Guest post by Stu Sjouwerman, founder and CEO, KnowBe4.
Bad guys are abusing the Social Security Administration’s (SSA) online service, My Social Security Account, in two ways:
- A phishing scam that encourages employees to create an account: the user enters all their confidential information at the scammer’s site, which exposes them to ID theft and follow-on social engineering attacks using that data, and can also infect their workstation, whether at the office or at home.
- Scammers set up My Social Security Accounts on behalf of real beneficiaries and change the direct-deposit details so that benefit payments go to a bank account they control.
Basically, this “My Social Security Account” is very useful. It lets you set up a personal online account through which you can view your earnings history and benefit estimates, change your address, and start or change direct deposit of your payments into a bank account. The SSA also supports two-factor authentication, which is good.
However, it is also a haven for scammers. Yes, to open an account the SSA verifies personal data by asking questions that only the Social Security recipient should be able to answer, but that information is easily obtained by an identity thief, who can then open an account in the name of the intended victim.
Two-factor authentication does not prevent an identity thief from setting up a My Social Security Account in the victim’s name in the first place, because the second factor is enrolled by whoever creates the account. And even on an existing account, we all know that a user can be social engineered into sending the 2FA code to the attacker.
What to Do About This
I suggest you send your employees, friends and family the following. Feel free to copy/paste/edit: