Given the rise in socially engineered Request for Quote (RFQ) campaigns, are we beginning to see similar levels of urgency and financial pressure placed on victims as we traditionally associate with Business Email Compromise (BEC), TOAD, or Squishing attacks?
Introduction
As cyber threats continue to evolve, attackers are constantly refining their tactics — not through more sophisticated code, but by mastering the art of exploiting human behavior and common business workflows. Social engineering remains a powerful weapon in their arsenal, enabling bad actors to manipulate employees into making costly mistakes. While familiar threats like Business Email Compromise (BEC), Telephone-Oriented Attack Delivery (TOAD), and Squishing attacks have long occupied the attention of security professionals, a newer, more subtle tactic is steadily gaining ground: socially engineered Request for Quote (RFQ) campaigns.
At first glance, RFQ-themed emails seem like routine procurement inquiries — a company seeking pricing details for a bulk order, a vendor requesting availability, or a buyer submitting a formal bid request. These messages often look legitimate, complete with corporate branding, specific part numbers, and professional language. But behind the polished facade lies a malicious intent: to gain the trust of the recipient, extract sensitive information, deliver malware-laced attachments, or set the stage for invoice fraud and financial theft.
What makes RFQ attacks particularly dangerous is their plausibility. Unlike generic phishing emails riddled with grammar issues or bizarre requests, these campaigns are tailored to mimic real business processes. They exploit the sense of urgency and responsiveness ingrained in sales and procurement teams — departments trained to act quickly on new business opportunities.
In this blog, we’ll break down how RFQ campaigns operate, what makes them so effective, and how they compare to other social engineering threats. Most importantly, we’ll explore whether these attacks represent the next major evolution in financially motivated cybercrime — and what organizations can do to defend against them.
How RFQ Campaigns Operate
RFQ-themed attacks are structured to blend seamlessly into the normal cadence of business communications — particularly those involving procurement, sales, or vendor management. Here’s how these attacks typically unfold:
Reconnaissance: Threat actors often begin by identifying target organizations and key personnel involved in procurement or sales. They may scrape public websites, LinkedIn, or vendor directories to gather names, job titles, and email formats.
Impersonation & Spoofing: Using lookalike domains or spoofed email addresses, attackers impersonate legitimate companies — often well-known brands or fictitious buyers — to lend credibility to their requests.
The Hook (Email): The attacker sends an email posing as a procurement officer or buyer requesting a quote on specific products or services. These emails may include detailed part numbers, quantities, or mock purchase orders to appear legitimate.
Attachment or Link Delivery: Many RFQ attacks include malicious attachments (PDFs, Excel sheets, or Word documents with macros) or links to phishing pages designed to steal credentials or initiate malware downloads.
Follow-Up & Escalation: In some cases, attackers escalate the interaction by requesting banking details, sending fake invoices, or initiating phone calls to pressure victims — blending elements of TOAD and BEC tactics.
Why RFQ Attacks Are So Effective
RFQ campaigns work because they exploit business norms and a natural sense of urgency. Unlike traditional phishing scams, these messages don’t rely on fear or alarm — they tap into opportunity and responsiveness:
Urgency Without Red Flags: Procurement inquiries often require fast turnaround. Sales teams, eager to win new business, may rush to respond without proper vetting — especially if the request appears legitimate and time-sensitive (e.g., “Please get back to me with a quote by EOD”).
Trust in Process: Many employees view quote requests as routine and non-threatening. Attackers use this familiarity to disarm recipients and bypass skepticism.
Tailored Content: RFQ emails often reference specific industries, products, or business terms relevant to the target, making them harder to distinguish from authentic inquiries.
Low Suspicion Targets: RFQ scams often target departments less trained in phishing detection — like sales, procurement, or administrative staff — who are more accustomed to external communications and less equipped to verify them.
Example: RFQ-Themed Phishing Email
From: procurement@globallogix-ltd.com
To: sales@yourcompany.com
Subject: Request for Quote – Urgent Bulk Order for HVAC Components
Date: March 4, 2025 9:42 AM EST
Dear Sales Team,
We are currently onboarding new suppliers for an urgent facility upgrade project in Q2 and came across your company via a recent vendor expo list.
Please find attached our RFQ (PDF) detailing part numbers and quantities for the following HVAC components:
– Model 2140 Thermostatic Expansion Valves
– Dual-stage Pressure Switches
– Copper Fittings (3/8″, 5/8″)
Kindly provide a quote by Wednesday, March 5, 2025 at 3:00 PM EST, as our purchasing deadline is extremely tight.
We prefer vendors who accept ACH or wire payment terms and can ship within 10 business days.
Attached: GlobalLogix_RFQ_March2025.pdf
We look forward to your prompt response.
Best regards,
Natalie Gomez
Procurement Manager
Global Logix Ltd.
procurement@globallogix-ltd.com
www.globallogix-ltd.com
+1 (312) 555-1934
What Makes This Dangerous
Professional Language & Branding: The tone, terminology and lookalike domain add legitimacy.
Urgency Framing: A next-day 3 PM EST deadline pressures the recipient to act quickly rather than verify.
Targeted Context: The request includes industry-relevant parts, implying research.
Malicious Attachment: The PDF may carry an embedded payload or a link to a credential-harvesting page; even a clean decoy PDF establishes the pretext for a later request for banking details.
How to Spot Fake RFQ Campaigns
Although RFQ-themed phishing emails are crafted to appear legitimate, there are subtle tells and inconsistencies that security-aware employees can use to spot them before damage is done. Below are key indicators to look for:
1. Domain and Email Address Inconsistencies
Check whether the sender's domain is a slight variation on a company you actually deal with (e.g., globallogix-ltd.com standing in for a real partner's globallogix.com). Attackers register these lookalikes themselves, so the mail often passes SPF and DKIM.
Be cautious when a free email provider (e.g., Gmail or Outlook.com) is used for a formal procurement request, or appears only in the Reply-To address.
Compare the Reply-To address with the From address, and hover over links to see the real destination before clicking.
2. Suspicious Attachments or Links
PDF or Excel attachments may contain embedded malware or lead to credential phishing portals.
Unexpected RFQs that require “click to view secure content” or macros should be flagged and reported.
Never enable editing or macros unless verified through trusted channels.
3. Unusual Urgency and Pressure Tactics
“Need quote by COB today” or similar urgent phrases are common manipulation tactics.
Legitimate procurement processes rarely require such short deadlines, especially for new vendors.
4. Requests for Sensitive or Financial Data
Be wary of any RFQ that quickly pivots into asking for banking details, W-9 forms, or payment instructions.
These are often precursors to invoice fraud or BEC-style payment redirection.
5. Industry Mismatch or Contextual Errors
Review the RFQ content for mismatches with your company’s offerings (e.g., asking an IT firm for HVAC parts).
Generic language or cut-and-paste tables from unrelated industries are signs of mass-targeted attacks.
6. No Prior Contact or Business Relationship
A cold inbound RFQ from a company you’ve never engaged with should always raise flags.
Perform due diligence: verify the company, look up the contact, and check the legitimacy of the website and contact info independently.
Bonus: Technical Clues for Security Teams
Check the Authentication-Results header for SPF/DKIM/DMARC failures or anomalies, remembering that a lookalike domain the attacker registered will usually pass all three; in that case the tell is the domain itself, not the authentication result.
Detonate attachments in a sandbox and record the file hash so the same attachment can be searched for across the mail logs.
Look for patterns in mail logs — similar RFQ emails sent to multiple users may indicate a widespread campaign.
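The indicators in sections 1 and 2 and in the Bonus list above can be checked mechanically at the gateway or in a SOC triage script. The following Python is an added example, not code from the original post or from Poole Technology Solutions: it parses a raw message with the standard library, reads the Authentication-Results header, compares From with Reply-To, flags a sender domain that imitates a known partner, notes attachment types and urgency phrases, and returns a verdict. The partner list, the severity weights, the suffix-stripping heuristic and both sample messages (one modelled on the lure above, one from a known partner) are assumptions for illustration.

```python
"""Triage an inbound RFQ-themed email for the tells listed above. Added example, not
Poole Technology Solutions' tooling; partner list, weights and samples are assumptions."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

KNOWN_PARTNER_DOMAINS = {"globallogix.com", "acme-hvac.com"}  # assumed prior relationships
RISKY_EXTENSIONS = {".xlsm", ".docm", ".xls", ".doc", ".iso", ".img", ".zip", ".js", ".vbs", ".lnk", ".html"}
SANDBOX_EXTENSIONS = {".pdf", ".xlsx", ".docx"}  # not malicious as such; detonate before release
URGENCY_PATTERNS = [r"\burgent\b", r"\bby (?:eod|cob|end of day|close of business)\b",
                    r"\bby (?:mon|tues|wednes|thurs|fri|satur|sun)day\b",
                    r"\bdeadline is (?:extremely |very )?tight\b"]

def domain_of(header_value):
    """Mailbox domain from a From/Reply-To value, lower-cased ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def brand_stem(domain):
    """Left-most label minus a hyphenated company suffix, so 'globallogix-ltd.com' and
    'globallogix.com' both give 'globallogix'. Crude on purpose; production code would
    add edit distance and homoglyph normalization."""
    return re.sub(r"[-_](?:ltd|llc|inc|corp|co|group)$", "", domain.split(".")[0])

def lookalike_of(domain):
    """Known partner domain that an unknown sender domain imitates, or None."""
    if not domain or domain in KNOWN_PARTNER_DOMAINS:
        return None
    return next((k for k in KNOWN_PARTNER_DOMAINS if brand_stem(k) == brand_stem(domain)), None)

def auth_results(msg):
    """Authentication-Results -> e.g. {'spf': 'pass', 'dkim': 'none', 'dmarc': 'none'}."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            results[method.lower()] = result.lower()
    return results

def triage(raw_message):
    """Return (verdict, findings); findings is a list of (severity, text) tuples."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domain, reply_domain = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(("high", f"Reply-To domain {reply_domain} differs from From domain {from_domain}"))
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(("high", f"sender domain {from_domain} resembles known partner {imitated}"))
    elif from_domain not in KNOWN_PARTNER_DOMAINS:
        findings.append(("medium", f"no prior relationship with {from_domain}"))
    auth = auth_results(msg)
    # An attacker-owned lookalike domain usually passes SPF, so a non-pass here is weak evidence alone.
    for method in ("spf", "dkim", "dmarc"):
        result = auth.get(method, "missing")
        if result != "pass":
            findings.append(("high" if result == "fail" else "low", f"{method} result: {result}"))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(("high", f"risky attachment type: {name}"))
        elif ext in SANDBOX_EXTENSIONS:
            findings.append(("low", f"attachment to detonate in sandbox: {name}"))
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    hits = [m.group(0) for p in URGENCY_PATTERNS for m in re.finditer(p, text, re.I)]
    if hits:
        findings.append(("medium", "urgency framing: " + ", ".join(hits)))
    levels = {s for s, _ in findings}
    verdict = "quarantine" if "high" in levels else "analyst_review" if "medium" in levels else "deliver"
    return verdict, findings

def build_message(sender, subject, auth, body, filename, reply_to=None):
    """Assemble a raw RFC 5322 message; used only to construct the two samples below."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "sales@yourcompany.com", subject
    if reply_to:
        m["Reply-To"] = reply_to
    m["Authentication-Results"] = "mx.yourcompany.com; " + auth
    m.set_content(body)
    m.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf", filename=filename)
    return m.as_string()

# Constructed lure modelled on the blog's example: attacker-registered lookalike domain (so SPF
# passes), free-mail Reply-To, urgency framing, PDF attachment.
SAMPLE_LURE = build_message(
    "Natalie Gomez <procurement@globallogix-ltd.com>",
    "Request for Quote - Urgent Bulk Order for HVAC Components",
    "spf=pass smtp.mailfrom=globallogix-ltd.com; dkim=none; dmarc=none header.from=globallogix-ltd.com",
    "Kindly provide a quote by Wednesday at 3:00 PM EST,\nas our purchasing deadline is extremely tight.",
    "GlobalLogix_RFQ_March2025.pdf", reply_to="natalie.gomez.procurement@gmail.com")
# Constructed message from a known partner that authenticates cleanly.
SAMPLE_LEGIT = build_message(
    "Purchasing <purchasing@globallogix.com>", "RFQ 2025-0310: replacement fittings for Building C",
    "spf=pass smtp.mailfrom=globallogix.com; dkim=pass header.d=globallogix.com; dmarc=pass header.from=globallogix.com",
    "Please quote the attached line items at your convenience.", "RFQ-2025-0310.pdf")
```

Note what the lure sample shows: SPF passes, because the attacker owns globallogix-ltd.com and published a record for it. The quarantine verdict comes from the lookalike match and the free-mail Reply-To, not from authentication, which is why independent verification of the company matters more than header results for this campaign type.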
How RFQ Campaigns Compare to Other Social Engineering Threats
Request for Quote (RFQ) phishing campaigns share DNA with other well-known social engineering tactics — but they also introduce new challenges that make them uniquely deceptive. Understanding how they stack up against tactics like BEC, TOAD, and Squishing attacks can help security teams prioritize detection and training efforts.
RFQ vs. Business Email Compromise (BEC)
Similarity: Both rely heavily on impersonation and trust, often targeting finance or procurement teams to manipulate payments.
Difference:
BEC attacks typically impersonate internal executives or known vendors in ongoing business conversations.
RFQ campaigns, by contrast, introduce fictitious new business opportunities, playing on eagerness to secure deals — particularly for sales or vendor onboarding personnel.
BEC attacks usually escalate over multiple emails; RFQ attacks often deliver the payload in the initial contact.
RFQ vs. TOAD (Telephone-Oriented Attack Delivery)
Similarity: Both tactics blend channels — email with follow-up via phone — to pressure and confuse victims.
Difference:
TOAD attacks rely on live human interaction to extract credentials or persuade users into installing remote access software.
RFQ scams usually keep communication asynchronous and focus on malicious attachments or phishing links.
RFQ attacks may escalate to phone contact, but typically begin and operate primarily via email.
RFQ vs. Squishing Attacks (Smishing + QR Codes; QR-code phishing is also widely called quishing)
Similarity: Both are low on technical exploitation and high on social engineering, manipulating trust and urgency.
Difference:
Squishing attacks leverage mobile devices and often use QR codes to redirect users to phishing pages.
RFQ campaigns are rooted in desktop business workflows and exploit the email attachment model, not SMS or QR tactics.
What Makes RFQ Attacks Stand Out
Business-Normal Language: Unlike most phishing lures, RFQ emails don’t rely on fear (account lockout, overdue invoices) — they appear like real business opportunities.
Departmental Blind Spots: These attacks often bypass finance and IT and target sales or vendor teams, who are less conditioned to spot threats.
First-Touch Impact: The RFQ itself is the pretext, so the first message can already carry the payload; no extended back-and-forth is needed before the recipient opens the attachment or clicks the link.
Defending Against RFQ-Themed Social Engineering Attacks
Stopping socially engineered RFQ campaigns requires a multi-layered approach that combines technical controls, user education, and incident response preparedness. Here’s how organizations can proactively protect themselves:
1. Awareness and User Education
Train frontline teams: Sales, vendor onboarding, and procurement staff should receive targeted phishing awareness training — not just IT or finance.
Use realistic RFQ phishing simulations to test recognition and reporting.
Promote a “pause and verify” culture: employees should always double-check unexpected requests through independent channels.
2. Technical Controls
Email Security Solutions:
Leverage advanced threat protection (ATP) to scan attachments and links in real time.
Enforce email authentication (SPF, DKIM and DMARC) on inbound mail, and publish a DMARC policy of p=reject for your own domains so they cannot be spoofed against your customers. Note the limit: authentication only proves that mail came from the domain it names. An attacker-registered lookalike domain with its own SPF and DKIM records passes cleanly, so lookalike detection and sender-reputation checks are needed alongside it.
Attachment Sandboxing: Automatically detonate attachments in a sandbox to detect hidden malware or scripts.
URL Rewriting & Detonation: Rewrite URLs in inbound emails and inspect destination pages before delivery.
3. Incident Response Playbooks
Create specific playbooks for RFQ-style phishing, especially for teams outside of security.
Include steps for:
Quarantine and investigation of reported emails.
Communicating alerts to other potential recipients.
Engagement with legal, procurement, or vendors if data or credentials were shared.
Integrate SOAR (Security Orchestration, Automation, and Response) tools to contain similar messages across the environment when an attack is detected.
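The mail-log clue from the Bonus list above (similar RFQ emails sent to multiple users) and the SOAR containment step come down to the same pivot: from one reported message, find every other copy the gateway saw. The following Python is an added example, not Poole Technology Solutions' tooling: it parses a constructed gateway log format (a real gateway's fields will differ), clusters events by sender domain, normalized subject and attachment hash, reports clusters that fanned out to several mailboxes, and turns a single reported attachment hash into a containment plan (mailboxes to purge, copies already held, sender domains to block, users to notify). The log lines, recipients and hashes are constructed for the example.

```python
"""Cluster mail-gateway log lines into RFQ campaigns and derive a containment plan.
Added example, not Poole Technology Solutions' tooling; the log format and the
sample lines are constructed for illustration (a real gateway's fields will differ)."""
import re
from collections import defaultdict

LOG_LINE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) subject="(?P<subject>[^"]*)" '
    r'attach_sha256=(?P<sha>\S+) action=(?P<action>\S+)$')

# Constructed sample: one lure fanned out to three mailboxes with per-recipient RFQ
# numbers, plus ordinary quote requests from known partners that must not be touched.
SAMPLE_LOG = """\
2025-03-04T09:42:10Z from=procurement@globallogix-ltd.com to=sales@yourcompany.com subject="Request for Quote - Urgent Bulk Order for HVAC Components" attach_sha256=aa11 action=delivered
2025-03-04T09:42:12Z from=procurement@globallogix-ltd.com to=j.lee@yourcompany.com subject="Request for Quote #4471 - Urgent Bulk Order for HVAC Components" attach_sha256=aa11 action=delivered
2025-03-04T09:42:15Z from=procurement@globallogix-ltd.com to=m.patel@yourcompany.com subject="Request for Quote #4472 - Urgent Bulk Order for HVAC Components" attach_sha256=aa11 action=quarantined
2025-03-04T09:43:01Z from=purchasing@globallogix.com to=sales@yourcompany.com subject="RFQ 2025-0310: replacement fittings for Building C" attach_sha256=bb22 action=delivered
2025-03-04T10:05:44Z from=buyer@acme-hvac.com to=sales@yourcompany.com subject="Quote request - copper fittings" attach_sha256=cc33 action=delivered
2025-03-04T10:07:30Z from=buyer@acme-hvac.com to=orders@yourcompany.com subject="Quote request - copper fittings" attach_sha256=cc33 action=delivered
"""

def normalize_subject(subject):
    """Keep letters only, so 'Request for Quote #4471 - ...' and '... #4472 - ...' cluster."""
    return " ".join(re.sub(r"[^a-z\s]", " ", subject.lower()).split())

def parse_log(lines):
    """Parse gateway lines into dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["sender_domain"] = e["sender"].rsplit("@", 1)[-1].lower()
            events.append(e)
    return events

def cluster(events):
    """Group events by (sender domain, normalized subject, attachment hash)."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["sender_domain"], normalize_subject(e["subject"]), e["sha"])].append(e)
    return groups

def find_campaigns(lines, min_recipients=3):
    """Clusters that reached at least min_recipients distinct mailboxes."""
    campaigns = []
    for (domain, subject, sha), events in cluster(parse_log(lines)).items():
        rcpts = sorted({e["rcpt"] for e in events})
        if len(rcpts) >= min_recipients:
            campaigns.append({"sender_domain": domain, "subject_pattern": subject,
                              "attach_sha256": sha, "recipients": rcpts,
                              "first_seen": min(e["ts"] for e in events)})
    return campaigns

def containment_plan(lines, reported_sha):
    """Pivot from one user-reported message (its attachment hash) to every copy in the
    environment: what a SOAR playbook should purge, what is already held, what to block."""
    hits = [e for e in parse_log(lines) if e["sha"] == reported_sha]
    if not hits:
        return None
    return {
        "block_sender_domains": sorted({e["sender_domain"] for e in hits}),
        "purge_from_mailboxes": sorted({e["rcpt"] for e in hits if e["action"] == "delivered"}),
        "already_quarantined": sorted({e["rcpt"] for e in hits if e["action"] != "delivered"}),
        "notify_users": sorted({e["rcpt"] for e in hits}),
    }

if __name__ == "__main__":
    for c in find_campaigns(SAMPLE_LOG.splitlines()):
        print("campaign:", c)
    print("plan:", containment_plan(SAMPLE_LOG.splitlines(), "aa11"))
```

Clustering on the attachment hash rather than the subject alone matters because the attacker varies the RFQ number per recipient; the normalized subject catches that variation, and the hash catches a re-titled copy. The two partner clusters stay below the threshold and are left alone, which is the behaviour you want before a playbook starts purging mail automatically.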
How Poole Technology Solutions Can Help
At Poole Technology Solutions, LLC, we understand that modern cyber threats don’t just target infrastructure — they target human behavior and workflow familiarity.
We offer:
Phishing Simulation and Awareness Programs tailored to sales, vendor, and procurement teams.
Email Threat Assessment to identify gaps in your mail hygiene, authentication, and attachment handling.
Custom Response Playbooks and tabletop exercises focused on modern social engineering scenarios, including RFQ attacks.
Technical Implementation of email security controls, sandboxing, and detection tools that reduce your exposure.
Whether you’re a growing business or an enterprise-level organization, we equip your teams with the awareness, tools, and response readiness to stop socially engineered threats before they cause damage.
Final call to action
As cybercriminals continue to evolve their tactics, socially engineered RFQ campaigns stand out as a growing threat that preys on trust, process familiarity, and urgency — without needing complex malware or system vulnerabilities. These attacks represent a convergence of traditional phishing and business process manipulation, often bypassing typical security training and targeting less-suspecting departments.
The key takeaway: every employee is part of the security perimeter, not just those in IT or finance. By increasing awareness, implementing strong technical controls, and having a practiced incident response playbook in place, organizations can effectively mitigate the risk of RFQ-themed attacks and other emerging social engineering threats.
Let’s Talk About Securing Your Business
Poole Technology Solutions specializes in helping organizations stay ahead of evolving cyber threats like RFQ phishing campaigns. From email threat assessments and awareness training to incident response planning, we deliver tailored cybersecurity services that strengthen your frontline defenses.
Ready to take a proactive approach? Contact us at info@pooletechsol.com to schedule a consultation or request an RFQ phishing risk assessment.