
New Spear Phishing Attack Using Employee SSN As Bait

March 9, 2018


Our Breach Insurance provider’s services team reports that they are currently working with many policyholders who have reported within the last 48 hours that their employees have received and clicked on a new, particularly effective spear phishing email. While the first incidents were reported by credit unions, we have now seen incidents occur across industries, including higher education and utilities.

Spear phishing is a form of email lure that targets a specific recipient and appears to come from a trusted sender. This new attack is made to look like it comes from FedEx. The phishing emails included the targeted employee’s name and Social Security number. Noteworthy here is that these phishing emails “up the game” by actually including employee personal information in the email, which may be the reason the recipients were tricked into clicking on the email’s links.


Not expecting a FedEx package? If it looks funny, and it smells funny, trust your gut - it probably isn’t very funny.  

The links in the email take the recipient to a Google Docs page, which retrieves a Unicode-encoded Visual Basic (VB) script from Google and uses that as a dropper to download and install malware. Essentially, this means that in these cases there is a reasonable probability of a malware infection that could potentially impact personally identifiable information (PII).
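For mail administrators, the three traits reported above (a message posing as FedEx, an SSN in the body, a link to a Google Docs page) can be checked together at the gateway. The following is an added example, not code from this bulletin or its sources; the `fedex.com` sender domain, the `docs.google.com` host, the function names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions, not from the bulletin: FedEx's real mail domain and the Docs host.
BRAND, BRAND_DOMAIN, DOCS_HOSTS = "fedex", "fedex.com", {"docs.google.com"}
SSN_RE = re.compile(r"(?<![\d-])\d{3}-\d{2}-\d{4}(?![\d-])")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def triage(raw):
    """Return the lure indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    hits = []
    # Sender or subject claims the brand, but the address is on another domain.
    claims = BRAND in (display + " " + str(msg.get("Subject", ""))).lower()
    on_brand = domain == BRAND_DOMAIN or domain.endswith("." + BRAND_DOMAIN)
    if claims and not on_brand:
        hits.append("brand_mismatch")
    # An SSN-shaped number is not something a shipping notice should carry.
    if SSN_RE.search(body):
        hits.append("ssn_in_body")
    # The link leads to a hosted document rather than the brand's own site.
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)}
    if hosts & DOCS_HOSTS:
        hits.append("docs_link")
    return hits

def should_quarantine(raw):
    """Hold the message only when all three indicators appear together."""
    return len(triage(raw)) == 3

# Constructed samples: names, addresses, numbers and URLs are placeholders.
LURE = """From: "FedEx Delivery" <notice@shipping-alerts.example>
Subject: FedEx package on hold

Pat Example (SSN 000-12-3456), confirm your delivery:
https://docs.google.com/document/d/EXAMPLE_ID/view
"""
BENIGN = """From: Registrar <registrar@college.example>
Subject: Schedule posted

The schedule is at https://docs.google.com/document/d/EXAMPLE_ID/view
"""
if __name__ == "__main__":
    print(triage(LURE), triage(BENIGN))
```

Requiring all three indicators keeps ordinary Google Docs sharing, such as the second sample, out of quarantine.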


Protect yourself - be extra careful where you click. 


But How Did They Get My SSN? 


Never mind retailer security breaches like T***** or H*** D**** - there was a far more significant breach last year at the credit reporting agency E*******, and personal, private and sensitive information for 145 million Americans was compromised (nearly the entire adult population - everyone with a credit rating). So your information is - in all likelihood - out there, and for sale.


Complete the Security Awareness Training 

SUNY and New York State mandate that all employees undergo annual Security Awareness training.  Purchase College is using the SANS “Securing the Human” online training program.   

The security and privacy of our online information is under greater threat than ever before. It is our individual and collective responsibility to safeguard our faculty, staff, and students’ personal, private and sensitive information that is contained in Purchase College computer systems.  

Securing the Human training:

Tax Time is Fraud Time

The IRS reports increases in the number of fraudulent tax returns every year. Many folks only discover that they have been scammed when they go to file their tax return and it is rejected because it has already been filed - by a scammer. File your return early - don’t give the scammers a chance to get there before you do.