership is considered critical to success. Typically, the buyer knows what s/he wants but is not sure on the approach to get there.  So, the RFP asks competing vendors to state their proposed strategy to achieve the buyer’s goals and objectives.  This also gives the buyer an opportunity to see how their potential vendor partner thinks and to get a glimpse into how the relationship will take shape. In fact, the creativity and innovation that vendors include in their proposals can become a real competitive advantage as the buyer is looking to see if what the vendor is thinking is aligned to the buyer’s needs and organizational culture.  Prior to the RFP due date, I’ve seen and participated in a lot of back and forth with the buying organization to better understand the true intent of the buyer/contracting officer and establish a relationship.

A word of caution here, don’t simply dump boilerplate information, brochures and fancy advertisements in your RFP response to describe your approach.  This is not a high school or college lab assignment where the professor grades your paper based on its weight.   If you do, the buyer and contracting officer will probably knock points off your evaluation score . . . I would.

Having been on the receiving end of vendor RFP responses, nothing angers me more than having to wade through a ton of paper and pamphlets that do not support their approach and strategy.  Nowadays, contracting officers are putting statements into their RFP solicitations that discourage this sort of shotgun approach.  For example, a recent Florida RFP solicitation included the following discreet statement “The Department discourages lengthy Proposals.”  I even saw this statement in a California solicitation, “Due to limited storage space, the proposal package should be prepared using the least expensive method (i.e. cover page with staple in upper left-hand corner, no fancy bindings).” A major university in California went even further saying, “Elaborate bids in the form of brochures or other presentations beyond that necessary to present a complete and effective proposal are not desired.”  And for those who can’t read between the lines, that university went on to say “The bidders ability to follow the bid preparation instructions set forth in this solicitation will be considered an indicator of the bidder’s ability to follow instructions should they receive a contract award.” Get the hint?

Needless to say, if done right, RFPs take more time to: clearly define an aligned and prioritized need set; communicate that need to the competing vendors and allow them sufficient time to formulate an intelligent and innovative response; assess and select the best vendor; and conclude final negotiations.  Effective RFPs typically reflect the strategy and short/long term business objectives and provide insight that suppliers can use to enhance their proposals and shine brightly in the buyer’s eyes.

Request for Tender (RFT) is similar to the RFQ where the: work or commodity to be delivered is clearly defined/specified; price carries a high evaluation factor and there is not much room or need for alternative strategies or problem solving techniques. You may read that RFTs tend to be used more in the public sector but I’ve seen more solicitations labeled as RFQs than RFTs in that space.

—-

There are several more types of solicitations but we have covered the basics. Below is a list of the solicitation types I know about. Drop me a line if you find any others.

RFS – request for services
RFQ – request for quotation or request for qualifications
RFP – request for proposal
RFO – request for offers
RFN – request for negotiation
RFI – request for information
RFD – request for documentation
RFA – request for applications
ITV – invitation to vendors
ITT – invitation to tender
IFB – invitation for bids
EOI – expression of interest
