Vishing Campaign Targets Social Security Administration

Written by

Security experts have warned of a new hybrid phishing campaign impersonating the Social Security Administration (SSA), which tries to trick recipients into calling a criminal call center.

Armorblox claimed that it blocked the scam emails for at least 160,000 customers.

The malicious messages are timed to coincide with tax season. The email subject line, “Due to erroneous and suspicious activities,” is designed to create enough anxiety and urgency for the recipient to open the message.

Other social engineering techniques include using the recipient’s legitimate email address at the start of the message in order to personalize it, and adding a customized sender name: “Social Security Administration-2521.”

Read more on vishing attacks: Vishing Makes Phishing Campaigns Three-Times More Successful.

The email itself informs the user their Social Security Number account has been suspended due to suspicious activity. Those who open the attached PDF are presented with a letter confirming the same information, spoofed to appear as if written on SSA letterhead.

“With a Social Security Administration logo within the upper-left corner as well as used at the watermark, the letter of suspension provides little to no explanation of the reason behind the decision to terminate the SSN account,” Armorblox explained.

“The bluntness of the letter includes a ‘wish you the best in your future endeavors’ sign-off and a telephone number for any questions recipients wished to be addressed.”

The letter includes a case number, signature of the acting commissioner, email reference ID, customer service contact number and the physical address of the SSA to add further legitimacy to the scam.

“The main action the bad actor aimed to facilitate through this email attack was for recipients to call the customer service number included, in two separate mentions for safe measure – taking this attack away from email to phone, a true vishing attack,” the security vendor said.

Although Armorblox didn’t call the number in question, it’s likely that malicious call center operatives would be waiting to harvest more personal and financial information from victims, to use in identity fraud and other scams.

A PhishLabs report from August 2022 revealed that hybrid vishing attacks of this sort grew by over 600% from Q1 to Q2 2022.

What’s hot on Infosecurity Magazine?