What do you worry about the most? If you’re like most Americans surveyed on the subject, at the top of your list are money, the future, and political instability.1 On their own, each of these topics has the power to create a pretty hefty amount of anxiety. Combine them, however, and you have the perfect recipe for phishing mayhem.
We all have reason to worry. The annual rate of inflation is the highest it’s been in 41 years.2 The Federal Reserve has raised interest rates five times thus far in 2022 – to the highest they have been since 2008.3 And, an uneasy feeling about Social Security has been brewing for years, with funds expected to be depleted by 2034.4
Social Security Numbers (SSNs) were created in 1936 in order to track an individual’s history of earnings and eventually determine the appropriate amount of Social Security benefits they should receive. Today, SSNs have become a universal identifier and are linked to much more than just earnings history.
During the last half of September, INKY detected an influx of phishing emails that were allegedly from the U.S. Social Security Administration (SSA). While the display address on the emails reads “Social_Security_Administration,” further inspection reveals the sender’s true origin to be a random Gmail address.
If there is one place a hacker puts his best foot forward, it’s with the subject line. After all, phishing emails don't do much good unless they are opened and some type of action is taken. In this case, the subject lines include case and docket numbers to make the phishing threat seem more official. Here are a few examples, with the recipient’s contact information redacted:
It’s also good to note the element of urgency in some of these subject lines. Urgency is a phisher’s best friend. It causes people to panic and make ill-considered decisions.
All of the SSA brand impersonation phishing emails INKY caught contained a PDF attachment that opened in the form of a letter with SSA-branded elements. As you can see in this example, the letter starts with one of SSA’s widely used logos alongside a short tagline. It’s an image that looks sharp and is readily available online. In the body of the letter, the sender claims that illegal & fraudulent activities have been associated with the recipient’s SSN and, as a result, their SSN will be suspended in 24 hours. A phone number is given to resolve this issue.
So, what’s wrong with this phishing attempt? A lot.
Encouraging readers to call a phone number adds vishing to the mix. Vishing is a type of cybercrime that uses the telephone to steal confidential information. In this instance, the phone number provided in the letter does not belong to the SSA. When the number is called, the phishers who answer ask their victims to confirm their SSN so it can be unsuspended. In some instances, they will even claim that a new one has been issued for a fee.
As always, missteps in writing can be a strong phishing email indicator. A few things pop out in this particular example.
The beginning of the first sentence is missing a word. “This is to notify <you> that we…”
The use of an ampersand to replace the word “and” is not typically done in formal writing unless it is part of an official name or is part of a long list that would otherwise be unclear.
The third sentence has several issues.
The closing is also awkward.
In the past five years, the number of phishing and vishing crimes has risen more than 1000% — yes, one thousand percent. In 2021 alone it accounted for more than $44 million in losses.5
The SSA phishing and vishing attempts INKY caught were designed to fly under the radar. Because these attacks emanate from Gmail, which has a high sender reputation, they were able to pass email authentication (SPF, DKIM, DMARC). There were also no malicious attachments or links for email security vendors to scrutinize. Instead, the phishers socially engineered a fake letter in a PDF attachment and instructed recipients to contact them via a phone number.
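As an added illustration (this is not INKY's code and says nothing about how its product works), here is a small Python triage script that scores a message on the observable traits described above: a government brand in the display name over a freemail sender, urgency and case/docket references in the subject, and a PDF attachment with no links in the body. The sample message, freemail domain list and keyword lists are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the campaign described above; not a real capture.
SAMPLE_EML = """\
From: Social_Security_Administration <someuser12345@gmail.com>
Subject: Urgent: Case No. 4471-SSA Docket 88213 - Action Required Within 24 Hours
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached notice regarding your Social Security Number.
--b1
Content-Type: application/pdf; name="SSA_Notice.pdf"
Content-Disposition: attachment; filename="SSA_Notice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
BRAND_TOKENS = ("social security", "social_security", "ssa")
URGENCY_TOKENS = ("urgent", "24 hours", "suspend", "immediately", "action required")
CASE_REF = re.compile(r"\b(case|docket)\s*(no\.?|number|#)?\s*[\w-]*\d", re.I)
URL_RE = re.compile(r"https?://", re.I)

def score_message(raw: str) -> dict:
    """Return per-signal findings plus a simple count. SPF/DKIM/DMARC results are
    deliberately ignored: this lure passes all three because it is sent from Gmail."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    subject = str(msg.get("Subject", "")).lower()
    findings = {}
    # Government brand in the display name but a freemail sender domain
    findings["brand_freemail_mismatch"] = (
        any(t in display.lower() for t in BRAND_TOKENS) and domain in FREEMAIL_DOMAINS)
    findings["urgency"] = any(t in subject for t in URGENCY_TOKENS)
    findings["case_or_docket_ref"] = bool(CASE_REF.search(subject))
    # Attachment-only lure: a PDF is present and the text body carries no URL
    pdfs = [p for p in msg.iter_attachments() if p.get_content_type() == "application/pdf"]
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body else ""
    findings["pdf_no_links"] = bool(pdfs) and not URL_RE.search(body_text)
    findings["score"] = sum(1 for v in findings.values() if v is True)
    return findings
```

The same message sent from a genuine agency domain would clear the display-name check, which is why the sender domain, not the authentication verdict, is the signal worth alerting on here.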
Let’s summarize some of the tactics used by these SSA phishers.
Preying upon our greatest worries can be a successful tactic when it comes to cybercrime. Thankfully, one of the best remedies for worry is preparation. That certainly is the case when it comes to phishing disasters, which is why so many companies are preparing to fight phishing with INKY.
INKY is the behavioral email security platform that blocks threats, prevents data leaks, and coaches users to make smart decisions regarding the safety of their email. Like a cybersecurity coach, it signals suspicious behaviors with interactive banners that guide users to take safe action on any device or email client. IT teams don’t face the burden of filtering every email themselves or maintaining multiple systems. Through powerful technology and intuitive user engagement, INKY keeps bad actors out for good. Start a free trial or schedule a demo today.
1Sources: www.verywellmind.com/what-americans-of-all-ages-are-worrying-about-right-now-5202028, www.pewresearch.org/fact-tank/2022/05/12/by-a-wide-margin-americans-view-inflation-as-the-top-problem-facing-the-country-today/
2Source: https://www.pewresearch.org/fact-tank/2022/06/15/in-the-u-s-and-around-the-world-inflation-is-high-and-getting-higher/
3Source: https://www.cnbc.com/2022/09/21/fed-raises-interest-rates-what-will-be-more-expensive.html
4Source: https://www.ssa.gov/oact/trsum/
5Source: https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf