It was never a matter of if, but when.
As soon as the news broke about two major hacking incidents at the Office of Personnel Management, I knew what would come next. And I knew it wouldn’t be immediate cases of identity theft.
It could be months, if not years, before identity thieves victimize employees whose information was compromised. They know people are more vigilant at the beginning. So they wait until everyone calms down.
But there is another group of scammers who strike quickly when a data breach is disclosed. Ironically, with nary a piece of information from a hacking incident, these criminals can ride the coattails of the caper by pretending to help potential victims.
And sure enough, the Federal Trade Commission recently issued a scam alert warning government employees, contractors and others affected by the OPM hacks to look out for imposters pretending to be from the FTC and offering compensation to data-breach victims.
In April, the OPM learned that personnel information — birth dates, home addresses and Social Security numbers — for 4.2 million current and former federal government employees had been stolen. Then in June came a massive breach involving 21.5 million individuals. In that case, the stolen information included background-investigation records of current, former and prospective federal employees and contractors. Even the spouses and cohabitants of applicants have been put at risk.
With that many people now concerned about their personal information, scammers are likely to find quite a few who can be tricked into parting with their money or the very data that was stolen.
According to Lisa Weintraub Schifferle, an attorney for the FTC’s Division of Consumer and Business Education, here’s how one scam works: A man, who identifies himself as Dave Johnson, calls and says he’s from the FTC and that the government is offering compensation to people affected by the OPM breach. He says he’s from the agency’s Las Vegas office. But to get the money, you have to provide some personal information. (By the way, the FTC does not have a branch in Las Vegas.)
“Stop,” Schifferle writes in a blog post. “Don’t tell him anything. He’s not from the FTC.”
I can see how people might fall for this scam. The OPM has announced that it’s offering people identity-theft protection, and a clever con artist could persuade folks that they’re getting money to pay for this service.
I’m sure many of you know the following advice, but it’s worth going over again:
Say nothing. You’ve got to develop a blanket policy of not giving out any of your personal information if you have not initiated a call or email. Even an innocent revelation, like the name of your pet, is a great gain for identity thieves.
Do nothing. If a caller ever asks you to wire money or load money onto a prepaid debit card, don’t. The more the person tries to rush or push you, the greater the probability it’s a scam. And really, when does the government call to give you money?
Don’t believe what you see. It’s easy to alter what appears on someone’s caller ID, so don’t trust a number you see that may appear to be from the FTC or any government agency.
If you get a call or email relating to the OPM breaches, let the FTC know by going to ftccomplaintassistant.gov. Send any suspicious emails to the Department of Homeland Security’s Computer Emergency Readiness Team at phishing-report@us-cert.gov.
No doubt any OPM-related scams will change and evolve. So be on the lookout for calls or emails purportedly from the government promising money — or ones that may even try to get you to disclose the same type of information that was pinched in the hacks. Trust no one.