Introduction

Cybercrime has become a very common occurrence in the past few decades. Phishing, malware and hacking have shown that we are all vulnerable to security breaches. It’s not just the private citizen that needs to worry, though — corporations and governments have also found themselves victims of cybercrime, either as targets or as a proxy for an attack.

Because of this, some government departments have very specific communication methods that they use when dealing with citizens and other departments. We will look at some of the most commonly accessed areas in government, and what their communication policies are.

A useful resource has been developed by USAGov and can be found here. It outlines the different scams and fraud methods that you might encounter both online and out in the real world when dealing with the many different government departments of the United States.

Below you will find a selection of excerpts from the various government departments that issue warnings against fraud, as well as scam information. If you’re curious about the different government departments, how they operate or even how many there are, then you can find a full list of federal agencies right here.

USAGov — Official Online Web Portal to the Federal Government

As the USAGov website is the gateway into the rest of the federal government’s service-based websites, it is often abused by scammers and fraudsters. The below extract is from their contact page and illustrates how spoofing attacks have been carried out by telephone.

“Please note: If you received a call from this phone number and you’ve never previously contacted us, that call was not from USA.gov. We’ve received reports that scammers sometimes use our phone number on caller ID. This is called spoofing, and it’s illegal. Please don’t answer these calls. USA.gov’s information specialists cannot take complaints about spoofed calls. But you can report them directly to the Federal Communications Commission (FCC).”

This shows that security measures that are put in place to help protect from identity fraud can also be used to perpetrate it. A scammer simply spoofs an official telephone number when calling a victim and can then impersonate a government employee from that point on. Traditional technologies like telephones are not immune to abuse and can be used effectively by criminals to get information.

IRS — Internal Revenue Services

As the IRS is used by all tax-paying Americans, it is only logical that it gets abused by cybercriminals. Groups use a variety of different methods to extract information that helps them to gain illegal access to taxpayer accounts such as banking and tax login profiles. The IRS outlines how such activity can be reported to them here. Below is an excerpt from their website, detailing which communication methods they do not use when dealing with members of the public:

The IRS doesn’t initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.”

The total number of taxpayers for 2018 was thought to be over 140 million, according to an article by Fortune. This is a phenomenal number of targets. Even if scams manage to target a fraction of a percent then we are looking at millions of dollars in potential fraud, making taxpayers a lucrative target.

Department of Consular Affairs

Identity and travel documents are another area of government that are targeted quite often by cybercriminals, and for obvious reasons. Impersonating unsuspecting individuals enables criminals to travel under false names, claim social grants, and to commit fraud in general.

The Department of Consular Affairs has a page set up to highlight the danger of fraud and to draw attention to a form of fraud targeting people who have applied for Diversity Visas (DV). The below excerpt details by which communication methods an applicant might expect to receive communications from the department.

“While DV applicants may receive an email from the U.S. government reminding them to check their status online through DV Entrant Status Check, they will not receive a notification letter or email informing them that they are a successful DV entrant. Applicants can only find out if they were selected to continue with DV processing by checking their status online through the DV Entrant Status Check at http://www.dvlottery.state.gov.

SSA — Social Security Agency

Social Security plays a vital role in providing support for citizens with a stable income upon reaching retirement. With the vast amount of money that could potentially be accessed by criminals, it’s no wonder that this source of money gets targeted. Below is an excerpt from the SSA’s website:

“Please beware of individuals impersonating Social Security employees over the phone. Reports about fraudulent phone calls from people claiming to be from SSA continue to increase, and recent reports have indicated unknown callers are using increasingly threatening language in these calls. If you suspect you have received a scam call, you should hang up, and then report details of the call to the Office of the Inspector General at ‎1-800-269-0271 or online at https://oig.ssa.gov/report

According to an article by U.S. News Money, the average citizen receives between $1,461 and $2,861 per month upon retirement, depending on the amount that they put away over the years:

“The average Social Security benefit was $1,461 per month in January 2019. The maximum possible Social Security benefit for someone who retires at full retirement age is $2,861 in 2019. However, a worker would need to earn the maximum taxable amount, currently $132,900 for 2019, over a 35-year career to get this Social Security payment.”

This is all the incentive that is needed for a cybercriminal to commit fraud on a person’s Social Security, which is why people need to be extra vigilant when responding to unsolicited communications from this government department.

DOL — Department of Labor

The Department of Labor aids eligible citizens through its Unemployment Insurance Fund. This is another department that is frequently targeted by criminals who seek to gain access to funds. Due to the large number of people that access this facility across the country, it is segmented and arranged by state. Each state has its own processes for combating fraud, and the main sources of information pertaining to each state can be found here.

