Bogus government tenders appear to be targeted at businesses listed on the national treasury\u2019s Central Supplier Database (CSD) because of a suspected leak within the publicly inaccessible database.<\/p>\n
This database is, as it claims, a \u201csingle source of key supplier information\u201d for organs of state. Businesses register on the CSD and can then be considered for government contracts.<\/p>\n
One business owner, who spoke to amaBhungane on condition of anonymity, explained that she only began to receive these bogus tenders when she applied to list her company on the database. She also fell for one such tender.<\/p>\n
Click on the Evidence docket for access to the website information we used in this story.<\/em><\/strong><\/p><\/blockquote>\n
On 8 April 2020, the department of health sent out an email to businesses about a new tender for industrial sanitiser machines \u2013 specifically, for the DX610M model.<\/p>\n
Prospective suppliers had six days to respond to the bid, which closed on 14 April.<\/p>\n
Typically, when responding to a tender, there should be sufficient generic information accompanying the description of the tender, so that individual businesses can meet almost all the requirements with their own products \u2013 in this case, a sanitiser machine.<\/p>\n
The business owner did a cursory investigation and concluded that the request for quotation (RFQ) seemed legitimate. She then responded to the request.<\/p>\n
One day after submitting her bid, the business owner received a call from a supply chain official, Tshepo Mokoena. He congratulated her on her successful bid application.<\/p>\n
Mokoena then asked her for the batch number on the product to check whether it would meet the requirements of the South African Bureau of Standards. \u201cThis seemed weird,\u201d the business owner said \u2013 because a batch number is only given after a product is manufactured.<\/p>\n
He then asked her if she was sourcing the sanitiser machines locally, explaining that she had a 90% chance of losing out on the bid if she did not do so. He promised to provide her with a list of local producers.<\/p>\n
In the end, he sent her the name and contact numbers of one company: Sanetex Hygiene.<\/p>\n
Sanetex Hygiene also appeared to be the only company, after a cursory Google search<\/a>, that could source the specific DX610M sanitiser machine for R7 500 per unit.<\/p>\n
To secure her bid, the business owner planned to order the machines from Sanetex Hygiene to supply the department of health. However, she was alarmed when she received a response from the Russian equivalent of a Gmail address \u2013 an unusual email account for a South African business.<\/p>\n
Phishing: Impersonating officials and what to do about it<\/h4>\n
Government departments have warned businesses against being fooled by email scams for some time. But the economic hardship from the coronavirus lockdown has increased the number of fraudulent emails circulating online.<\/p>\n
Even the World Health Organisation<\/a> has warned the public about fake emails sent in its name. The problem with the fake emails is that cybersecurity is not a priority. According to a 2018 report from cybersecurity leader Varonis, \u201c58% of companies have over 100 000 folders open to everyone, and 41% have over 1 000 sensitive files open to everyone\u201d.<\/p>\n
This means that if one person in the corporate ecosystem lacks the necessary security and opens a dodgy email or PDF document, they could affect the company\u2019s overall security.<\/p>\n
Over the last five years, the principal at Pienaar Consulting, Maria Pienaar, has found that companies have dramatically cut their IT and security budgets, which is a problem as it opens the company to increased cyber and phishing attacks because of more gaps in their security solutions.<\/p>\n
She explained that there needed to be more public awareness and education \u201clike what the banks and cellphone networks have done with the scam alerts\u201d, \u201cCybersecurity must be a priority from the board level down, with closer collaboration with the business side, finance department and IT,\u201d she explained.<\/p>\n
Investigating cybercrime has increasingly become a priority for the police and the Specialised Commercial Crimes Unit of the Hawks, which handles cybercrime and has trained over 3 000 members between 2017 and 2019.<\/p>\n
In the 2018\/19 financial year<\/a>, the Hawks successfully investigated 104 cyber-related cases out of a total of 130 complaints \u2013 almost all of them leading to convictions.<\/p>\n
In its annual report<\/a>, the National Prosecuting Authority noted the successful conviction of an IT specialist, who pleaded guilty to two counts of fraud and was sentenced to 10 years\u2019 imprisonment, three years of which were suspended.<\/p>\n
\u201cThe accused introduced, or caused to be introduced, or loaded into the company computer system a computer software which had the capacity to allow an unauthorised person to remotely access the company\u2019s user access codes, online bank account portal and users\u2019 online banking passwords,\u201d wrote the NPA.<\/p>\n
Then, in October 2016, someone accessed the company\u2019s accounts and stole R703 079. Although there has been an increase in training received by SAPS officials, Jacqueline Fick, a forensic investigator specialising in electronic fraud, believes that more needs to be done.<\/p>\n
According to Fick, the police do not have an accurate figure of the number of cybercrime cases because \u201cvictims do not report all these instances to the police\u201d. \u201cOr,\u201d she said, \u201cwhere the victim does report the crime, the docket is not opened.<\/p>\n
