New Phishing Campaign Aims for Social Security Numbers
The Targets Are Vulnerable U.S. Citizens and Migrant Workers.
In September 2022, a new phishing campaign was detected that targets people's Social Security Numbers (SSNs).
Cybercriminals are impersonating the Social Security Administration (SSA) to trick U.S. citizens, permanent residents, and temporary workers into revealing this crucial information.
An SSN is a universal identifier and can be used to initiate a multitude of cybercrimes in the U.S.
How the Phishing Attack Works
INKY revealed in a report that this campaign was built as a two-step attack.
First, the victim receives a phishing email purportedly from the U.S. Social Security Administration (SSA).
The subject line of this email instills a sense of urgency, convincing the victim to open it, as shown below:
- Hi <redacted_email address> SSN going to be suspended (Case ID- SSA-75214260).
- Hi <redacted_email address> SSN found under suspicious activities, Docket No. 79851704.
- Fraudulent activity detect in your SSN Account.. Case id:15383815
- Suspicious activity detect in your SSN account. Docket id:13161614
- Your SSN id will be discontinued from service due to suspicious activity. Case id:18191915
- Your SSN id shortlisted for intimation. Case id:20101028
- Attention Dear <redacted_email address> Your SSN Going to Terminate soon Docket No. 67555263.
- Attention Dear <redacted_email address>: Termination of your SSN Docket No. 39525276.
- Your SSN will be discarded soon. Case id:19474728
- Dear <redacted_email address>: SSN_Intimation_Mail Docket No. 64796813.
- Hi <redacted_email address>. SSN Alert! Termination Warning, Docket No. 22105363.
Although the display address on the emails reads “Social Security Administration,” closer examination reveals that the sender is a random Gmail address.
Because these attacks emanate from Gmail, which has a high sender reputation, they were able to pass email authentication (SPF, DKIM, DMARC). There were also no malicious attachments or links for email security vendors to scrutinize. Instead, the phishers socially engineered a fake letter in a PDF attachment and instructed recipients to contact them via a phone number.
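The two observations above (an SSA display name sitting in front of an unrelated Gmail sender, and a message that carries only a PDF and no link) are both visible in the message headers and structure, even when SPF, DKIM and DMARC pass. The following is an added triage rule written for this article, not INKY's or any vendor's code; the set of legitimate SSA domains and the sample messages are constructed assumptions, and the lure phrases are lifted from the subject lines listed above.

```python
"""Added example: triage rule for display-name impersonation of the SSA.

Flags a message whose From display name claims to be the Social Security
Administration while the actual sender domain is not ssa.gov, scores the
subject-line lures seen in this campaign (suspension/termination wording,
fabricated "Case id"/"Docket No." numbers), and notes a PDF attachment sent
without any link in the body, the call-back pattern this campaign used.
Both sample messages below are constructed for the example.
"""
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

# Assumption: domains the SSA legitimately sends from.
LEGIT_SSA_DOMAINS = {"ssa.gov"}

# Display-name strings an impersonator would use.
SSA_NAME_RE = re.compile(r"social\s+security|\bssa\b", re.IGNORECASE)

# Lure wording taken from the campaign's subject lines.
THREAT_WORDS = r"(suspend|terminat|discontinu|discard|suspicious|fraud)"
LURE_RE = re.compile(
    rf"\bSSN\b.*\b{THREAT_WORDS}|\b{THREAT_WORDS}\w*.*\bSSN\b", re.IGNORECASE
)
# "Case id:15383815", "Docket No. 79851704", "Case ID- SSA-75214260"
CASE_ID_RE = re.compile(
    r"\b(case\s*id|docket\s*(no\.?|id))\s*[:\-]?\s*\S*\d{6,}", re.IGNORECASE
)


def body_has_link(msg) -> bool:
    """True if the text or HTML body contains an http(s) URL."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return bool(part and re.search(r"https?://", part.get_content()))


def triage(raw: str) -> dict:
    """Parse a raw RFC 5322 message and return the findings for it."""
    msg = message_from_string(raw, policy=default)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    subject = " ".join(msg.get("Subject", "").split())  # normalise folding
    findings = []
    if SSA_NAME_RE.search(name) and domain not in LEGIT_SSA_DOMAINS:
        findings.append(f"display name claims SSA but sender domain is {domain}")
    if LURE_RE.search(subject):
        findings.append("subject uses an SSN suspension/fraud lure")
    if CASE_ID_RE.search(subject):
        findings.append("subject carries a fabricated case/docket number")
    pdfs = [
        p.get_filename() for p in msg.iter_attachments()
        if (p.get_filename() or "").lower().endswith(".pdf")
    ]
    if pdfs and not body_has_link(msg):
        findings.append("PDF attachment with no link in body (call-back lure)")
    return {"from": addr, "findings": findings, "suspicious": len(findings) >= 2}


def build_sample_phish() -> str:
    """Constructed message mirroring the campaign: SSA name, Gmail sender, PDF."""
    m = EmailMessage()
    m["From"] = "Social Security Administration <random.person1234@gmail.com>"
    m["To"] = "victim@example.com"
    m["Subject"] = "Hi victim@example.com SSN going to be suspended (Case ID- SSA-75214260)."
    m.set_content("Please read the attached letter and call the number provided.")
    m.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                     subtype="pdf", filename="SSA_Notice.pdf")
    return m.as_string()


def build_sample_legit() -> str:
    """Constructed benign message: same display name, genuine domain, no lure."""
    m = EmailMessage()
    m["From"] = "Social Security Administration <no-reply@ssa.gov>"
    m["To"] = "citizen@example.com"
    m["Subject"] = "Your annual statement is available"
    m.set_content("Sign in to your account to view your statement.")
    return m.as_string()


if __name__ == "__main__":
    for raw in (build_sample_phish(), build_sample_legit()):
        print(triage(raw))
```

The rule deliberately does not depend on authentication results: the page's point is that SPF, DKIM and DMARC all pass because Gmail really did send the message, so a mailbox rule that trusts those checks alone will never catch this. Requiring two findings before marking a message suspicious keeps a genuine SSA notice, which may legitimately use the same display name, from being flagged on the name alone.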
Pushing the social engineering further, the email carries a PDF letter with SSA-branded elements stating that the recipient's SSN has been linked to illegal and fraudulent activities and will consequently be suspended within 24 hours.
To avert this, the target is urged to call a fake SSA number included in the letter, which is the second part of the attack: the vishing.
Vishing is a type of cybercrime in which private information is stolen over the phone. In this campaign, the attackers convinced victims who called to disclose their SSN, assuring them that it would not be suspended or pretending to issue a new one for them.
How to Stay Safe from Phishing Attacks
Like every cybercrime, phishing can be prevented by staying informed and alert when bait arrives in your inbox.
Here are a few simple steps you can take for your safety:
- Check the URL of any link you receive before clicking it.
- Do background research on the organization sending the message: the SSA uses physical letters to communicate problems, and will never ask for personal or banking information via phone or online.
- Look for grammatical and spelling errors; they can indicate a fake message.