Someone recently went on a phishing expedition to see if federal employees would bite on a phony Thrift Savings Plan Web site, and the TSP—suspecting another federal agency—wants to know who dropped the bait and tell them to stay out of its pond.
The TSP, a 401(k)-style program available to federal employees and military personnel, on Monday said it is investigating an e-mail that made the rounds of federal employees last week directing them to a site with a variant spelling of the TSP’s official site, www.tsp.gov.
The TSP suspects that the e-mail started with an agency testing its workers’ security awareness because similar incidents have happened at least twice before, most recently in 2009, spokeswoman Kim Weaver said. The message spread among a number of agencies, triggering inquiries to the TSP about the phony site.
The site, apparently created by the original sender, has since been taken down, and there is no indication that anyone’s investment account was compromised, Weaver said.
The TSP on Monday posted a notice on its site warning account holders that sites other than its own “may steal your login credentials when you enter them.” Last year it issued a similar warning about third-party mobile device applications.
However, the TSP is not completely certain that another agency started the e-mail. “What we’re trying to do is backtrack to where it started,” Weaver said. If another agency is identified as the source, “we will send a really stern letter” and work within the government’s financial and security communities to dissuade other agencies from doing the same.
“Our brand and people’s trust is paramount,” she said. “We can’t afford to have people misuse our brand in that way. Security awareness training is great stuff but leave us out of it.”