Purchase order fraud occurs when a scammer contacts a vendor and impersonates a legitimate customer. While posing as the representative of a legitimate organization, the scammer requests a quote and orders large quantities of a product, such as flash drives or mugs. The vendor ships the product to the fake company and bills the legitimate institution. Unfortunately, by the time the fraud is discovered it is too late, and the vendor must absorb the loss.
From time to time, vendors caught in these scams will report that someone has been impersonating Fordham University. The signs would be obvious to a Fordham employee, but could trick a vendor:
- The email sender does not use an official @fordham.edu email address or uses a spoofed mailing address.
- Email correspondence has poor grammar, spelling, and sentence structure.
- The caller or sender claims to be an employee who is no longer associated with the University.
- Item descriptions are sparse, and the order asks for all items without the organization's logo.
- Phone numbers in the email are not associated with the University.
- The payment method has changed without prior notification, for example a sudden switch from physical checks to electronic payment.
- The shipping address on the purchase order is not Fordham University’s address or a property associated with Fordham.
- It is recommended to cross-reference the request against information noted on past orders to spot suspicious discrepancies.
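The cross-referencing recommended in the list above can be scripted on the vendor side. The following is an added example, not code from Fordham or any vendor; the record layout, field names and sample values are constructed, and the Reply-To check is an added assumption.

```python
from email import message_from_string
from email.utils import parseaddr

OFFICIAL_DOMAIN = "fordham.edu"  # official domain named in the list above

def addr_domain(header_value):
    """Domain of the actual address in a header, ignoring the display name."""
    _, addr = parseaddr(header_value or "")
    _, at, domain = addr.rpartition("@")
    return domain.lower() if at else ""  # no "@" means no usable address

def normalize(text):
    """Compare fields without regard to case, commas or spacing."""
    return " ".join(text.lower().replace(",", " ").split())

def review_order(raw_email, order, on_file):
    """Return the red flags found in a purchase-order email.

    order: fields from the incoming request; on_file: the same fields as
    recorded on the customer's past orders (hypothetical record layout).
    """
    msg = message_from_string(raw_email)
    flags = []
    if addr_domain(msg["From"]) != OFFICIAL_DOMAIN:
        flags.append("sender is not an @fordham.edu address")
    # Assumption added here: a Reply-To outside the domain is also flagged.
    if msg["Reply-To"] and addr_domain(msg["Reply-To"]) != OFFICIAL_DOMAIN:
        flags.append("replies go to a non-university address")
    for field in ("ship_to", "phone", "payment_method"):
        if normalize(order[field]) != normalize(on_file[field]):
            flags.append(f"{field} differs from past orders")
    return flags

# Constructed sample data; none of these values are real.
SAMPLE_EMAIL = (
    'From: "Fordham University Purchasing" <orders@fordham-edu.example>\n'
    "Reply-To: orders@fordham-edu.example\n"
    "Subject: Request for quotation\n\n"
    "Kindly send quote for 500 flash drives without logo.\n"
)
ON_FILE = {"ship_to": "100 Example Ave, Receiving Dock", "phone": "555-0199",
           "payment_method": "check"}
ORDER = {"ship_to": "742 Sample St Unit 9", "phone": "555-0142",
         "payment_method": "electronic payment"}

if __name__ == "__main__":
    for flag in review_order(SAMPLE_EMAIL, ORDER, ON_FILE):
        print("RED FLAG:", flag)
```

The domain comparison is an exact match on the address inside the angle brackets, so a display name that mentions the University or a lookalike domain does not pass.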
As Fordham IT can only monitor email addresses and users within our domain, we cannot detect or prevent this activity.
If your department has been contacted by a vendor reporting this kind of activity, this is the appropriate response:
We understand that your company has been targeted by a fraudulent company issuing a request for quotation under the false pretense of being a part of Fordham University. Please note that Fordham University is in no way associated with this request. We request that your IT department report this email to a spam reporting or blacklisting service such as the Anti-Phishing Working Group: