Zambia Ministry Tender Scam: mmmd-gov.com.zm Is Not Official

Daniel Zimmermann
13 Min Read
Fake government tender document revealing a look-alike email domain.
A convincing tender can copy official details while routing replies through a look-alike domain.

The email claiming to be a Zambia Ministry of Mines tender from mmmd-gov.com.zm is not an official government message. The real Ministry of Mines and Minerals Development uses mmmd.gov.zm. The look-alike sender domain, a second hidden domain inside a PDF, outdated procurement law, and an invitation that does not match Zambia’s official e-GP workflow identify this campaign as procurement impersonation.

The message offered a contract for twenty 36-inch reinforced-concrete diamond saw blades. It copied a real ministry name, address, official’s name, and fax number, so a supplier reading only the letterhead could easily mistake it for a legitimate request for proposal. This analysis separates those copied details from the parts the sender could not make consistent.

Why mmmd-gov.com.zm is fake

The most decisive check is the domain after the @ sign. The ministry’s own contact page publishes [email protected] and links to www.mmmd.gov.zm.[1] The tender email inserts a hyphen and adds com. That is a different domain under the DNS system, not a ministry subdomain.

Domain shown What it means
mmmd.gov.zm Official ministry domain published by the Zambian government
mmmd-gov.com.zm Look-alike domain used to send the analyzed tender
mmmd-gov.org.zm Second look-alike domain hidden in a PDF email link

Both look-alike domains were registered in 2026 and led to generic parked pages when checked. Their visual resemblance to the ministry address is the feature that matters: an attacker can register a separate domain and configure it to send authenticated mail while having no control over the real government domain.

Why SPF, DKIM, and DMARC passed

The message passed SPF, DKIM, and DMARC checks for mmmd-gov.com.zm. That does not authenticate the sender as the Zambia Ministry of Mines. These controls answer whether a server was authorized by the owner of the domain that sent the message; they do not decide whether that domain belongs to the organization named in the display name.

In other words, a scammer can correctly configure email security for a newly registered imitation domain. The result is a technically authenticated message from the wrong identity. This is why domain spelling remains essential even when a mail gateway shows a pass result.

Example

The private recipient details have been removed, and the sender address is obfuscated below. The structure reflects the message analyzed for this report:

Subject: Invitation To Tender — 20 Diamond Saw Blades
From: Ministry of Mines and Minerals Development
Reply-To: dr.hapenga.m.kabeta [at] mmmd-gov [dot] com [dot] zm

Urgent invitation for competitive proposals.
Please review the attached tender documents.
Closing date: 24 July 2026, 16:00 CAT

Attachments:
MMMD-ZM OPEN TENDER RFP.pdf
Republic of Zambia MMMD Open Tender Invitation.pdf
Generic email client showing a fake Zambia ministry tender invitation with two PDF attachments and a look-alike sender domain.
The tender lure uses urgency, an official display name, a short deadline, and PDF attachments to prompt a reply.

Six red flags inside the tender documents

1. A visible address opens a different fake address

One invitation visibly prints [email protected]. However, the actual hyperlink annotation embedded under that text points to [email protected]. A recipient who clicks instead of manually inspecting the link is silently routed to a second look-alike domain. Legitimate procurement documents should not make the visible contact and clickable destination disagree.

2. The documents cite superseded procurement law

The package cites Zambia’s Public Procurement Act of 2008 and the 2011 regulations as its governing authority. Zambia’s National Assembly records that the Public Procurement Act No. 8 of 2020 repealed and replaced the 2008 Act.[3] Recycled legal wording is a strong sign that the package was assembled from an old template rather than issued through a current ministry process.

3. The submission workflow does not fit current e-GP procurement

Current Zambia Public Procurement Authority listings for MMMD procurements identify the procuring entity, tender number, dates, and submission method on the official e-GP platform. A current ministry record explicitly requires online submission through e-GP.[2] The emailed package instead tries to move the supplier into direct correspondence on a newly registered non-government domain.

4. A South African municipal form appears in a Zambia ministry package

The attachments include an MBD4 “Declaration of Interest” form with questions framed for a municipality or municipal entity. MBD forms belong to South African municipal procurement. Their presence in a purported Zambian central-government invitation is a jurisdiction mismatch consistent with a document assembled from unrelated procurement templates.

5. The payment terms contradict each other

One PDF says no advance payment will be made. The other promises a 50% mobilization deposit for later orders. Those terms cannot both describe the same procurement process. The inconsistency also creates an opening for a later fraud stage: a promised deposit can be used to justify requests for bank details, “registration” charges, insurance, or a refundable processing fee.

6. Real details are mixed with false routing

The official’s name, ministry address, and fax number are not proof that the sender is genuine. Some of these details match public ministry information.[1] Copying them makes the letterhead credible while the reply path remains controlled through the look-alike domain. This is a common social-engineering pattern: accurate public facts surround one operational detail the attacker needs the recipient to trust.

