8 Red Flags in a Fake RFP That Almost Cost Me 30 Hours of Unpaid Work
By Lesli Rose · April 25, 2026 · 6 min read
An inbound RFP hit my inbox last week. $46,900 budget. Three workstreams. A formal 20-page technical specification. The kind of opportunity a freelance consultant builds a quarter around.
Before I responded, I ran the email and the document through a quick verification check. Eight signals were off. I called the company directly. The owner answered the phone. She had never commissioned any RFP. Someone was using her business name to farm proposals from outside agencies.
Two minutes on the phone saved me thirty hours.
Here is the pattern, signal by signal, so the next consultant can catch it faster than I did.
The Setup
The impersonator built credibility in two steps. On day one, they submitted a vague contact-form lead through one of my websites: "SEO and some fix. Thank you." Generic. Low effort. Easy to ignore.
The next morning, an email arrived from the same person, attached to the same name and phone number, with a link to a polished 20-page Technical Specifications PDF on Google Drive. The RFP was professionally formatted. Numbered sections. Acceptance criteria tables. A KPI matrix. Multi-currency pricing. It looked real.
The two-step pattern (low-effort lead, high-polish follow-up) is what made me almost bite. A pure cold email with a 20-page RFP attached would have triggered my filters immediately. The lead form created the illusion of a real prospect already engaged with my business.
The 8 Signals
Any one of these alone is a yellow flag worth noting. Two or more in the same outreach is a red flag that warrants a verification call before you spend a single billable hour drafting a response.
1. Cyrillic lookalike characters in the English email body
Words like "You," "can," "website," and "Technical" in the email body had Unicode characters that look Latin but are actually Cyrillic codepoints. The Cyrillic а (U+0430) is visually identical to the Latin a but is a different character. Spammers substitute these to evade keyword-based filters. Legitimate business English does not contain mid-word Cyrillic.
Test: copy any suspicious word from the email body and paste it into a Unicode inspector. If the codepoints come back mixed Latin and Cyrillic, that is a scam signal.
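The same test can be scripted for a whole email body. The following is an added example, not a tool from the original post: the function names are hypothetical, the sample text is constructed, and the script of each letter is approximated from the first word of its Unicode character name.

```python
import re
import unicodedata
from collections import Counter

def script_of(ch):
    """Approximate a letter's script by the first word of its Unicode name."""
    if not ch.isalpha():
        return None  # digits and underscores carry no script information
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def mixed_script_words(text):
    """Return (word, outliers) for every word that mixes scripts.

    outliers lists (code point, script) for each letter that is not in
    the word's dominant script.
    """
    findings = []
    for word in re.findall(r"\w+", text):
        counts = Counter(s for s in map(script_of, word) if s)
        if len(counts) < 2:
            continue  # single-script word: plain English or plain Russian
        dominant = counts.most_common(1)[0][0]
        outliers = [(f"U+{ord(c):04X}", script_of(c))
                    for c in word if script_of(c) not in (None, dominant)]
        findings.append((word, outliers))
    return findings

# Constructed sample: two English words carry Cyrillic U+0430 in place of
# Latin "a"; the last word is ordinary Russian and must not be flagged.
SAMPLE = ("You c\u0430n review the Technic\u0430l spec. "
          "\u041f\u0440\u0438\u0432\u0435\u0442!")

if __name__ == "__main__":
    for word, outliers in mixed_script_words(SAMPLE):
        print(repr(word), outliers)
```

A word written entirely in Cyrillic passes, so the check flags only the mid-word substitution described above and does not penalize legitimate non-English text.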
2. Free email domain for a long-established company
The supposed marketer for a 22-year-old company emailed from a Gmail address rather than a company domain. Companies that have been operating for a decade or more brand their outreach through their own domain. A Gmail address for a vendor-procurement role is a strong signal that the contact is either external to the company or fabricated entirely.
3. Named contact does not appear on the company's public profile
I searched the contact's name on LinkedIn and on the company's own website. Two minutes. No trace. A real employee at a real company has a LinkedIn profile, a mention on the team page, or at minimum a Google result tying them to the business. Total absence is a strong scam signal.
4. Phone area code does not match the company's stated location
The company is in California. The contact phone number had a North Carolina area code. Possible for a remote employee, but added to the signal stack, it warrants verification.
5. RFP delivered via Google Drive instead of a company attachment
Legitimate RFPs from established companies are usually emailed as attachments from the company's domain or hosted on a procurement portal. External cloud links can install tracking, harvest authentication tokens from a logged-in browser, or serve content that gets swapped after distribution. Always download via a non-authenticated browser session if you must open them.
6. Two-step contact pattern (vague lead form, then detailed RFP)
Real procurement teams either fill out a detailed inbound form or email directly with specifics. A throwaway "SEO and some fix" lead form submission followed the next morning by a 20-page formal RFP is a manufactured-credibility pattern. The lead is the social-engineering hook; the RFP is the bait.
7. Multi-currency pricing on an RFP from a small US business
The RFP listed budgets in USD, GBP, and EUR with an exchange-rate disclaimer. Small US-domestic distributors do not bid contracts in three currencies. Multi-currency pricing originates from offshore procurement-mill templates designed to cast a global net of unsuspecting freelance vendors.
8. Third-person "Client responsibilities" language throughout
Legitimate RFPs written by the buyer's own team use first person: "We need," "Our requirements." Templated procurement-mill RFPs use third person: "Client responsibilities," "Client will coordinate." If the document refers to its own author in the third person, that author is not actually the company that supposedly sent it.
The Phone Call
I found the company's main phone number on their real website (not the number in the scam email). I dialed. The owner of the company answered. I asked: "Are you currently looking for vendors for a website optimization RFP?" She paused, then said: "No. We are not. Who told you we were?"
I told her about the email, the contact name, the RFP, the Gmail address. She thanked me, took notes, and said she would let her team know. Five minutes total.
That phone call protected me from at least 30 hours of unpaid drafting work. It also gave the real company owner intelligence she did not have a few minutes earlier. Both sides of the call walked away better off.
What Scammers Are Actually Trying to Get From You
The end goal of an RFP scam is rarely the proposal itself. The most common patterns I have seen documented:
- Intellectual-work theft. Collect detailed proposals from a dozen agencies, use the strategic thinking and pricing intel to staff their own internal project or to sell to competitors.
- Pre-payment fraud. "We selected your proposal, we will pay a deposit, just send your Wise or PayPal details." The deposit never arrives.
- Credential phishing. The Google Drive link captures Google authentication tokens or installs tracking on the browser.
- Lead extraction. The proposal you write becomes a sales asset for a competing freelance agency the scammer actually owns.
- Trust-laundering. Collected vendor proposals get used as social proof for an unrelated fraud ("these agencies are bidding on our work, we are clearly legitimate").
The Rule
If you receive an inbound RFP from a company you do not already know, verify by phone before you spend a single billable hour drafting a response. The cost of a verification call is two minutes. The cost of drafting a proposal for a scam is 20 to 40 hours of unpaid work that produces nothing.
The two-minute call wins every time.
An Unexpected Outcome
Here is the part that surprised me. By the time I called the real company to verify, I had already done a complete technical review of their website to inform the proposal I was about to draft. The work was real. The findings were real. The business was real, even though the RFP wasn't.
So I did something I have never done before. I rewrote the proposal as a real proposal, addressed to the real owner, based on what I had actually observed about her site. No obligation, no pressure, no expectation. Just: here is what I found, here is what I would do about it, here is how to start small if you want to.
The fake RFP was a waste. The work it triggered was not. Sometimes the right next step after spotting a scam is not to walk away from the company being impersonated. Sometimes it is to introduce yourself for real.
Have you received an inbound RFP that felt off?
Forward it to me and I will tell you which signals match the patterns above. No charge. I would rather see one more scam stopped than one more agency owner waste a week of unpaid work on a fake proposal.