The DOL website has an extensive contact page, unfortunately they make no specific mention of how they contact citizens. Their contact page can be found here.

If you enjoy deep diving into stats and data, then you can find a full list of fraud and improper payments that have been made by state for the years 2009 – 2018 right here. These are downloadable spreadsheets that you can look at and see the leading causes of improper payments. Unfortunately, there are no definitive stats that show how much cybercrime contributes to the overall figures, but the field labelled “All Other Causes” might be a good starting point.

DOT — Department of Transportation

The DOT’s Federal Motor Carrier Safety Administration (FMCSA) makes mention of how they do and do not communicate with the public. The information can be found here. The following goes into more detail about how the FMCSA does not contact the public:

FMCSA does not:

  • Contact Carriers by Telemarketers or “robo-call” automated telephone solicitations
  • Request credit card numbers by telephone
  • Charge a fee for downloadable forms found at http://www.fmcsa.dot.gov/mission/forms

The FMCSA goes into further detail regarding their contact process:

“Motor carrier service providers and third-party administrators or their employees can and do provide valuable services to motor carriers and new entrants in the motor carrier community. The use of a private entity or company to assist a motor carrier with compliance is an option for motor carrier officials and new entrant applicants. However, the U.S. Government does not endorse private businesses or vendors, and the use of a service provider is NOT required by FMCSA.

“Under federal law, impersonating “an officer or employee acting under the authority of the United States” in order to demand or obtain “any money, document, or thing of value” can result in a fine as well as imprisonment for up to three years (18 USC § 912).

“If you have been the victim of fraud and experienced a loss, please report the crime to Law Enforcement. You should report any compromised banking or credit card information to your financial institution or Credit Card Company immediately.

“If you would like to report a fraudulent request for information to DOT, please contact the Office of Inspector General (OIG) Hotline via https://www.oig.dot.gov/hotline or by calling (800) 424–9071.

“You can report aggressive or misleading marketers to the Federal Trade Commission at FTC.gov/complaint.”

The DOT has a sample of a fraudulent letter on their website, highlighting how criminals attempt to get information from unsuspecting contractors. In this instance, the perpetrator tried to elicit a covering letter from a contractor under the auspices of identity verification. The real reason for this request was most likely so that the person carrying out the attack could use the covering letter to create fraudulent requests and communications with the department. This could open up other avenues such as payment for contracts or any other type of fraud where monetary gain is the most likely motivation. The sample letter can be found here.

Security Awareness

Conclusion

While it is encouraging to note that some government departments have easy-to-find fraud and cybercrime pages with reporting features, it is still far from being universally implemented. Some departments make no mention of their preferred methods of communication. Very few departments outline potential methods by which scams and fraud are carried out against taxpayers.

Phishing is a growing threat, despite public awareness and education. The following report from APWG highlights the current state of phishing for 2019. The CISA (Cyber Infrastructure Security Agency) has partnered with APWG to research and generate reports on cybercrime. More information can be found here.

While interconnectivity is essential for modern government departments to operate effectively and efficiently, it is still far from being 100% secure and safe. Spoofing a government department’s phone number is as easy as setting up your own PBX system with a changeable caller ID. Phishing scams are also very easy to orchestrate, and the number of victims that are caught in each instance are still substantial enough for the method to be popular among cybercriminals.

Traditional methods of communication are slower and simpler, but that they are still quite secure in some respects. There are pros and cons to each approach, and it is up to the individual departments and legislators to decide which approaches are best.

The current state of communication policy seems to be unique to each department. This creates uncertainty in some respects, as not all departments follow the same security procedures when dealing with communications. The solution might be a unified communication policy that limits how a department may communicate with the average U.S. citizen. How this could be accomplished remains to be seen, however.

 

Sources

  1. Significant Cyber Incidents Since 2006, Center for Strategic & International Studies
  2. Digital Communications, HHS.gov
  3. Digital Style Guide, U.S. Department of Agriculture
  4. Social Media, Energy.gov
  5. Call Us, USAGov
  6. A-Z Index of U.S. Government Departments and Agencies, USAGov
  7. Report Phishing and Online Scams, IRS
  8. Top 3% of U.S. Taxpayers Paid Majority of Income Tax in 2016, Fortune
  9. Fraud Warning, travel.state.gov
  10. How Much You Will Get From Social Security, U.S. News
  11. Data, U.S. Department of Labor
  12. Contact Us, U.S. Department of Labor
  13. Report Phishing Sites, CISA