Are the attached PDFs malware?

The two PDF samples analyzed here did not show an active malware payload. They contained no JavaScript, embedded files, launch actions, or interactive forms. Opening these specific samples in an updated PDF reader is therefore not evidence that the device was infected.

That finding is limited to the analyzed files. It does not make the procurement legitimate, and it does not guarantee that a later attachment will be harmless. An attacker may begin with ordinary PDFs, establish a conversation, and then send a password-protected archive, executable, remote-support tool, or link to a credential page. The Phantom Stealer RFQ campaign shows why later RFQ files require a separate malware check.

What can happen after a fake tender reply?

The message alone does not prove which follow-up the sender planned. Documented fake government RFQ schemes have progressed to counterfeit purchase orders, delivery instructions, and requests to ship goods on credit.[4] Other procurement impersonation campaigns collect company registration documents, signatures, tax details, bank information, or upfront fees.

The likely risk depends on how far the conversation went:

  • Identity and document collection: company certificates, signatures, letterhead, and employee details can support further impersonation.
  • Payment diversion: fake deposits, supplier fees, inspection charges, or changed bank instructions can turn the exchange into business email compromise.
  • Goods theft: a counterfeit purchase order may persuade a supplier to ship expensive products before payment clears.
  • Malware or credential theft: a later archive, installer, shared-document link, or remote-support request may create a technical compromise.

A similar separation between copied corporate details and attacker-controlled onboarding appears in the Flydubai vendor registration scam.

How to verify a Zambia government tender

  1. Do not use contact details from the message. Type mmmd.gov.zm yourself and use the phone number or email published there.
  2. Search Zambia’s e-GP portal independently. Confirm the procurement reference, closing date, procuring entity, submission method, and contact person.
  3. Compare the complete domain. Hyphens, inserted words such as com, and different endings create separate domains. You can also use the Gridinsoft Website Reputation Checker as a secondary check, not as a replacement for calling the agency.
  4. Ask the official procurement office to confirm the tender number and product. Send no company records until that confirmation arrives through an independently sourced channel.
  5. Verify every financial change out of band. Call a known number before accepting a deposit promise, paying a fee, changing bank details, or shipping goods.

Do not visit the look-alike domains to investigate them. Save the original email and attachments for your security or fraud team, then report the message through your mail provider. For a broader checklist, see how to spot a phishing email.

What to do now

  • You only opened the analyzed PDFs: close them, update the PDF reader, preserve the email, and monitor for follow-up. The static-file findings do not indicate an infection.
  • You replied: stop communicating, warn colleagues who may be copied, and treat any later message about the tender as untrusted.
  • You sent company documents: tell management and the security team exactly what was disclosed. Watch for new impersonation, altered invoices, supplier-account requests, and messages using your letterhead or signature.
  • You sent bank data or paid: contact the bank’s fraud department immediately, request a recall or hold, preserve all records, and report the incident to the relevant law-enforcement and procurement authorities.
  • You ran a later program, archive, or support tool: disconnect the affected device from the network, use a known-clean device to reset exposed credentials, and perform a full security scan or incident-response review.

FAQ

Is mmmd-gov.com.zm an official Zambia government domain?

No. The Ministry of Mines and Minerals Development publishes mmmd.gov.zm. The hyphenated com.zm address is a separate look-alike domain.

Can a phishing email pass SPF, DKIM, and DMARC?

Yes. Those checks can pass when the sender controls and correctly configures the imitation domain. They authenticate the sending domain, not the real-world organization claimed in the display name.

Did opening the tender PDF infect my computer?

The two analyzed PDFs showed no JavaScript, embedded files, forms, or launch actions, so simply opening those samples is not evidence of infection. Scan the device if you later ran an executable, archive, installer, macro-enabled document, or remote-support tool.

Should I reply to ask whether the tender is real?

Do not reply to the suspicious address. Contact the ministry through details obtained from its official website and confirm the procurement separately on the ZPPA e-GP portal.

References

  1. Ministry of Mines and Minerals Development, Contact Us. Official domain and public contact details.
  2. Zambia Public Procurement Authority, MMMD tender record on e-GP. Official online procurement workflow.
  3. National Assembly of Zambia, Public Procurement Act No. 8 of 2020. Replacement of the 2008 Act.
  4. U.S. General Services Administration Office of Inspector General, Fraud Alert: Fake Government Requests for Quotes. Documented fake RFQ and purchase-order pattern.
Share This Article
With a strong background in consumer safety and fraud prevention, Daniel specializes in providing actionable tips and advice to users. His focus is on helping individuals understand the risks of interacting with fraudulent sites and services
Leave a Comment

AI Assistant

Hello! 👋 How can I help you today?