Phishing emails encouraging you to create a my Social Security account are circulating.
What is phishing?
Phishing is the practice of using social engineering techniques over email to trick a recipient into revealing personal information, clicking on a malicious link, or opening a malicious attachment.
How can I detect a phishing email pretending to be Social Security?
- Most emails from Social Security will come from a “.gov” email address. If an email address does not end in “.gov”, use caution before opening attachments or clicking on pictures or links in the email.
- In a few instances, we use marketing firms to raise awareness of Social Security’s online services, and this includes creating a my Social Security account. We allow these firms to send email directly to individuals. Any links you find within these emails should always point to a “.gov/” web address.
- Links, logos, or pictures in the body of an official Social Security email will always direct you to an official Social Security website. Rather than relying on the way a link looks, please follow these steps to confirm a link’s authenticity:
  - To verify the web address of a link or picture, hover over it with your mouse until a text box appears with the web address. This is the actual address you will be directed to, and it should always end in “.gov/”. A forward slash should always follow the “.gov” domain.
    - Example: http://www.ssa.gov/myaccount/
  - Links to the official Social Security website will always begin with http://www.socialsecurity.gov/ or https://secure.ssa.gov/.
- Below are examples of fraudulent websites pretending to direct you to Social Security. Notice the location of the forward slash.
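The hover check described above can also be done in code. The following is an added example, not something published by Social Security: it reads the links out of an HTML email body and flags any whose real host does not end in ".gov" directly before the first forward slash. The function names and the sample body are assumptions made up for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_is_gov(url):
    """True only when the real hostname ends in ".gov", i.e. ".gov" is the
    last thing before the first "/" that follows "http://" or "https://"."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:          # malformed address: treat as untrusted
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    # .hostname is lower-cased and excludes any port or "user@" prefix.
    return parts.hostname.rstrip(".").endswith(".gov")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for each <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html):
    """Return (href, visible text, verdict) for every link in the body."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    return [(h, t, "ok" if host_is_gov(h) else "SUSPICIOUS")
            for h, t in collector.links]

# Constructed sample body; example.com / example.org are reserved test domains.
SAMPLE = """<p>
<a href="http://www.ssa.gov/myaccount/">my Social Security</a>
<a href="http://www.ssa.gov.example.com/myaccount/">http://www.ssa.gov/myaccount/</a>
<a href="http://example.org/www.ssa.gov/">www.ssa.gov</a>
</p>"""

if __name__ == "__main__":
    for href, text, verdict in audit_links(SAMPLE):
        print(f"{verdict:10} shown={text!r} actual={href}")
```

The second sample link shows why the displayed text cannot be trusted: it reads as an official address, but the address it actually opens has more text between ".gov" and the first forward slash.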
What should I do if I’ve received a phishing email pretending to be Social Security?
- If you are not certain that an email you received came from Social Security or one of our marketing firms, DO NOT respond to the email or click on any links contained in the email message. Instead, navigate directly to the Social Security website, www.socialsecurity.gov/, and click on the my Social Security icon.
- Report the incident by forwarding the suspicious email to the U.S. Computer Emergency Readiness Team (US-CERT) at firstname.lastname@example.org (http://www.us-nocert.gov/nav/report_phishing.html).
What are other tips I can use for detecting phishing emails?
- Verify the sender. Exercise caution when receiving email from a sender you don’t know or haven’t heard from in a long time. Hover over the ‘From’ email address to ensure it matches the displayed email or name of the sender.
- Look for poor choices in wording, phrasing, or spelling.
- If an email includes a business name, telephone number, or website link, verify the legitimacy of these items by searching for the official number or website in a search engine.
- Do not respond to emails requesting personal information. Reputable businesses and public agencies will not ask you for personal information in an email.
Are there other resources I can use to learn more about phishing?
For more information about "phishing," go to OnGuard Online.