One business owner responded to a fake tender from what she thought was the Department of Health.
On 8 April 2020, the Department of Health sent out an email to businesses about a new tender for industrial sanitiser machines – specifically for the DX610M model.
According to the email, prospective suppliers had six days to respond to the bid, which closed on 14 April.
One business owner, who asked to remain anonymous, told amaBhungane that she received the email, and others like this, after listing her company on the national Treasury’s Central Supplier Database (CSD).
This database is supposed to be a “single source of key supplier information” for organs of state. After registering on the CSD, businesses can then be considered for government contracts.
The business owner said that, typically, when responding to a tender, there should be sufficient generic information accompanying the description of the tender, so that individual businesses can meet almost all the requirements with their own products – in this case, a sanitiser machine.
She did a cursory investigation and concluded that the request for quotation (RFQ) seemed legitimate, and responded to it.
A day after submitting the bid, she received a call from a supply chain official, Tshepo Mokoena, congratulating her on her successful bid application. He then asked her for the batch number on the product to check whether it would meet the requirements of the South African Bureau of Standards. “This seemed weird,” the business owner said, because a batch number is only given after a product is manufactured.
Tshepo then asked her if she was sourcing the sanitiser machines locally, explaining that she had a 90 percent chance of losing out on the bid if she did not do so. He promised to provide her with a list of local producers. He sent her the name and contact numbers of Sanetex Hygiene, which, after a Google search, seemed to be the only company that could source the specific sanitiser machine for R7,500 per unit.
To secure the bid, the business owner planned to order the machines from this company to supply the Department of Health. However, she was alarmed when she received a response from the Russian equivalent of a Gmail address, which is unusual for a South African business.
When Tshepo called the business owner the next day, she asked him about the Yandex email address. He hung up on her.
She realised that, had she followed through with the tender, she would have paid for non-existent machines for a non-existent tender from a fake Department of Health official.
Advocate Jacqueline Fick, a forensic investigator specialising in electronic fraud, told amaBhungane that because of the large ecosystem of departments connected to the database to verify suppliers’ credentials, there were vulnerabilities in the system.
According to the Treasury, there are more than 500,000 listed suppliers on the website and more than 700,000 registered users. More than 800 government departments and state-owned enterprises use the database to identify suppliers and check for compliance.
The CSD website states that fraudsters “send a fictitious RFQ from what would seem to be a governmental email address and use a fake RFQ form with a logo and contact details of the contact person. These requests are usually ‘urgent’ and the whole process is concluded within a short period of time.” These were all signs that the business owner missed.