RFQ fraud is a social engineering pattern where an attacker poses as a prospective customer requesting a quote, pricing, or product details. It exploits teams that are incentivised to respond quickly to new inbound business, turning sales responsiveness into a control weakness.
Expanded Definition
RFQ fraud is a deceptive inbound-sales tactic in which an attacker impersonates a legitimate buyer and requests pricing, product specifications, or quotation documents to build trust and extract value. In NHI security, the pattern matters because it can be used to map exposed systems, collect contact paths, and steer staff toward unsafe sharing of files, links, or account details. Definitions vary across vendors on whether RFQ fraud is treated as pure social engineering or as a precursor to broader business email compromise, but the operational risk is consistent: the request looks commercially routine while the attacker is gathering intelligence. For governance purposes, it sits at the intersection of sales process abuse, identity verification failure, and information disclosure risk. The most common misapplication is treating every inbound quote request as low-risk because it arrives through a normal business channel, which occurs when teams prioritise speed over verification.
For broader identity context, NHI programs should treat RFQ interactions as a potential trust boundary, especially when requests lead to attachments, portals, or demo access. Guidance in the NIST Cybersecurity Framework 2.0 supports this kind of risk-aware handling by tying external communications to governed access and response processes.
Examples and Use Cases
Implementing RFQ screening rigorously often introduces friction in the first response to new business, requiring organisations to weigh conversion speed against the cost of extra verification.
- A requester asks for enterprise pricing and a product comparison sheet, then uses the follow-up to push for a shared folder or portal invite that exposes internal documents.
- A fake procurement contact requests a quote and technical integration details, then repurposes the information to craft a more convincing follow-on lure for engineering or support teams.
- A sales team receives an RFQ from a company name that appears legitimate, but the sender domain is newly registered and the contact details do not match public records.
- An attacker uses the RFQ thread to request a sample API key or demo credentials under the pretext of validating a deployment path, which can expose Ultimate Guide to NHIs concerns around credential handling and account sprawl.
- A quoting workflow redirects the prospect into a self-service onboarding form, where weak validation allows an attacker to obtain access to non-human identities or downstream automation accounts.
Where formal response rules exist, teams should validate company identity, verify request legitimacy through independent channels, and avoid attaching sensitive operational details to an unconfirmed buyer. The same discipline aligns with identity and access expectations described in NIST Cybersecurity Framework 2.0.
Why It Matters in NHI Security
RFQ fraud is not just a sales problem because the attacker’s objective often extends to account discovery, trust exploitation, and access-path mapping. Once a team responds with product files, sandbox access, quote portals, or integration instructions, the attacker can learn where secrets live, which workflows are automated, and which identities are reachable through external channels. That matters in NHI security because non-human identities frequently sit behind business processes that were designed for convenience rather than assurance. NHIMG research shows that 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, which means a single convincing RFQ can become the first step toward broader compromise. The same risk logic is covered in the Ultimate Guide to NHIs, where governance, visibility, and secret handling are treated as core control concerns.
When RFQ fraud succeeds, the damage often becomes visible only after a suspicious quote thread is linked to an account takeover, leaked credentials, or unauthorised access to a partner workflow, at which point RFQ fraud becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | RFQ fraud can expose secrets and access paths through unsafe response workflows. |
| NIST CSF 2.0 | PR.AC-4 | RFQ fraud exploits weak external identity validation before access or data sharing. |
| NIST Zero Trust (SP 800-207) | Zero Trust requires explicit verification even when a request arrives through a normal business channel. |
Classify quote-response workflows as trust boundaries and block secret disclosure in inbound sales handling.
Related resources from NHI Mgmt Group
- What is the difference between account takeover and new account fraud?
- Who is accountable when a SoD conflict leads to fraud or compliance failure?
- Why do conflicting access rights increase fraud risk more than broad access alone?
- Why do ecommerce AI agents complicate fraud detection and access governance?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 27, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
