SAM Scams: Protect Your Company

Recently, there has been a significant increase in scams targeting users of the System for Award Management (SAM.gov).  Active SAM registrations are required for federal government contractors, including to receive contracts and payments.  The non-public portions of these registrations include bank account information, tax information, and other sensitive information about a company.  Recent phishing scams and efforts to gain access to registrations indicate sophisticated actors are attempting to manipulate SAM registrations, possibly for access to payments from the government, among other reasons.  Company SAM registration Administrators should protect the company’s SAM registration from unauthorized access to the greatest extent possible.

Scams and Access Efforts

The recent scams are specifically designed to deceive SAM.gov users, often through emails meant to appear as though they are generated by the General Services Administration (GSA) Federal Service Desk to gain information about a company registration or user account in connection with an expiring or in-process registration.  Other emails may take the form of requests for individual user access to registrations that appear to be employee requests that are sent through the SAM system itself. 

In the case of legitimate requests for individual user access, the SAM Administrator will see a request for access to a company registration when they log into their SAM account.  If the SAM Administrator does not specifically know the individual and recognize the email address requesting access to the company registration and/or was not expecting a request for access, the Administrator should inquire internally with the company (not responding or communicating with the requester) to determine if the request is legitimate.  SAM Administrators should deny such requests for access if they cannot be verified.  Access can always be granted later if deemed appropriate and, while access can also be revoked, damage can occur quickly if improper access is granted.

 

SAM Registration ("registration")	SAM Registration Legal Entity (and physical address) fully registered in SAM.gov with a Unique Entity Identifier (UEI), CAGE Code, and representations and certifications in SAM.
SAM Account ("account")	An individual user’s email and password that grants the individual access into the SAM system.  Registrations are linked to accounts.

Potential Risks and Consequences

Falling victim to these scams or illegitimate attempts to access SAM registrations can have severe consequences for businesses and individuals.  A company’s account information may be compromised or even changed such that the company does not receive payments it is due.  Representations and certifications could be modified, placing the company’s ability to receive contracts at risk.  The registration also could be entirely deleted, which would halt payments, prevent receipt of contracts and modifications, and take significant resources and time to resolve.

Preventative Measures

Implementing preventative measures can significantly reduce the risk of falling victim to these scams.  Best practices for SAM Administrators and SAM-registered companies include:

• SAM-registered companies should have at least two approved SAM Administrators.
• SAM Administrators should carefully review any emails from SAM or the GSA reporting on changes, updates, or other activity in SAM and in the company registration. SAM Administrators should understand why any SAM or GSA communications are being received and know whether any reported changes are authorized.
• SAM Administrators reviewing SAM and GSA emails should not click on links until they have reviewed the entire email and checked the "From" address on the email to ensure the email is legitimate, and consider bypassing links to confirm changes directly in their SAM accounts.
• SAM Administrators should set up two multifactor authentication methods for Login.gov (i.e., enable a second authentication method beyond the required primary authentication method).
• SAM Administrators should not share their passwords or one-time passwords/tokens with others inside or outside of the organization by e-mail, phone, or otherwise.
• SAM Administrators should not approve any access (as administrator, data entry, or otherwise) to a company registration unless the SAM Administrator knows the individual to whom access is being given and knows the reason for granting access.
• SAM Administrators should review and update registration users and promptly remove access when individuals no longer require access to the registration (e.g., employees that have left the company or whose new roles do not require access to the registration).
• SAM-registered companies should ensure IT departments have strict protocols for granting access to SAM Administrator email accounts, phone numbers, or other personal information.

If there are any questions about the authenticity of GSA or SAM-generated emails or about other communications received relating to a company registration, businesses may consider contacting the Federal Service Desk.