Scam Alert – Fake DCS RFQ for “ATV600E Wool Blankets

Here’s the **

## **Scam Alert – Fake DCS RFQ for “ATV600E Wool Blankets”**

This report details a fraudulent procurement request distributed under the name of the **Department of Correctional Services (DCS)**, allegedly sent by “Alice Nkosi” from the email address **[Alice.Nkosi@dcs.gov.za](mailto:Alice.Nkosi@dcs.gov.za)**.

While the domain **@dcs.gov.za** may appear legitimate at first glance, the email itself shows multiple indicators of a **spoofing attack** or **compromised mailbox scam**, where cybercriminals forge or hack real government addresses to trick suppliers into delivering goods to fraudulent locations.

The fake RFQ in this case concerns the “High-Priority” supply of **ATV600E wool blankets** — a common type of item targeted in DCS procurement scams.

---

### **Summary of the RFQ**

The fraudulent message includes:

* **Claimed Sender:** Alice Nkosi

* **Claimed Department:** Department of Correctional Services (DCS)

* **Email Address:** [Alice.Nkosi@dcs.gov.za](mailto:Alice.Nkosi@dcs.gov.za)

* **Message Subject:** HIGH-PRIORITY DCS SUPPLY OF ATV600E WOOL BLANKETS Needed

* **Product:** ATV600E wool blankets (quantity unspecified in initial message)

* **Urgency:** Marketed as “high-priority” with short submission deadlines

The content typically urges suppliers to submit a quotation immediately, often implying that failure to respond quickly may result in losing the opportunity.

---

### **How the Scam Works**

This case follows the same **procurement diversion scam** pattern seen in multiple other DCS fake RFQs:

1. **Initial RFQ Distribution**

   The scammer emails numerous suppliers, using either a spoofed government domain or a hacked mailbox, to give the illusion of legitimacy.

2. **Quotation Collection**

   The scammer requests quotes for common goods like blankets, uniforms, or food supplies — items easy to resell.

3. **Fake Purchase Order Issuance**

   Once a supplier responds, a forged DCS purchase order is issued. It will look authentic, using copied letterheads and reference numbers.

4. **Delivery Address Diversion**

   The PO specifies delivery to a location controlled by the scammer (warehouse, private address, or unmarked facility), not an official DCS site.

5. **Goods Collection and Disappearance**

   After the goods are delivered, the scammer collects them, resells them, and disappears without payment.

In some variations, scammers may request an upfront “vendor registration fee” to be paid before the order is processed.

---

### **Why the Email Address Is Tricky**

Unlike scams using obviously fake domains like **@dcs-govbids.online**, this one uses **@dcs.gov.za**, which is the genuine DCS domain.

That raises two possibilities:

* **Spoofed Header:** The email looks like it came from [Alice.Nkosi@dcs.gov.za](mailto:Alice.Nkosi@dcs.gov.za), but the underlying mail server and sending IP are from a different source.

* **Compromised Account:** A real DCS mailbox was hacked and is being used to send out scam RFQs.

In both cases, the presence of the correct domain name does **not** confirm authenticity.

---

### **Red Flags in This Case**

* **Unsolicited Request**

  The RFQ was sent without the supplier having registered on an official DCS supplier database.

* **High Urgency**

  The “high-priority” label is designed to rush the recipient into acting without proper checks.

* **Common Resale Item**

  Wool blankets are easy to sell for cash, making them attractive to scammers.

* **Delivery Address Mismatch**

  In similar scams, the delivery location is not an official DCS facility listed on their website.

* **No Tender Listing**

  The RFQ number or request is not listed on the official eTender portal or DCS procurement notices.

---

### **Risks to Suppliers**

* **Loss of Stock** — Blankets delivered to a scam address will not be paid for.

* **Financial Loss** — Any upfront fees paid will be unrecoverable.

* **Data Breach** — Company documents and pricing could be reused for further scams.

* **Reputation Damage** — Association with a fraudulent transaction can harm trust with legitimate government buyers.

---

### **How to Verify This RFQ**

1. **Check the eTender Portal**

   Search for the RFQ number or product description at **[www.etenders.gov.za](http://www.etenders.gov.za)**.

2. **Confirm with DCS Procurement**

   Call the DCS supply chain department using the official number on **[www.dcs.gov.za](http://www.dcs.gov.za)** — do not use the number in the suspicious email.

3. **Inspect the Delivery Location**

   Verify that the address provided in the PO is an official DCS correctional centre or warehouse.

4. **Check Email Header Data**

   If possible, review the “Received from” IP address in the email header to confirm it originates from a government mail server.

5. **Refuse Any Prepayment Requests**

   Legitimate tenders do not require suppliers to pay any fees before orders are processed.

---

### **Recommendations**

If you receive this RFQ or one like it:

* **Do not send a quotation or goods** until legitimacy is confirmed.

* **Report the email** to DCS IT security and the **SAPS Commercial Crimes Unit**.

* **Warn your supplier network** to prevent further victims.

* **Keep copies** of all correspondence for investigative purposes.

---

The **HIGH-PRIORITY DCS SUPPLY OF ATV600E WOOL BLANKETS** RFQ sent from **[Alice.Nkosi@dcs.gov.za](mailto:Alice.Nkosi@dcs.gov.za)** is highly suspicious and fits the profile of an **RFQ procurement scam**.

Even though the domain looks official, the risks of email spoofing and account compromise make it essential to verify every request through official channels before committing resources.

Suppliers should remain cautious, confirm all details directly with the department, and avoid rushing into transactions based solely on email instructions.