What do you worry about the most? If you’re like most Americans surveyed on the subject, at the top of your list are money, the future, and political instability.1 On their own, each of these topics has the power to create a pretty hefty amount of anxiety. Combine them, however, and you have the perfect recipe for phishing mayhem.
The Sum of All Fears
We all have reason to worry. The annual rate of inflation is the highest it’s been in 41 years.2 The Federal Reserve has raised interest rates five times thus far in 2022 – to the highest they have been since 2008.3 And, an uneasy feeling about Social Security has been brewing for years, with funds expected to be depleted by 2034.4
Social Security Numbers (SSNs) were created in 1936 in order to track an individual’s history of earnings and eventually determine the appropriate amount of Social Security benefits they should receive. Today, SSNs have become a universal identifier and are linked to much more than just earnings history.
During the last half of September, INKY detected an influx of phishing emails that were allegedly from the U.S. Social Security Administration (SSA). While the display address on the emails reads “Social_Security_Administration,” further inspection reveals the sender’s true origin to be a random Gmail address.
If there is one place a hacker puts his best foot forward, it’s the subject line. After all, a phishing email does no good unless it is opened and some action is taken. In this case, the subject lines include case and docket numbers to make the threat seem more official. Here are a few examples, with the recipient’s contact information redacted:
- Hi <redacted_email address> SSN going to be suspended (Case ID- SSA-75214260).
- Hi <redacted_email address> SSN found under suspicious activities, Docket No. 79851704.
- Fraudulent activity detect in your SSN Account.. Case id:15383815
- Suspicious activity detect in your SSN account. Docket id:13161614
- Your SSN id will be discontinued from service due to suspicious activity. Case id:18191915
- Your SSN id shortlisted for intimation. Case id:20101028
- Attention Dear <redacted_email address> Your SSN Going to Terminate soon Docket No. 67555263.
- Attention Dear <redacted_email address>: Termination of your SSN Docket No. 39525276.
- Your SSN will be discarded soon. Case id:19474728
- Dear <redacted_email address>: SSN_Intimation_Mail Docket No. 64796813.
- Hi <redacted_email address>. SSN Alert! Termination Warning, Docket No. 22105363.
It’s also good to note the element of urgency in some of these subject lines. Urgency is a phisher’s best friend. It causes people to panic and make ill-considered decisions.
All of the SSA brand impersonation phishing emails INKY caught contained a PDF attachment that opened in the form of a letter with SSA-branded elements. As you can see in this example, the letter starts with one of SSA’s widely used logos alongside a short tagline. It’s an image that looks sharp and is readily available online. In the body of the letter, the sender claims that illegal & fraudulent activities have been associated with the recipient’s SSN and, as a result, their SSN will be suspended in 24 hours. A phone number is given to resolve this issue.
So, what’s wrong with this phishing attempt? A lot.
Encouraging readers to call a phone number adds vishing to the mix. Vishing is a type of cybercrime that uses the telephone to steal confidential information. In this instance, the phone number provided in the letter does not belong to the SSA. When called, phishers answering ask their victims to confirm their SSN so it can be unsuspended. In some instances, they will even claim that a new one has been issued for a fee.
A Word from the Grammar Police
As always, missteps in writing can be a strong phishing email indicator. A few things pop out in this particular example.
The beginning of the first sentence is missing a word. “This is to notify <you> that we…”
The use of an ampersand to replace the word “and” is not typically done in formal writing unless it is part of an official name or is part of a long list that would otherwise be unclear.
The third sentence has several issues.
- It is needlessly centered in the middle of the page.
- It uses “queries” rather than “questions,” a usage that is less common in the U.S.
- “In case of any queries/help” is also awkward; nobody would write “In case of any help.”
- It includes a phone number that does not belong to the Social Security Administration.
The closing is also awkward.
- It is signed by the “Social Security Administrator” which is not a title that exists.
- There is no need to remind the reader that Social Security is part of the “United States of America”. Even if you felt the need to look more official, you wouldn’t put a period at the end.
Dishing on Phishing and Vishing
In the past five years, the number of phishing and vishing crimes has risen more than 1000% — yes one thousand percent. In 2021 alone it accounted for more than $44 million in losses.5
The SSA phishing and vishing attempts INKY caught were designed to fly under the radar. Because the messages were genuinely sent from Gmail accounts, they passed email authentication (SPF, DKIM, DMARC) for gmail.com, a domain with a high sender reputation. That is the catch: SPF, DKIM, and DMARC vouch for the domain in the From address, not for the display name, so a “pass” says nothing about whether “Social_Security_Administration” has any relationship to ssa.gov. There were also no malware-laden attachments or malicious links for email security vendors to scrutinize. Instead, the phishers socially engineered a fake letter in a PDF attachment and instructed recipients to contact them via a phone number.
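The following is an added example, not INKY’s code or part of the original post, showing the header-level check this implies: parse the From header into display name and address, read the Authentication-Results line that a receiving mail server adds, and treat a DMARC pass as vouching only for the authenticated domain. It also flags the pseudo-official case/docket numbers and urgency words seen in the subject lines above. The two sample messages, the brand-to-domain table, and the function names are constructed for this example.

```python
"""Added example (not INKY's code): header-only triage of a brand-impersonation
email.  SPF/DKIM/DMARC authenticate the From *domain*, never the display
name, so a 'pass' must be compared against the brand the display name claims.
The sample messages and BRAND_DOMAINS table are constructed for this example."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the campaign described above.  The
# Authentication-Results line is what a receiving MTA records for a message
# that really was sent from a Gmail account.
SAMPLE_RAW = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com; dmarc=pass header.from=gmail.com
From: Social_Security_Administration <someaccount1234@gmail.com>
To: victim@example.net
Subject: Hi victim@example.net SSN going to be suspended (Case ID- SSA-75214260).
Content-Type: text/plain

This is to notify that we found illegal & fraudulent activities on your SSN.
"""

# Constructed counter-example: same brand, but authenticated for ssa.gov.
LEGIT_RAW = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=ssa.gov; dkim=pass header.d=ssa.gov; dmarc=pass header.from=ssa.gov
From: Social Security Administration <noreply@ssa.gov>
To: citizen@example.net
Subject: Your statement is available
Content-Type: text/plain

Sign in to view your statement.
"""

# Brand keywords and the domains entitled to use them (assumed table; a real
# deployment would maintain and extend this list).
BRAND_DOMAINS = {"social security": {"ssa.gov"}, "ssa": {"ssa.gov"}}

AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|none|softfail|neutral|temperror|permerror)\b")
HEADER_FROM_RE = re.compile(r"header\.from=([\w.-]+)")
CASE_ID_RE = re.compile(r"\b(case|docket)\s*(id|no)\b[\s:.\-]*([\w\-]+)", re.IGNORECASE)
URGENCY_RE = re.compile(r"\b(suspend|terminat|discontinu|discard|alert|warning|24 hours)", re.IGNORECASE)


def _domain_in(domain, allowed):
    """True if domain equals or is a subdomain of any entry in allowed."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def parse_auth_results(value):
    """Extract spf/dkim/dmarc verdicts and the DMARC-aligned From domain."""
    results = {m.group(1): m.group(2) for m in AUTH_RESULT_RE.finditer(value or "")}
    m = HEADER_FROM_RE.search(value or "")
    results["authenticated_domain"] = m.group(1).lower() if m else None
    return results


def triage(raw):
    """Return a dict of header findings; 'verdict' is 'suspicious' if any fire."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    subject = str(msg.get("Subject", ""))
    findings = []

    # Which brands does the display name claim?  Underscores are normalised
    # because the campaign used "Social_Security_Administration".
    claimed = [b for b in BRAND_DOMAINS if b in display.lower().replace("_", " ")]
    if claimed:
        brand_domains = set().union(*(BRAND_DOMAINS[b] for b in claimed))
        if not _domain_in(from_domain, brand_domains):
            findings.append(f"display name claims {claimed} but From domain is {from_domain}")
        # A DMARC pass is tied to header.from; if that domain is not one of
        # the brand's, the pass is irrelevant to the impersonation.
        auth_dom = auth.get("authenticated_domain") or ""
        if auth.get("dmarc") == "pass" and not _domain_in(auth_dom, brand_domains):
            findings.append(f"DMARC pass vouches for {auth_dom}, not for the claimed brand")
        if not from_domain.endswith((".gov", ".mil")):
            findings.append("claims a U.S. government agency but sender domain is not .gov/.mil")

    m = CASE_ID_RE.search(subject)
    if m:
        findings.append(f"pseudo-official case/docket number in subject: {m.group(3)}")
    if URGENCY_RE.search(subject):
        findings.append("urgency language in subject")

    return {"display_name": display, "from_domain": from_domain, "auth": auth,
            "findings": findings, "verdict": "suspicious" if findings else "clean"}


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_RAW), ("legit", LEGIT_RAW)):
        result = triage(raw)
        print(label, result["verdict"], *result["findings"], sep="\n  ")
```

The `.gov`/`.mil` test is a coarse heuristic: it catches a raw Gmail sender but not a look-alike domain the attacker registered, which is why the brand-to-domain table and the DMARC-aligned domain comparison carry the real weight. Note that both the phish and the legitimate message have spf=pass, dkim=pass and dmarc=pass; only the domain those results are bound to differs.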
A Final Word
Let’s summarize some of the tactics used by these SSA phishers.
Recap of Techniques
- Brand impersonation — uses elements of a well-known organization to make an email look as if it came from a legitimate source.
- Data or credential harvesting — collecting personal data under false pretenses.
- Time pressure — adds a sense of urgency to the potential loss, again steering the target away from doing a common-sense analysis of the situation.
- Vishing — impersonates a brand to steal information via a phone call.
Best Practices: Guidance and Recommendations
- Carefully inspect the sender’s email address, not just the display name, especially if you receive an email claiming to be from the U.S. government. Official U.S. government domains usually end in .gov or .mil rather than .com or another suffix, and a government agency does not send official notices from a free webmail account.
- Look for grammatical and spelling errors. Organizations as large as the SSA tend to have professional writers and a detailed editorial review process.
- The SSA uses physical letters to communicate problems. They only contact people if they have ongoing business with them.
- The SSA will never threaten to suspend an SSN or demand payment via cash, gift card, prepaid debit card, cryptocurrency, or wire transfer.
- The SSA will never ask for personal or banking information in an email, on a phone call, or through an online service.
- Get INKY.
Preying upon our greatest worries can be a successful tactic when it comes to cybercrime. Thankfully, one of the best remedies for worry is preparation. That certainly is the case when it comes to phishing disasters, which is why so many companies are preparing to fight phishing with INKY.
INKY is the behavioral email security platform that blocks threats, prevents data leaks, and coaches users to make smart decisions regarding the safety of their email. Like a cybersecurity coach, it signals suspicious behaviors with interactive banners that guide users to take safe action on any device or email client. IT teams don’t face the burden of filtering every email themselves or maintaining multiple systems. Through powerful technology and intuitive user engagement, INKY keeps bad actors out for good. Start a free trial or schedule a demo today.
1. Sources: www.verywellmind.com/what-americans-of-all-ages-are-worrying-about-right-now-5202028 ; www.pewresearch.org/fact-tank/2022/05/12/by-a-wide-margin-americans-view-inflation-as-the-top-problem-facing-the-country-today/