And yes, as we predicted, there are now phishing attacks that mimic Office of Personnel Management (OPM) data breach notifications. The breach has expanded to millions more records. It now looks like 14 million -- and who knows how many more -- have been exfiltrated to China. Anyone who works for the government or has worked for it in the past must now worry about scammers trying to capitalize on the data that was stolen.
We are talking about current and former federal employees, people who recently applied for federal jobs, several types of industry contractors and -- because of the highly detailed Standard Form 86 used for security clearances -- a wide swath of applicants' family members, friends and acquaintances.
A June 30 alert from the U.S. Computer Emergency Readiness Team stated: "US-CERT is aware of suspicious domain names that may be used in phishing campaigns masquerading as official communication from the Office of Personnel Management (OPM) or the identity protection firm CSID. US-CERT recommends that users visit the OPM website for more information. Users are also encouraged to read US-CERT's guidance on avoiding social engineering and phishing attacks and report suspicious emails."
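As an added illustration of the US-CERT point about lookalike domains (this is example code, not from the original post or from US-CERT), here is a small mail-triage check that flags senders impersonating the opm.gov or csid.com domains. The legitimate-domain list, the edit-distance threshold and the sample headers are assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Legitimate sender domains for breach-notification mail; the list and the
# edit-distance threshold below are assumptions made for this example.
LEGIT_DOMAINS = ("opm.gov", "csid.com")
BRAND_TOKENS = ("opm", "csid")

# Constructed sample headers (not real mail): one genuine-looking sender, one
# lookalike that reuses the brand name, one typo-squat, one unrelated sender.
SAMPLE_MESSAGES = [
    "From: OPM Notices <notices@opm.gov>\nSubject: Your notification letter\n\nbody",
    "From: OPM Breach Team <help@opm-breach-notice.example>\nSubject: Act now\n\nbody",
    "From: CSID Support <support@cs1d.com>\nSubject: Verify your identity\n\nbody",
    "From: Payroll <payroll@agency-intranet.example>\nSubject: Timesheets\n\nbody",
]

def levenshtein(a, b):
    """Plain dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(raw_message):
    """Extract the lower-cased domain from the From: header (empty if absent)."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    return addr.rpartition("@")[2].lower()

def classify_sender(domain):
    """Return 'legit', 'lookalike' or 'unrelated' for a sender domain."""
    if domain in LEGIT_DOMAINS or domain.endswith(tuple("." + d for d in LEGIT_DOMAINS)):
        return "legit"
    # Brand name appearing as its own label (opm-notice.example, csid.example.net).
    if any(tok in re.split(r"[.-]", domain) for tok in BRAND_TOKENS):
        return "lookalike"
    # Typo-squats of the registrable part; threshold kept at 1 because the
    # legitimate names are short and a looser bound flags unrelated .gov domains.
    registrable = ".".join(domain.split(".")[-2:])
    if any(levenshtein(registrable, d) <= 1 for d in LEGIT_DOMAINS):
        return "lookalike"
    return "unrelated"

def triage(raw_messages):
    """Map each message to (sender domain, verdict) for review or quarantine rules."""
    return [(sender_domain(m), classify_sender(sender_domain(m))) for m in raw_messages]
```

A 'lookalike' verdict is a cue for manual review or quarantine rather than a definitive judgement; a real deployment would also check SPF/DKIM results and the link targets in the body.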
I'd send an email out to all employees, and give them a heads-up about this potential threat they need to watch out for. As part of your security awareness training program, here is a link to a free job-aid that you (or they) can download, print and pin on the wall of their cubicle. It shows the 22 Social Engineering Red Flags that you need to watch out for in emails:
If your organization still uses old school user education, it might be time to look at effective awareness training which combines on-demand web-based interactive training with frequent simulated phishing attacks. Find out how affordable this is for your organization and be pleasantly surprised: