By Stephen Barr
Monday, March 20, 2006
Last week's scare at the Thrift Savings Plan is an opportunity to offer this reminder: Do not click on Web links in unsolicited e-mails.
Someone, or some group, operating from somewhere, took advantage of the TSP's trusted name in a scam to rip off credit card and bank accounts. The scheme was built around a fictional TSP e-mail and a bogus TSP Web site.
After calls started pouring in from plan participants about the suspicious e-mail, the TSP staff played it safe and shut down part of the agency's Internet operation, stopping account transactions. They also called in the FBI.
"It was the first time we have had a phishing situation where they are sending people to something that looks like our Web site," a TSP official said.
The TSP, a 401(k)-type retirement savings program, has more than 3.5 million participants and assets of more than $178 billion. The plan uses the Internet to provide account information to participants and to process withdrawals, interfund transfers and other transactions.
TSP officials have no tally of how many people got the phony e-mail or how many responded and turned over personal financial information. Although it appears that many of the e-mails went to government employees and retirees, TSP officials said they have been contacted by persons who are not TSP enrollees. Some people did fall for the scheme, the officials said.
The officials pointed out that TSP does not maintain e-mail addresses for participants and never asks participants to provide credit card or banking information, such as pass codes for automated teller machines.
The phony e-mail informed recipients that a new e-mail address had been added for their TSP accounts and directed them to click on a link to www.tsp.gov "if you did not authorize this change."
The link, however, did not take the recipient to tsp.gov but to a mock site, where people were directed to type in their Social Security number and TSP personal identification number, or PIN.
Once completed, the e-mail recipient was sent an "unblock form" that should have sent up red flags to readers because of poor grammar and misspellings.
"If you see this message means that your account is bloked and u got a notification email, enter the information below and click on the Unblock my Account button," the Web page began. It directed readers to type in a credit card number and their "Atm PIN Number."
The TSP is not the only federal agency exploited for online identity-theft schemes known as "phishing." E-mails claiming to be from the Internal Revenue Service have been on the increase, even though the IRS does not communicate with taxpayers electronically.
The TSP learned about 2 p.m. Thursday that it was being impersonated and stopped transactions on its Web site at about 6 p.m. On Thursday night, TSP posted a notice warning participants about the scam.
After the scammers turned off their bogus Web site on Friday, officials restored full service on the TSP site.
TSP officials suspect that the scammers were after credit card information and doubt they could meet criteria for taking money out of a TSP account. But they said reviews are underway to detect any suspicious activity in TSP accounts.
The scam, however, has disrupted processing of loans and withdrawals, which may be delayed for two days, in part because of the TSP internal review.
If you received one of the phony e-mails, TSP urges you to read a special notice posted on tsp.gov under the heading "E-Mail Scam" and use a toll-free phone number to contact a customer service representative.On the Move
Mark A. Robbins , who worked on E Street NW as general counsel at the Office of Personnel Management, is now working on F Street, as the executive director of the president's Privacy and Civil Liberties Oversight Board.
The board was created by Congress to ensure that privacy and civil liberties issues are given appropriate consideration in the development of counterterrorism policy. Carol E. Dinkins serves as chairman and Alan Charles Raul as vice chairman.
Stephen Barr's e-mail address firstname.lastname@example.org.