Social Security vishbait.
N2K | Mar 17, 2023

Armorblox researchers yesterday discussed a vishing attack targeting the US Social Security Administration.


Armorblox yesterday released a report detailing a vishing (or “voice phishing”) attack impersonating the US Social Security Administration.

How hackers are impersonating the Social Security Administration in attempted vishing attacks.

Researchers report that the attack begins with a phishing email. The email purports to be from a sender with the display name “Social Security Administration-2521.” It manufactures urgency to get the victim’s attention, claiming that the user's Social Security number was suspended due to “erroneous and suspicious activities.” Attached is a PDF file presented as a “letter of suspension” that, when opened, appears to be on SSA letterhead. At the bottom of the file is a phone number offered as “contact information” should the user need help. The attacker’s end goal is a callback: the victim dials the fraudulent number and is talked into revealing sensitive information. Because the call to action is a phone number inside an attachment rather than a link, there is no URL for link-scanning controls to evaluate, which is what makes this a vishing lure delivered by email rather than a conventional phish.

Best practices for keeping sensitive information out of attackers' hands.

Armorblox researchers advise layering additional email security controls on top of the tools an organization already has in place. This attack relied on social engineering, that is, manipulating a victim by instilling a false sense of trust and urgency. The researchers advise watching for cues that hint at social engineering, such as suspicious sender names, mismatched email addresses, and inconsistent language and logic within the body of the email. Sound password hygiene and multi-factor authentication are advised as well.
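The cues described in the two paragraphs above (an agency name in the display name but not in the sending domain, pressure language, a PDF attachment, and a phone number as the only call to action) can be turned into a mechanical triage check. The following is an added example written for this page; it is not Armorblox's detection logic, and the sender domain, phone number and PDF text are constructed test data. It assumes the PDF's text has already been extracted upstream (for instance with pdftotext) and is passed in as a string.

```python
"""
Heuristic triage for callback-phishing ("vishing") lures that impersonate a
government agency. Added example for this page, not Armorblox's detector;
sender domain, phone number and PDF text below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Brands to protect and the domains legitimately allowed to send as them.
# Assumption for this example: only the listed .gov domains are legitimate.
PROTECTED_BRANDS = {
    "social security administration": ("ssa.gov",),
    "internal revenue service": ("irs.gov",),
}

# Pressure language typical of the "your SSN has been suspended" lure.
URGENCY_TERMS = ("suspended", "suspicious activit", "erroneous",
                 "immediately", "within 24 hours", "legal action")

# Loosely matched North American phone number: the callback number is the
# real payload of a vishing lure, so we hunt for it in body and attachments.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+")

# Constructed sample lure modelled on the report: display name from the
# article, everything else (domain, phone number, PDF text) made up here.
SAMPLE_EMAIL = """\
From: "Social Security Administration-2521" <ssa.notice@example-mailer.test>
To: recipient@example.org
Subject: Your Social Security Number has been suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your Social Security number has been suspended due to erroneous and
suspicious activities. See the attached letter of suspension.

--b1
Content-Type: application/pdf; name="letter_of_suspension.pdf"
Content-Disposition: attachment; filename="letter_of_suspension.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Stand-in for the text a PDF extractor would return for the attachment.
SAMPLE_PDF_TEXT = """\
SOCIAL SECURITY ADMINISTRATION
Letter of Suspension
Your Social Security number has been suspended pending review.
Contact information: (555) 010-2345
"""

# Constructed control message from the legitimate domain, no lure content.
BENIGN_EMAIL = """\
From: "Social Security Administration" <no-reply@ssa.gov>
To: recipient@example.org
Subject: Your annual statement is available
Content-Type: text/plain; charset="utf-8"

Your annual statement is now available in your online account.
"""


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def brand_domain_mismatch(display_name: str, addr: str):
    """Return the claimed brand if the display name names a protected brand
    but the sending domain is not one of its legitimate domains, else None.
    Lookalikes such as ssa-gov.example are mismatches, not matches."""
    name, domain = display_name.lower(), sender_domain(addr)
    for brand, good in PROTECTED_BRANDS.items():
        if brand in name and not any(domain == d or domain.endswith("." + d) for d in good):
            return brand
    return None


def plain_text_body(msg) -> str:
    """Concatenate the text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain" or part.get_content_disposition() == "attachment":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message: str, attachment_text: str = "") -> dict:
    """Score one message; attachment_text is PDF text already extracted upstream."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    searchable = f"{msg.get('Subject', '')}\n{plain_text_body(msg)}\n{attachment_text}"
    indicators = {}

    brand = brand_domain_mismatch(display, addr)
    if brand:
        indicators["brand_domain_mismatch"] = f"display name claims '{brand}' but mail comes from {sender_domain(addr)}"
    hits = [t for t in URGENCY_TERMS if t in searchable.lower()]
    if hits:
        indicators["urgency_language"] = ", ".join(hits)
    pdfs = [p.get_filename() for p in msg.walk() if p.get_content_type() == "application/pdf"]
    if pdfs:
        indicators["pdf_attachment"] = ", ".join(filter(None, pdfs))
    phones = sorted(set(PHONE_RE.findall(searchable)))
    if phones:
        indicators["callback_number"] = ", ".join(phones)
        # A number with no link at all is the signature of a callback lure:
        # the attacker wants a call, not a click, so URL filters see nothing.
        if not URL_RE.search(searchable):
            indicators["phone_only_call_to_action"] = "no URLs present"

    if brand and phones:
        verdict = "likely callback phish"
    elif len(indicators) >= 2:
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    return {"verdict": verdict, "indicators": indicators}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EMAIL, SAMPLE_PDF_TEXT), indent=2))
    print(json.dumps(triage(BENIGN_EMAIL), indent=2))
```

Run as a script it prints the indicator breakdown for both messages. The sample lure scores as a likely callback phish on the brand/domain mismatch plus a phone number with no URL; the control from ssa.gov produces no indicators. The brand list and urgency terms are deliberately small and would need tuning against real mail flow; the structural signals (display-name brand outside its domain, phone number as the only call to action) are the ones that generalize across agencies.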

(Added, 3:15 PM ET, March 17th, 2023. Erich Kron, security awareness advocate at KnowBe4, commented on the seasonal pressures that lend urgency to this kind of social engineering:

“This tactic is not new; however, timing it with the filing of taxes adds an additional level of stress to recipients of these attacks. This is the time of year when many people are on edge about dealing with the government. Issues related to their Social Security number, the prime identifier when filing taxes, can add additional stress. This attack, like so many other similar attacks, heavily relies on emotions to get people to miss the otherwise obvious clues that this is a scam. Whether it's fear, a strong sense of urgency, or even strong feelings of excitement, when people are in a heightened emotional state, we tend to not think critically.

“To protect ourselves, anytime we receive a text message, an email, or even a phone call that elicits a strong emotional response, it is important that we take a deep breath and look at the facts critically. In the case of government communications, the government will almost never make an initial contact with an individual through email. It will always be through traditional US mail, and if it's especially urgent, it's likely to be registered mail. In addition, they will not call a person without previous written correspondence and will never demand money or sensitive information through an initial phone call. Most government organizations, especially the IRS and Social Security Administration, have their contact policies published on their website, allowing people to confirm when and how they contact people about various topics.”)