'Phishing' Scheme Targets Thrift Savings Plan Holders

By Stephen Barr
Monday, March 20, 2006

Last week's scare at the Thrift Savings Plan is an opportunity to offer this reminder: Do not click on Web links in unsolicited e-mails.

Someone, or some group, operating from somewhere, took advantage of the TSP's trusted name in a scam to rip off credit card and bank accounts. The scheme was built around a fictional TSP e-mail and a bogus TSP Web site.

After calls started pouring in from plan participants about the suspicious e-mail, the TSP staff played it safe and shut down part of the agency's Internet operation, stopping account transactions. They also called in the FBI.

"It was the first time we have had a phishing situation where they are sending people to something that looks like our Web site," a TSP official said.

The TSP, a 401(k)-type retirement savings program, has more than 3.5 million participants and assets of more than $178 billion. The plan uses the Internet to provide account information to participants and to process withdrawals, interfund transfers and other transactions.

TSP officials have no tally of how many people got the phony e-mail or how many responded and turned over personal financial information. Although it appears that many of the e-mails went to government employees and retirees, TSP officials said they have been contacted by persons who are not TSP enrollees. Some people did fall for the scheme, the officials said.

The officials pointed out that TSP does not maintain e-mail addresses for participants and never asks participants to provide credit card or banking information, such as pass codes for automated teller machines.

The phony e-mail informed recipients that a new e-mail address had been added for their TSP accounts and directed them to click on a link to www.tsp.gov "if you did not authorize this change."

The link's visible text read www.tsp.gov, but its actual destination was a mock site, where people were directed to type in their Social Security number and TSP personal identification number, or PIN.

Once those were submitted, the site presented an "unblock form" whose poor grammar and misspellings should have raised red flags for readers.

"If you see this message means that your account is bloked and u got a notification email, enter the information below and click on the Unblock my Account button," the Web page began. It directed readers to type in a credit card number and their "Atm PIN Number."
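The trick at the heart of this scheme is a link whose displayed text says www.tsp.gov while its href points somewhere else entirely. The following is an added example, not part of the original article or any TSP tool: a small Python script that scans the HTML body of an e-mail for anchors whose visible text names one domain but whose link target belongs to another, and for links that go to a bare IP address. The sample message it runs on is constructed to mirror the article's description; the hostnames in it are made up.

```python
"""Flag anchors in an HTML e-mail whose visible text names one domain
but whose href points to another (the 'www.tsp.gov' trick described above).
Added example; the sample message and hostnames below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the article's description of the phish.
SAMPLE_EMAIL_HTML = """
<p>A new e-mail address has been added to your TSP account.</p>
<p>If you did not authorize this change, click
<a href="http://tsp.gov.account-verify.example/unblock">www.tsp.gov</a>.</p>
<p>Official site: <a href="https://www.tsp.gov/">https://www.tsp.gov/</a></p>
<p><a href="http://203.0.113.7/tsp/login">Unblock my Account</a></p>
"""

# Something that looks like a hostname inside the anchor's visible text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class _AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _norm(host):
    """Lower-case, drop a trailing dot and a leading 'www.' for comparison."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def _same_site(shown, actual):
    """True if the real host is the shown domain or a subdomain of it."""
    shown, actual = _norm(shown), _norm(actual)
    return actual == shown or actual.endswith("." + shown)


def suspicious_links(html):
    """Return (text, href, reason) for each anchor that misrepresents its target."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        if IPV4_RE.fullmatch(host):
            findings.append((text, href, "raw IP address as host"))
            continue
        shown = DOMAIN_RE.search(text)
        if shown and not _same_site(shown.group(1), host):
            findings.append((text, href,
                             f"text says {shown.group(1)} but link goes to {host}"))
    return findings


if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS: [{text}] -> {href}: {reason}")
```

The check is deliberately conservative: an anchor whose text is just "click here" carries no claim about where it leads, so it is not flagged; only links that name a domain in their text and then go elsewhere, or that go to a numeric address, are reported. It does not catch look-alike domains (tsp-gov.example) where the text and href agree, which is why the article's advice not to click links in unsolicited mail at all still stands.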

The TSP is not the only federal agency exploited for online identity-theft schemes known as "phishing." E-mails claiming to be from the Internal Revenue Service have been on the increase, even though the IRS does not contact taxpayers by unsolicited e-mail.


© 2006 The Washington Post Company