For example, a complainant is sent away, with police saying it is a commercial matter.\u201d _Gemma Ritchie<\/em> [\/sidebarContentStory]<\/p>\n
When Mokoena called the business owner the next day, she asked him about the Yandex email address. He hung up on her.<\/p>\n
Had the business owner followed through with the tender, she would have paid for non-existent machines for a non-existent tender from a fake department of health official.<\/p>\n
Several business owners say they have received RFQs for products ranging from geysers and wheelchairs to the electric cables required for trains used by the Passenger Rail Agency of South Africa. Such requests might have been appropriate if the businesses specialised in these products.<\/p>\n
Advocate Jacqueline Fick, a forensic investigator specialising in electronic fraud, told amaBhungane that because of the large ecosystem of departments connected to the database to verify suppliers\u2019 credentials, there were vulnerabilities in the system.<\/p>\n
This ecosystem includes the department of home affairs, the South African Revenue Service, company registrations that appear on the database of the Companies and Intellectual Property Commission, and government employees on the public service payroll system known as Persal.<\/p>\n
Maria Pienaar, principal at Pienaar Consulting and formerly the chief information officer at Cell C, said: \u201cWhen departments in organisations are disjointed, it creates opportunities for fraud. In the case of government departments, each government department is responsible for their own budgets and how they apply these standards in the systems they implement.<\/p>\n
\u201cThis leaves gaps for cyber fraud if there are not appropriate governance measures and audits in place to ensure compliance or if budgets are not appropriately applied to alleviate these risks.\u201d<\/p>\n
When asked for comment, national treasury said: \u201cThe system was checked and proofed against phishing and hacking before the volatile situation of Covid-19. This is done frequently to ensure that possible breaches are prevented.\u201d<\/p>\n
According to the treasury, there are more than 500\u00a0000 listed suppliers on the website and more than 700\u00a0000 registered users. More than 800 government departments and state-owned enterprises use the database to identify suppliers and check for compliance.<\/p>\n
With the marked decrease in face-to-face human interaction as a result of the outbreak of the coronavirus pandemic, the opportunity for fraudsters to take advantage of business owners will rise exponentially.<\/p>\n
So, what had the business owner missed?<\/p>\n
This bid had several dodgy elements to it: the urgency of the bid; the short timeframe that businesses had to respond to it; the monopoly of suppliers for the item; and the unusual government email address: healthsupplychain-za.org.<\/p>\n
When amaBhungane called the number listed on the email for comment and explained our intentions, the operator dropped the call.<\/p>\n
According to the CSD<\/a> website, fraudsters \u201csend a fictitious RFQ from what would seem to be a governmental email address and use a fake RFQ form with a logo and contact details of the contact person. These requests are usually \u2018urgent\u2019 and the whole process is concluded within a short period of time.\u201d<\/p>\n
In 2016, the department of health<\/a> complained of a high number of scammers using the following emails:<\/p>\n
\u2022 <\/span>@gautenghealth-gov.org.za
\n\u2022 <\/span>treasury-gov.org.za
\n\u2022 <\/span>ghd@gautenghealth-gov.org.za
\n\u2022 <\/span>mphumalang-gov.org.za
\n\u2022 <\/span>NDOH@nationalhealth
\n\u2022 <\/span>@dh.gov.co.za
\n\u2022 <\/span>gov.org.za
\n\u2022 <\/span>tebogomambolo@healths-gov.org.za
\n\u2022 <\/span>tenders@doh.za.orgdoh<\/p>\nThe official national department of health\u2019s emails end with \u201c@health.gov.za\u201d.<\/p>\n
To top it all, Sanetex Hygiene was not registered with the companies\u2019 registrar and its website was created a day before lockdown<\/a> was implemented. When amaBhungane phoned the business to ask about its company registration, the operator dropped the call.<\/p>\n
Sanetex Hygiene\u2019s website has since been taken down after the businesswoman reported it to its domain registry, but you can see a cached version of it here<\/a>, and a screenshot of the website here<\/a>.<\/p>\n
In August last year, the treasury advertised a tender for the maintenance of the database and awarded the contract to local IT firm Gijima for three years, starting from 1 April 2020. The contract is valued at over R42 million.<\/p>\n
According to the tender document, Gijima will not only be expected manage the database and prevent the duplication of suppliers, but in terms of cybersecurity, it will also be required to implement standardised electronic verification of supplier information to reduce fraud.<\/p>\n
In the meantime, the treasury has said that the key to avoid being scammed is for businesses to \u201creduce the number of sectors and commodities they register for, so that they recall these when the scam RFQ reaches them, that they are not registered for this particular item or commodity.<\/p>\n
Like this story? Be an amaB Supporter<\/a> <\/span>to help us do more. Sign up for our newsletter<\/a><\/span> to get more.<\/em><\/p>\n
\u201c[Businesses need to] make sure they do not deviate from the services or commodities they registered for on the CSD, as most [business owners] who fall for scams do.<\/p>\n
\u201c[They need to] be familiar with the institutions they do business with, and their mandates, amongst others. [They need to] protect their company information when sharing in what they refer to [as] \u2018networking sessions\u2019.\u201d<\/p>\n