This new phishing scam can steal your Social Security number — how to stay safe

[Image: hacker using a stolen Social Security card. Image credit: Blazej Lyjak/Shutterstock]

When it comes to your personal information, your Social Security number is the piece most coveted by cybercriminals because of how easily it can be used to commit identity theft. Yet Social Security numbers are still routinely used as a universal identifier despite the security risks of doing so.

According to a new blog post from the email security company INKY, a new phishing campaign is currently making the rounds online that uses the Social Security numbers of potential victims as a lure.

The firm first detected an influx of these phishing emails back in September of this year. The messages claim to come from the Social Security Administration (SSA), but on closer inspection their true origin is a random Gmail address.

Nonetheless, many people may fall for this phishing scam when these fake emails arrive in their inboxes as they are actually quite convincing at first glance.

Watch out for these subject lines

[Image: an email inbox displayed on a laptop screen next to a cup of coffee. Image credit: one photo/Shutterstock]

To get people to open their phishing emails, scammers often try to instill a sense of urgency in potential victims. In this particular campaign, they use the threat of having one’s Social Security number suspended to pressure victims into responding.

You'll see subject lines like “SSN going to be suspended,” “SSN found under suspicious activities,” and “SSN Alert! Termination Warning."

Alongside these subject lines, the cybercriminals behind this campaign also include either case ID numbers or docket numbers to make their phishing emails appear more legitimate.

While the emails themselves don’t contain malware or anything else dangerous, they do arrive with a PDF attachment purporting to be a letter from the SSA. The SSA’s widely recognized logos are present alongside a short tagline which reads: “Securing today and tomorrow”.

Including case or docket numbers is a smart move on the scammers’ part: the numbers make the messages look official, and recipients have no way to verify whether or not they are real.

From regular phishing to voice phishing

[Image credit: 10'000 Hours]

Cybercriminals, hackers and scammers normally try to include malicious files or malware in their email attachments. However, these payloads are often caught by email security software, and the messages never reach their intended targets.

In this campaign, though, the fake letter claiming to come from the SSA instead includes a phone number that recipients can call in case they have any questions. Here, the cybercriminals switch from phishing to vishing (voice phishing). Vishing has become an increasingly popular attack method because victims initiate contact with the scammers themselves rather than the other way around, which sidesteps the email-borne payloads that security software is built to catch.
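The indicators described above (an SSN-suspension subject line, a sender whose display name claims the SSA while the address is a consumer mailbox, a fabricated case or docket number, and a PDF "letter" carrying a callback phone number) can be turned into a simple mail-triage rule. The following is an added example written for this article, not INKY's detection logic or anything from the SSA or Tom's Guide. The sample email, the attachment text, the `ssa.gov` allow-list and the phone numbers are constructed for illustration; extracting text from the PDF itself is assumed to happen elsewhere (for instance with a `pdftotext`-style tool), so the function takes any pre-extracted attachment text as a separate argument.

```python
"""Triage heuristics for SSA-themed phishing / vishing lures.

Added example for this article, not INKY's or the SSA's code.
All sample data below is constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Iterable

# Subject-line lures reported by INKY: "SSN going to be suspended",
# "SSN found under suspicious activities", "SSN Alert! Termination Warning".
LURE_PATTERNS = [
    re.compile(r"\bSSN\b.*\b(suspend|suspicious|terminat)", re.I),
    re.compile(r"\bsocial security\b.*\b(suspend|terminat)", re.I),
]
# Fabricated "Case ID" / "Docket No." references; the lookahead requires a
# digit so ordinary prose such as "in case they" is not matched.
CASE_REF = re.compile(
    r"\b(?:case\s*(?:id|no\.?|number)?|docket(?:\s*(?:no\.?|number))?)"
    r"\s*[:#]?\s*(?=[A-Z0-9-]*\d)[A-Z0-9-]{4,}\b", re.I)
# US phone number in the attached "letter" = the vishing callback lure.
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
# Display names that claim to be the agency.
CLAIMS_SSA = re.compile(r"\b(ssa|social security)\b", re.I)
# Assumption: domains the real agency would send from (allow-list).
SSA_DOMAINS = {"ssa.gov"}


def _text_parts(msg) -> Iterable[str]:
    """Yield decoded text/plain bodies (not attachments)."""
    for part in msg.walk():
        if (part.get_content_type() == "text/plain"
                and part.get_content_disposition() != "attachment"):
            yield part.get_payload(decode=True).decode("utf-8", "replace")


def _pdf_attachments(msg) -> list:
    """Filenames of PDF attachments (by MIME type or extension)."""
    return [p.get_filename() for p in msg.walk()
            if p.get_content_type() == "application/pdf"
            or (p.get_filename() or "").lower().endswith(".pdf")]


def triage(raw: str, attachment_texts: Iterable[str] = ()) -> dict:
    """Score one RFC 822 message; attachment_texts is pre-extracted PDF text."""
    msg = message_from_string(raw)
    attachment_texts = list(attachment_texts)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    findings = []

    if any(p.search(subject) for p in LURE_PATTERNS):
        findings.append("subject:ssn_suspension_lure")
    if CLAIMS_SSA.search(display) and domain not in SSA_DOMAINS:
        findings.append(f"sender:claims_ssa_from_{domain}")

    corpus = " ".join([subject, *_text_parts(msg), *attachment_texts])
    if CASE_REF.search(corpus):
        findings.append("body:case_or_docket_number")

    pdfs = _pdf_attachments(msg)
    if pdfs:
        findings.append("attachment:pdf")
    if pdfs and any(PHONE.search(t) for t in attachment_texts):
        findings.append("attachment:callback_phone_number")

    verdict = "quarantine" if len(findings) >= 3 else ("flag" if findings else "clean")
    return {"verdict": verdict, "findings": findings}


# Constructed sample resembling the campaign: SSA display name, Gmail sender,
# suspension subject, case ID in the body, PDF attachment.
SAMPLE = """\
From: "Social Security Administration" <random.person.1234@gmail.com>
To: recipient@example.com
Subject: SSN Alert! Termination Warning
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your SSN found under suspicious activities. See attached letter, Case ID: SSA-4471-29.
--b1
Content-Type: application/pdf; name="SSA_Notice.pdf"
Content-Disposition: attachment; filename="SSA_Notice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""
# Constructed text as a PDF-extraction step would return it (555-01xx is a fictitious range).
ATTACHMENT_TEXTS = ["Securing today and tomorrow. Docket No. 77-21904. "
                    "Call (800) 555-0142 immediately to avoid suspension."]
# Constructed benign control message.
CLEAN = """\
From: "Example Newsletter" <news@example.org>
Subject: Your weekly digest
Content-Type: text/plain

Nothing to see here.
"""

if __name__ == "__main__":
    print(triage(SAMPLE, ATTACHMENT_TEXTS))   # quarantine, five findings
    print(triage(CLEAN))                      # clean
```

Each finding on its own is weak (plenty of legitimate mail carries a PDF or a phone number), which is why the verdict only escalates to quarantine once several of them coincide; the sender-domain mismatch is the strongest single signal and is worth alerting on alone in a production filter.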

In an email to Tom’s Guide, cybersecurity analyst Bukar Alibe at INKY explained that once a victim calls the scammers, they are asked to verify their Social Security number, name and date of birth. The scammers also harvest the bank account information of victims or demand payment in gift cards or cryptocurrency to resolve any problems with their Social Security number.

This is particularly concerning, as that combination of details is exactly what someone would need to commit fraud in your name or steal your identity outright.

How to stay safe from phishing

To stay safe from phishing, always examine the emails that arrive in your inbox carefully. Misspelled words and poor grammar are a major red flag, and the emails examined by INKY contain several instances of both.


Beyond spelling and grammar, keep in mind that, as a blog post from the FTC points out, Social Security numbers do not actually get suspended. At the same time, like the IRS, the Social Security Administration prefers to get in touch by physical mail. The organization will only contact people by email or phone if they have ongoing business with them.

Never give out information over the phone to someone you did not contact through a number you have independently verified. Whether they’re asking for personal or financial information, it could be used against you. US government agencies never ask you to provide sensitive information over the phone, so such a request is a dead giveaway that you're dealing with scammers and not actual government employees.

If you do happen to respond to a phishing email or message, having one of the best antivirus software solutions installed on your devices can protect you from becoming infected with malware. In a situation like this one, though, where the goal is your personal data rather than your device, the best identity theft protection services can help you recover your identity along with any lost or stolen funds.

Until we change how often we use our Social Security numbers in everyday life, phishing attacks similar to this one will likely continue to occur. This is why you need to remain vigilant online and inspect all of the emails you receive with a close eye.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.