Phishing effort targets fed workers' retirement program
The Washington Post
WASHINGTON — Someone recently went on a phishing expedition to see whether federal employees would bite on a phony Thrift Savings Plan website, and the TSP — suspecting another federal agency — wants to know who dangled the bait.
The TSP, a 401(k)-style program available to federal civilian employees and military personnel, said Monday that it is investigating an email that made the rounds of federal employees last week directing them to a site with a variant spelling of the TSP's official site, www.tsp.gov.
The TSP suspects that the email started with an agency testing its workers' security awareness, because similar incidents have happened at least twice before, most recently in 2009, spokeswoman Kim Weaver said. The message spread among a number of agencies, triggering inquiries to the TSP about the phony site.
The site, apparently created by the email's original sender, has been taken down since the phishing message went out, and there is no indication that anyone's investment account was compromised, Weaver said.
The TSP posted a notice on its site Monday warning account holders that sites other than its own "may steal your login credentials when you enter them." Last year, the savings program issued a similar warning about third-party mobile device applications.
But the TSP is not certain that another agency launched the email. "What we're trying to do is backtrack to where it started," Weaver said.
If another agency is identified as the source, "we will send a really stern letter" and work within the government's financial and security communities to dissuade other agencies from doing the same.
"Our brand and people's trust is paramount," Weaver said. "We can't afford to have people misuse our brand in that way. Security awareness training is great stuff, but leave us out of it."