NET RFQ: Request for Quote Scammers Casting Wide Net to Steal Real Goods

Medium
Published: Wed Jul 23 2025 (07/23/2025, 08:02:21 UTC)
Source: AlienVault OTX General

Description

This intelligence analysis examines a widespread Request for Quote (RFQ) scam that exploits Net financing options to steal high-value electronics and goods. The scammers pose as procurement agents for legitimate companies, using stolen information and lookalike domains to appear credible. They request quotes for specific items and inquire about Net 15/30/45-day financing. Once credit is approved, they provide shipping addresses, often using freight forwarding services or residential addresses. The scammers utilize a network of shipping services, warehouses, and money mules to facilitate their operations. Key characteristics of the scam include urgent financing requests, suspicious delivery addresses, and the use of free email accounts. Mitigation efforts included domain takedowns and intercepting fraudulent shipments.

AI-Powered Analysis

Last updated: 07/23/2025, 09:34:08 UTC

Technical Analysis

The NET RFQ scam is a sophisticated social engineering and business email compromise (BEC) campaign targeting companies that use Request for Quote (RFQ) processes combined with Net financing terms (Net 15/30/45 days). Attackers impersonate legitimate procurement agents by leveraging stolen corporate information and creating lookalike domains to appear credible. They initiate contact by requesting quotes for high-value electronics and other goods, often specifying urgent financing terms to pressure victims. Once the victim approves credit, the scammers provide shipping addresses that are often freight forwarding services or residential locations, enabling them to intercept or divert shipments. The operation is supported by a network of shipping services, warehouses, and money mules to facilitate the movement and monetization of stolen goods. Key indicators include urgent financing requests, suspicious delivery addresses, and the use of free email accounts rather than corporate emails. Mitigation efforts have included domain takedowns and interception of fraudulent shipments. The campaign exploits weaknesses in supply chain procurement processes and financial controls, combining social engineering with logistical fraud to steal physical goods rather than digital assets. This threat aligns with MITRE ATT&CK techniques such as business email compromise (T1566), supply chain compromise (T1583), domain spoofing (T1598), and use of freight forwarding (T1608). The campaign does not rely on software vulnerabilities but on procedural and human factors, making it a complex challenge for organizations relying on RFQ and Net payment terms.

Potential Impact

For European organizations, the impact of this scam can be significant, particularly for companies involved in electronics manufacturing, distribution, and retail sectors that frequently use RFQ processes and Net financing terms. Financially, organizations may suffer direct losses from stolen goods and fraudulent payments. Operational disruptions can occur due to inventory shortages and supply chain delays. Reputational damage is also a concern, especially if customers or partners are indirectly affected by the scam. The use of lookalike domains and stolen corporate information can lead to further phishing or fraud attempts. Additionally, the complexity of the scam involving freight forwarding and money mules complicates recovery efforts and legal recourse. European companies with less mature procurement verification and shipping validation processes are particularly vulnerable. The scam also poses risks to logistics providers and freight forwarders, who may unwittingly facilitate the theft. Overall, the threat undermines trust in supply chain and financing processes, which are critical for European businesses operating in competitive markets.

Mitigation Recommendations

European organizations should implement multi-layered controls to mitigate this threat beyond generic advice. Specific recommendations include:

1) Strengthen procurement verification by validating RFQ requests through direct known contacts rather than relying solely on email communications, especially when financing terms are requested.
2) Implement domain monitoring and alerting to detect lookalike or spoofed domains targeting the company.
3) Enforce strict controls on Net financing approvals, requiring multi-factor authentication and secondary approvals for new or unusual financing requests.
4) Validate shipping addresses rigorously, flagging freight forwarding and residential addresses for additional scrutiny, and coordinate with logistics providers to verify shipment legitimacy.
5) Educate procurement, finance, and logistics teams on the characteristics of this scam, including recognizing urgent financing requests and suspicious email origins.
6) Collaborate with law enforcement and industry groups to report and take down fraudulent domains and intercept shipments.
7) Use email authentication protocols (DMARC, SPF, DKIM) to reduce successful spoofing.
8) Conduct regular audits of RFQ and payment processes to detect anomalies.

These targeted measures address the human and procedural weaknesses exploited by the scam.
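A triage sketch for the indicators this analysis lists (free email senders, lookalike domains, Net-term and urgency language, unfamiliar ship-to addresses), added here as an example and not taken from the advisory or its source. The partner domains, addresses on file, free-mail list and distance threshold are constructed assumptions.

```python
import re

# Constructed sample data (assumptions): replace with your customer master records.
ADDRESSES_ON_FILE = {
    "northwindelectric.example": {"500 industrial way, dock 3"},
    "contoso-supply.example": {"1 harbor road"},
}
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
NET_TERMS = re.compile(r"\bnet[\s-]?(15|30|45)\b", re.I)
URGENCY = re.compile(r"\b(urgent(ly)?|asap|immediately)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def skeleton(domain):
    """Drop the TLD and hyphens, fold digit look-alikes (0->o, 1->l)."""
    label = domain.lower().rsplit(".", 1)[0]
    return label.replace("-", "").translate(str.maketrans("01", "ol"))

def lookalike_of(domain, max_distance=2):
    """Return the known domain that `domain` imitates, or None."""
    if domain in ADDRESSES_ON_FILE:
        return None
    for known in sorted(ADDRESSES_ON_FILE):
        if edit_distance(skeleton(domain), skeleton(known)) <= max_distance:
            return known
    return None

def triage_rfq(sender, body, ship_to=None):
    """Return the list of scam indicators present in one inbound RFQ."""
    domain = sender.rsplit("@", 1)[-1].lower()
    flags = []
    if domain in FREE_MAIL:
        flags.append("free-email-sender")
    target = lookalike_of(domain)
    if target:
        flags.append(f"lookalike-of:{target}")
    if NET_TERMS.search(body):
        flags.append("net-terms-requested")
    if URGENCY.search(body):
        flags.append("urgency")
    owner = target or domain
    if ship_to and " ".join(ship_to.lower().split()) not in ADDRESSES_ON_FILE.get(owner, set()):
        flags.append("ship-to-not-on-file")
    return flags
```

Any flag is a reason to confirm the request through a contact already on file before credit is approved; the flags prioritise review and are not a verdict on their own.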

Technical Details

Author: AlienVault
TLP: white
References: https://www.proofpoint.com/us/blog/threat-insight/net-rfq-request-quote-scammers-casting-wide-net-steal-real-goods
Adversary: null
Pulse Id: 6880970dcf6caa73c7a79b70
Threat Score: null

Indicators of Compromise

Domain


Threat ID: 6880a8b8ad5a09ad0023246d

Added to database: 7/23/2025, 9:17:44 AM

Last enriched: 7/23/2025, 9:34:08 AM

Last updated: 7/24/2025, 12:32:36 AM
