By Tobi Beck and Stephen Hickok
DCMA Public Affairs
FORT LEE, Va. — From extortion and phishing to identity theft and hacking, cyber criminals target personal information with innovation and variance. In today’s online world, digital security protects more than bank account numbers. Just about everything is captured on the internet, which means having an understanding of threats and how to protect against them remains vital.
In this new computer-safety series, Tobi Beck, Defense Contract Management Agency’s Information Technology Directorate's chief of strategy, planning, and governance, shares tips for the DCMA workforce to stay up to date and computer safe in this ever-evolving digital environment.
I nearly got scammed over the holidays. Like many of you, I have had many packages arriving at my doorstep, a common situation that is being used to take advantage of unsuspecting individuals. The scam was clever. First, I received a text message that read: “[U.S. Postal Sercive] Undeliverable Luggage and Packages. Please check https://www.trackingb2sy0.com.”
It looked authentic, but being in the IT world, I know that the first rule to protect yourself online is to never click on an emailed link.
As an IT specialist, I have access to a computer system used for examining suspect sites, so I typed in the URL. It took me to a website that looked like it was from the United States Postal Service. I’ve been to the real USPS website before and everything looked right. But then I noticed it, the tracking number was in there. How did they get the tracking number for my package when I didn’t put it in the search bar?
I copied the tracking number and went to the actual USPS.com web page and put it in. Nope, they don’t have that number. Then I took a closer look. On the email linked page, the links all directed back to the original fake page, which asked for my personal information before letting me go any further.
If you haven’t noticed before, when you take your cursor and hover over a tab or link on a web browser, the link address should show up in the bottom left of your screen (this may vary based on your internet browser and user settings). This is a preview so you don’t have to actually click on it to see where it will take you.
The copyright mark on my scam emailed page was listed as 2021, yet the real USPS page has already updated to 2022. I used an inspection tool to look at the code on the scam page and found that it linked to the real USPS fonts, style and layout in order to mimic the real one, but all of the links were broken. This isn’t a step most people will be able to look for, but it confirmed to me that the page was 100% fake.
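The two signs described above, a page that borrows the real site's fonts and styles while every link leads back to the same page, can be checked automatically on saved page source. The following Python sketch is an added example, not part of the original article or any DCMA tool; the sample URL, the HTML and the asset paths are constructed for illustration, and the finding names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class RefCollector(HTMLParser):
    """Collect asset URLs (link/script/img) and navigation targets (a/form)."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.assets, self.nav = base_url, [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("link", "script", "img"):
            ref = a.get("href") if tag == "link" else a.get("src")
            if ref:
                self.assets.append(urljoin(self.base_url, ref))
        elif tag == "a" and a.get("href") is not None:
            self.nav.append(urljoin(self.base_url, a["href"]))
        elif tag == "form":  # a missing or empty action posts back to the page itself
            self.nav.append(urljoin(self.base_url, a.get("action") or ""))

def host_in(url, domain):
    """True if the URL's host is the domain itself or one of its subdomains."""
    host = urlsplit(url).hostname or ""
    return host == domain or host.endswith("." + domain)

def analyze(page_url, html, brand_domain):
    """Return heuristic findings for a page that presents itself as brand_domain."""
    refs = RefCollector(page_url)
    refs.feed(html)
    page = urlsplit(page_url)
    # Links and forms whose target is the page itself (fragment and query ignored).
    same_page = [u for u in refs.nav
                 if (urlsplit(u).hostname, urlsplit(u).path) == (page.hostname, page.path)]
    findings = []
    if not host_in(page_url, brand_domain) and any(host_in(u, brand_domain) for u in refs.assets):
        findings.append("brand-assets-on-foreign-host")
    if refs.nav and len(same_page) == len(refs.nav):
        findings.append("all-links-return-to-same-page")
    return findings

# Constructed sample: a look-alike page on a placeholder host that loads its
# styling from the real brand domain (paths invented) and links only to itself.
SAMPLE_URL = "https://parcel-notice.example/track"
SAMPLE_HTML = """
<link rel="stylesheet" href="https://www.usps.com/constructed/site.css">
<img src="https://www.usps.com/constructed/logo.svg">
<a href="#">Track</a> <a href="/track">Help</a>
<a href="https://parcel-notice.example/track?x=1">Contact</a>
<form action=""><input name="address"></form>
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_URL, SAMPLE_HTML, "usps.com"))
```

Both findings are indicators that justify a closer look, not proof on their own.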
The purpose of this scam is an attempt to get your information in order to sell it and hopefully get you to buy into other scams in the future. The more they know about you, the more likely you are to believe it is real, and give them more access to your personal information. For instance, if you filled out the form above, you may later receive a scam email asking for bank account information. And now, with what they already have, they may try to prove to you that they are from your bank by sending a text to your phone number that they “have on file” for you. These scams are used to not only steal your money, but also collect information to sell to other cyber criminals.
I hope you will learn from my experience and use these rules to keep you safe online:
The key thing to understand is that your information is valuable and people will try to collect and sell it. Sometimes all they want to do at first is to gain your trust in order to get more information from you. But eventually, they could collect enough information that you may believe they represent your bank, a place you have shopped, or some other organization in order to gain access to your money or your identity.
Until the next article, stay safe out there.