New phishing scam targets military users, DFAS warns

A new phishing campaign is targeting military service members, retirees and civilian employees receiving disability compensation, the Defense Finance and Accounting Service warns.

The e-mail scam dangles the prospect of additional disability compensation in an effort to get recipients to give up their personal information, according to a post on DFAS' website, which urged anyone receiving such an e-mail not to respond to it.

The e-mails, which appear to come from a DFAS employee, display a spoofed .mil e-mail address and say that recipients of disability compensation from the Veterans Affairs Department could also be eligible to get money from the IRS, DFAS said. The phishing scam asks recipients to submit their VA award letters, income tax returns, 1099-R forms and other documents to a supposed retired colonel in Florida.

Related stories:

To hackers, government users are phish in a barrel

5 ways to avoid getting caught in phishing scams

“Do NOT follow the suggestions in the e-mail,” DFAS warns, “because you will be providing a significant amount of your personal information to a complete stranger, which could result in a financial loss to you.”

Phishing campaigns of this type — offering money if you just give up your personal information — are fairly common around tax time, and phishing scams of all kinds are increasingly common in government circles, whether the goal is to compromise individuals’ financial information or to attack enterprises.

The U.S. Computer Emergency Readiness Team recently reported that phishing was the most common type of attack against government networks, accounting to 51.2 percent of attacks.

Scams can range from mass e-mailings to narrower targets, such as military recipients of disability payments, to specific individuals whose e-mail address and other information may have been taken in a network hack.

In February, intelligence analysis company Strategic Forecasting warned its government customers about a spear-phishing campaign that appeared to come from the company. The phishers were targeting account-holders whose information was taken in a hack by the group Anonymous, which then posted the information online. The Army also had warned Army Knowledge Online users about potential identity theft as a result of the hack.

The DFAS scam is another example of what government users and other individuals need to be on guard for. It’s worth remembering that the IRS and many other agencies never send people e-mails, especially not e-mails offering to give away money.
And people should always beware of any e-mail asking them to go to a link and submit personal information.

Also, phishers are getting better at spoofing e-mail and Web addresses, so it’s wise to avoid clicking on any link you’re not sure of. Hovering your mouse over a link will often, but not always, reveal whether a link is spoofed. When in doubt, security experts say, typing the address in manually, rather than clicking the link, can help you avoid being taken to a malicious site.


About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected