Phishers Targeting Your Tax Dollars
A new phishing scam is targeting debit-card accounts used to deliver government
benefits payments in 15 states.
E-mails, phone text messages and so-called "vishing" voice-mail messages
ask recipients to confirm or update EPPICard account data, directing them to
a phony Web site. Once the scammers have gathered the account information, they
can drain money from the benefits account.
"They are apparently targeting government payments" such as food stamps and
child support payments, said Marc Salomon, a researcher at Cloudmark, an anti-spam
company in San Francisco that noticed the attacks earlier this month. "It is
the taxpayer who is footing the bill," he said, because the compromised accounts
are held by states, not financial institutions.
EPPICard is a magnetic-stripe debit card branded by MasterCard or Visa to access
benefits accounts. The cards are used by Florida, Georgia, Illinois, Indiana,
Mississippi, Nevada, New Jersey, New York, North Carolina, Ohio, Oklahoma, Pennsylvania,
Texas, Utah and Virginia. Each state uses the card to deliver the types of benefits
payments it chooses. When a payment has been credited to the account, the holder
uses the debit card for purchases and the payment is deducted from the account.
Holders also can get cash back from a purchase and withdraw cash at banks and
automated teller machines.
The e-mails apparently come from the address firstname.lastname@example.org and
direct victims to a phony Web site. "They are hosted on servers around
the world," Salomon added.
EPPICard has posted a warning on its Web site of phishing and vishing attacks.
"We will never request your personal information, such as a Social Security
number, card number or PIN through any of these methods," the company
Cloudmark has spotted about 20 of the phishing e-mails and said that number
is probably just the tip of iceberg. There is no indication the e-mails are
specifically targeting EPPICard users, said Adam O'Donnell, Cloudmark's
director of emerging technology. But he said this type of attack against a niche
target is likely to become more common as larger targets such as banks and services
such as PayPal become over-phished.
William Jackson is the senior writer for Government Computer News (GCN.com).