Guest post by Stu Sjouwerman, founder and CEO, KnowBe4.
Bad guys are abusing the Social Security Administration’s (SSA) online service called My SocialSecurity Account in two ways:
- A phishing scam that encourages employees to create an account: the user enters all their confidential information at the scammer’s site, which leaves them open to ID theft and to social engineering attacks that use that data, and can also infect their workstation, whether at the office or at home.
- The scammers set up My Social Security Accounts on behalf of people, and change the account to direct the benefits checks to a bank account they control.
Basically, this “My Social Security Account” is very useful. It allows you to set up a personal online account that lets you view your earnings history and benefit estimates, change your address, or start or change direct deposit of your check into a bank account. The SSA also supports two-factor authentication, which is good.
However, it’s a heaven for scammers. Yes, to open an account the SSA requires verification of personal data by asking questions that only the Social Security recipient should know, but this information is easily available to an identity thief, who can then open an account in the name of the intended victim.
The introduction of two-factor authentication does not prevent an identity thief from initially setting up a My Social Security Account in the name of their victim, and we all know that a user can be social-engineered into sending the 2FA code to the attacker.
What to Do About This
I suggest you send your employees, friends and family the following. Feel free to copy/paste/edit:
There are two Social Security scams you need to watch out for at the moment.
The first one is where you receive an official-looking email from the Social Security Administration with an invite to create an account so you can receive your benefits. You land on a webpage where the scammers hope you will fill out all your confidential information. Don’t fall for it. Never click on links in any of these emails. If you want to sign up for a My Social Security Account go directly to https://ssa.gov/myaccount/
The second scam is where the bad guys actually create an account for someone, and redirect the payments to a bank account controlled by them, not the victim. To prevent this from happening, create your own MySSA account with a strong username and password. This is similar to filing your tax return early before the bad guys file a bogus return and steal your refund.
Another security measure I recommend: when you create your MySSA account, go to the settings and choose the option that requires any change to the bank account into which your check is electronically deposited to be made in person at a Social Security branch office, not through your online account.
Think before you click!
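The first scam above turns on one habit: never trust a link in an unsolicited email, and reach the SSA only by typing https://ssa.gov/myaccount/ yourself. The following is an added example, not code from this post or from KnowBe4, showing why that habit matters: it parses the links out of a constructed sample email and checks whether each one actually points at ssa.gov. The allow-list (only ssa.gov and its subdomains, over HTTPS) and the sample email are assumptions made for the example; the lookalike hostnames in it are invented, not real scam domains.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list for this example: the SSA's real domain from the post.
# Any host not on it means "don't click; type the address yourself".
TRUSTED_HOSTS = ("ssa.gov",)


def is_trusted_ssa_link(url: str) -> bool:
    """True only if the URL's host is ssa.gov (or a subdomain of it) over HTTPS.

    urlsplit() isolates the real hostname, so the usual disguises all fail:
      'https://ssa.gov.evil.example/'      -> host is ssa.gov.evil.example
      'https://ssa.gov@evil.example/'      -> host is evil.example, 'ssa.gov' is userinfo
      'https://evil.example/ssa.gov/...'   -> ssa.gov is only part of the path
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    # Anything before '@' is userinfo, a classic way to make the real host look like a path.
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


class _LinkExtractor(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html: str):
    parser = _LinkExtractor()
    parser.feed(html)
    parser.close()
    return parser.links


def triage_email(html: str):
    """Return (text, href, verdict) for each link; flag text that names ssa.gov while the href goes elsewhere."""
    report = []
    for text, href in extract_links(html):
        verdict = "trusted" if is_trusted_ssa_link(href) else "suspicious"
        if verdict == "suspicious" and "ssa.gov" in text.lower():
            verdict = "suspicious (link text impersonates ssa.gov)"
        report.append((text, href, verdict))
    return report


# Constructed sample message for the example; the lookalike domains are invented.
SAMPLE_EMAIL = """
<p>Your benefits are pending.
<a href="https://ssa.gov.account-verify.example/login">Create your My Social Security account</a></p>
<p>Or visit <a href="https://ssa.gov@account-verify.example/">https://ssa.gov/myaccount/</a></p>
<p>Official site: <a href="https://www.ssa.gov/myaccount/">www.ssa.gov/myaccount</a></p>
"""

if __name__ == "__main__":
    for text, href, verdict in triage_email(SAMPLE_EMAIL):
        print(f"{verdict:45} text={text!r} href={href}")
```

The second sample link is the instructive one: its visible text is the genuine https://ssa.gov/myaccount/ address, yet the href leads somewhere else, which is exactly why the advice is to type the address rather than click it.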
Stepping your users through new-school security awareness training is also a must; moreover, it’s simply fun to phish your users and train them not to fall for social engineering attacks! Find out how affordable this is for your organization and be pleasantly surprised.