Application security, Threat Management, Incident Response, TDR

Social Security Administration spoofed in phishing scam

Updated Monday, May 11, 2009 at 3:53 p.m. EST

Scammers have spoofed the Social Security Administration's (SSA) website in a phishing scam targeted at those who will be receiving an economic recovery payment this month.

Under Obama's American Recovery and Reinvestment Act signed into law in February, nearly 55 million individuals receiving Social Security, Supplemental Security Income (SSI), Railroad Retirement or veterans benefits will receive a one-time $250 economic recovery payment this month. Payments, totaling $13 billion, began going out last Thursday and will continue until June 4. 

Though some Americans are getting a break from the government, scammers are attempting to get their own payday. The SSA is warning users of a phishing scam in which users are being sent emails that contain links to what appears to be the agency's web page. At the site, users are asked to enter their personal information, including Social Security and bank-account numbers to receive stimulus checks, The Wall Street Journal reported Saturday, citing Mark Hinkle, a spokesman for the SSA.

In response to a request for more information Monday, a SSA spokeswoman referred to the Office of Inspector General (OIG), which issues advisories about Social Security scams. The OIG  has not issued an advisory about this scam.

Wade Walters, assistant inspector general for external relations at the OIG told Monday that as of today he is not aware of any scams related directly to the economic recovery payment but that individuals should be aware of the potential of this threat.

“Always be mindful that there are scam artists out there and any time the government is sending out checks or there's a new benefit there's an opportunity for thieves to take advantage of that,” Walters said.

On its website, the SSA warned individuals not to provide personal information to anyone saying they need it to process the payment. If users have identified any of these suspicious emails, they are asked to contact the OIG.

This is not the first time scammers have tried to cash in on government funds or the first government agency they have tried to impersonate.

The OIG issued an advisory last June about fake SSA sites users may have mistakenly visited believing they were applying for benefits online with SSA.

In early February, the US-CERT warned of a similar phishing scam, in which fake Internal Revenue Service (IRS) emails claimed to offer users stimulus-package payments. The messages attempted to lure users to a website and then enter personal information. The IRS does not request taxpayer information through email and said those who receive one requesting personal information should not click on any links, and delete the message immediately.

Last year, a phishing attack preyed on eager expectations of IRS refund checks, as well as the Bush administration's economic stimulus payment distribution. This emails appeared to be coming from the IRS with a subject line of "2008 Economic Stimulus Refund." The phishing message's content typically said something like: "Over 130 million Americans will receive refunds as part of President Bush's program to jumpstart the economy." Or, "Our records indicate that you are qualified to receive the 2008 Economic Stimulus Refund," or some variation.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.