Bad guys are abusing the Social Security Administration's (SSA) online service, My Social Security Account, in two ways:
- A phishing scam that encourages employees to create an account at a site the scammers control, where the user enters all their confidential information. That data leaves them open to ID theft and follow-on social engineering attacks, and the site may also infect their workstation, whether in the office or at home.
- The scammers set up a My Social Security Account in the victim's name and change the direct deposit details so the benefit payments go to a bank account they control.
Basically, this "My Social Security Account" is very useful. It lets you set up a personal online account to view your earnings history and estimated benefits, change your address, and start or change direct deposit of your check into a bank account. The SSA also supports 2-factor authentication, which is good.
However, it's a haven for scammers. Yes, to open an account the SSA verifies personal data by asking questions that only the Social Security recipient should know, but this information is easily available to an identity thief, who can then open an account in the name of the intended victim.
The introduction of 2-factor authentication does not prevent an identity thief from setting up a My Social Security Account in the victim's name in the first place, because whoever creates the account is the one who enrolls the second factor. And for accounts that already exist, we all know that a user can be social engineered into handing the 2FA code to the hacker.
What To Do About This
I suggest you send your employees, friends and family the following. Feel free to copy/paste/edit:
There are two Social Security scams you need to watch out for at the moment.
The first one is where you receive an official-looking email from the Social Security Administration inviting you to create an account so you can receive your benefits. You land on a web page where the scammers hope you will fill out all your confidential information. Don't fall for it. Never click on links in any of these emails. If you want to sign up for a My Social Security Account, type the address into your browser yourself and go directly to https://ssa.gov/myaccount/
The second scam is where the bad guys actually create an account in someone else's name and redirect the payments to a bank account they control, not the victim's. To prevent this, create your own MySSA account first, with a strong, unique password, and turn on 2-factor authentication. This is similar to filing your tax return early, before the bad guys file a bogus return and steal your refund.
Another security measure I recommend: after you create your MySSA account, go to a Social Security office in person and request that any change to the bank account your check is deposited into be made only in person at a branch office, and never through your online account.
Think before you click!
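The "never click on links" advice above can be backed up with a mechanical check. The script below is an added example, not code from the original post or from the SSA: it pulls every link out of a constructed sample email (the HTML body, the lookalike domains and the link text are all made up for the demonstration) and flags any link whose real destination is not on ssa.gov. The one detail worth noticing is the host comparison: a naive "contains ssa.gov" or suffix test would accept lookalikes such as ssa.gov.something.example, so the check compares whole domain labels.

```python
"""Flag links in a suspected SSA phishing email whose real destination is not on ssa.gov.

Added example for this post; the sample email and the domains in it are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "ssa.gov"  # the real site the message above tells users to type in directly


def is_official_host(hostname):
    """True only for ssa.gov itself or a subdomain of it.

    Compares whole labels: 'ssa.gov.example' and 'notssa.gov' both fail,
    while 'www.ssa.gov' passes.
    """
    if not hostname:
        return False
    host = hostname.lower().rstrip(".")
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def audit_links(html_body):
    """Return (href, visible text, reason) for every link that should not be clicked."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            findings.append((href, text, "non-web scheme"))
        elif not is_official_host(parts.hostname):
            findings.append((href, text, "destination is not on " + OFFICIAL_DOMAIN))
        elif parts.scheme != "https":
            findings.append((href, text, "official host but not https"))
    return findings


# Constructed sample: two lookalike links (one with the real URL as its visible text)
# and one genuine link.
SAMPLE_EMAIL = """<html><body>
<p>Create your my Social Security account to keep receiving benefits.</p>
<p><a href="https://ssa.gov.account-verify.example/myaccount/">https://ssa.gov/myaccount/</a></p>
<p><a href="http://myssa-login.example/signin">Sign in now</a></p>
<p><a href="https://www.ssa.gov/myaccount/">Official site</a></p>
</body></html>"""


if __name__ == "__main__":
    for href, text, reason in audit_links(SAMPLE_EMAIL):
        print("DO NOT CLICK: %r (shown as %r): %s" % (href, text, reason))
```

Run against the sample, the first two links are reported and the www.ssa.gov link is not. The first finding is the interesting one for a user: the visible text is the genuine address, but the href underneath it is not, which is exactly why the advice is to type the address rather than click.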
KnowBe4 customers will get their "New Template Notification" when we have this ready for you to send to your users and inoculate them against this attack.
If you are not a KnowBe4 customer yet, you simply cannot sit back and hope your filters are going to catch it all; they never do. You have to create an additional layer, call it your "human firewall". Thousands of organizations are doing this with great results. You have to do this anyway to be PCI compliant, so why not do it right the first time?
Stepping your users through new-school security awareness training is a must. Moreover, it's simply fun to phish your users and train them not to fall for social engineering attacks. Find out how affordable this is for your organization and be pleasantly surprised.