It was never a matter of if, but when.
As soon as the news broke about two major hacking incidents at the Office of Personnel Management, I knew what would come next. And I knew it wouldn’t be immediate cases of identity theft.
It could be months, if not years, before identity thieves victimize employees whose information was compromised. They know people are more vigilant at the beginning. So they wait until everyone calms down.
But there is another group of scammers who strike quickly when a data breach is disclosed. Ironically, with nary a piece of information from a hacking incident, these criminals can ride the coattails of the caper by pretending to help potential victims.
And sure enough, the Federal Trade Commission recently issued a scam alert warning government employees, contractors and others affected by the OPM hacks to look out for imposters pretending to be from the FTC and offering compensation to data-breach victims.
In April, the OPM learned that personal information — birth dates, home addresses and Social Security numbers — for 4.2 million current and former federal government employees had been stolen. Then in June came a massive breach involving 21.5 million individuals. In that case, the stolen information included background-investigation records of current, former and prospective federal employees and contractors. Even the spouses and cohabitants of applicants have been put at risk.
With that many people now concerned about their personal information, scammers are likely to find quite a few who can be tricked into parting with their money or the very data that was stolen.
According to Lisa Weintraub Schifferle, an attorney for the FTC’s Division of Consumer and Business Education, here’s how one scam works: A man, who identifies himself as Dave Johnson, calls and says that he’s from the FTC and that the government is offering compensation to people affected by the OPM breach. He says he’s from the agency’s Las Vegas office. But to get the money, you have to provide some personal information. (By the way, the FTC does not have a branch in Las Vegas.)
“Stop,” Schifferle writes in a blog post. “Don’t tell him anything. He’s not from the FTC.”
I can see how people might fall for this scam. The OPM has announced that it’s offering people identity-theft protection, and a clever con artist could convince folks that they’re getting money to pay for this service.
I’m sure many of you know the following advice, but it’s worth going over again:
● Say nothing. You’ve got to develop a blanket policy of not giving out any of your personal information if you have not initiated a call or e-mail. Even an innocent revelation, like the name of your pet, is a great gain for identity thieves.
I’ve been watching USA Network’s “Mr. Robot,” a show about an antisocial guy named Elliot who works by day as a cybersecurity engineer fighting corporate hack attacks. But in his off-time, Elliot is an extremely skilled hacker, although he does it for the greater good, exposing criminals or liars. Anyway, he breaks into people’s accounts or buildings by just talking to them. It’s human hacking or what’s called “social engineering.”
“Nothing is actually impenetrable,” the protagonist says in a recent episode. “People always make the best exploits. I never find it hard to hack most people. If you listen to them, watch them, their vulnerabilities are like a neon sign screwed into their foreheads.”
With just a few questions, he’s able to get what he needs with incredible ease. The questions come so quickly and smoothly that people don’t even realize what’s happening.
● Do nothing. If a caller ever asks you to wire money or load money onto a prepaid debit card, don’t. The more the person tries to rush or push you, the greater the probability that it’s a scam. And really, when does the government call to give you money?
● Don’t believe what you see. It’s easy to alter what appears on someone’s caller ID, so don’t trust a number you see that may appear to be from the FTC or any government agency.
If you get a call or e-mail relating to the OPM breaches, let the FTC know by going to ftccomplaintassistant.gov. Send any suspicious e-mails to the Department of Homeland Security’s Computer Emergency Readiness Team at email@example.com.
No doubt any OPM-related scams will change and evolve. So be on the lookout for calls or e-mails purportedly from the government promising money — or ones that may even try to get you to disclose the same type of information that was pinched in the hacks. Trust no one.
Readers may write to Michelle Singletary at The Washington Post, 1150 15th St. NW, Washington, D.C. 20071 or firstname.lastname@example.org. To read previous Color of Money columns, go to wapo.st/michelle-singletary.