Attackers mimic Social Security and threaten victims with SSN termination


Threat actors told victims their social security numbers were to be terminated, hoping to prompt targets into calling a fraudulent customer support number.

Crooks targeted 160,000 end users of a national US educational institution, hoping to steal sensitive user data. Worryingly, the attack operators succeeded in bypassing native email security, researchers at cybersecurity firm Armorblox claim.

Threat actors likely devised the attack to coax victims into revealing their social security numbers (SSNs), a vital piece of information to any US citizen, and other sensitive data. Since it’s tax season in the US, attackers aim for personal data that could help them to commit tax return fraud.

“Attackers know that tax season is top of mind for many individuals and take advantage of this to try and trick end users into engaging with the malicious attack. We have seen other bad actors take advantage of the severity of COVID and the war in Ukraine,” researchers told Cybernews.

SSA fraud
Fraudulent letter, impersonating the SSA. Image by Armorblox, edited by Cybernews.

To lure victims in, attackers put “due to erroneous and suspicious activities” in the email subject. Urgency-inducing techniques aim to reduce a victim’s vigilance, prompting them to act quickly without thinking.

Additionally, cybercriminals customized the sender name to display it as Social Security Administration-2521, impersonating the Social Security Administration (SSA), the federal US organization responsible for the American welfare program, including issuing SSNs.

“Emails sent from the SSA usually require immediate attention and response, and when it comes to email, communications are considered on the more serious side of the scale,” Armorblox researchers claim.

The fraudulent emails consist of a panic-inducing message claiming a victim’s SSN has been suspended. Even though US authorities repeatedly said SSN suspension is impossible, a legitimate-looking message could scare some victims.

To move the attack further along, crooks instructed the victims to open a PDF file, which contained a supposed SSA letter telling victims they had violated “terms and conditions” by “using a false identity.”

The last part of the attack relied on worried victims using a fraudulent customer support number. If they were to contact the attackers in this way, cybercriminals would try to get as much sensitive information from them as possible.

Researchers told Cybernews that the attack was sophisticated enough to bypass native email security and difficult for users to detect. Even though the bogus email had a massive red flag in the form of a Gmail domain address instead of an SSA email, attackers did cleverly change the sender's name in such a way as to help conceal their ploy.

“The length of the sender’s name is intentional, as victims reading the email on a mobile device would not be able to see the actual domain. Additionally, the lack of personalization in the email attachment can be a subtle hint for victims to think twice before engaging,” researchers explained.