To the Web-savvy, the emails are obvious “phishing” attempts. But these particular emails target an especially vulnerable population.
Sometimes, the emails offer fake job interviews conducted via Skype or Google Plus during which scammers try to glean Social Security numbers or bank account information.
Sometimes, the email schemes are more convoluted, asking recipients to cash what later turns out to be a counterfeit check to send back some of the money to the fraudsters.
To the Web-savvy, these are obvious “phishing” attempts, in which bad guys – many not all that skilled or sophisticated – try to conduct fraud or ferret out personal information with legitimate-seeming emails.
But these particular messages target an especially vulnerable population – veterans transitioning to civilian careers or otherwise looking for work.
Some suspect emails even appear to originate from reputable employers. And many of them mention where they turned up veterans’ contact information: a career site run by the Department of Veterans Affairs that allows employers to peruse veteran resumes.
“After viewing your profile on VA JOB PORTAL We feel you may be a good candidate for a position within our company,” reads one of the many similar-sounding scam emails seeking to ensnare veterans. A few of the messages even mention Vets.gov, the name of the recently redesigned and relaunched VA website that hosts the career site, by name.
But VA’s message to veterans: We feel your pain, but our website’s not to blame.
"There has never been a security breach,” said VA Chief Technology Officer and Vets.gov architect Marina Martin in an interview last month, when Nextgov first began looking into the phishing scams. “It's not that somebody downloaded a bunch of veteran emails. That has never been claimed or found.”
VA officials, like Martin, have also repeatedly maintained there’s been no indication any of the supposed companies that have emailed jobseekers actually obtained veteran email addresses, either by being granted access to the site or stealing the information through other means.
That’s the same thing Curtis Coy, the deputy undersecretary for economic opportunity in the Veterans Benefits Administration, told the House Veterans Affairs Committee last November when lawmakers requested an update on potential Vets.gov phishing scams brought to their attention.
When asked if the job site protected veterans’ personal information, Coy responded, “absolutely.” Later, he added he was “pretty confident” there hadn’t been a breach of the site.
“I don't think in the world of IT, anybody can say 100 percent confident, but we're pretty sure,” he said. “We've not seen any intrusions as of yet."
VA says the emails are the result of persistent scammers targeting a susceptible population – simply slapping the agency’s name on a garden-variety phishing email in an attempt to look legit.
“It's not connected to us,” Martin said. “It's not coming from a VA address. It's not linking to VA.”
But the problem has persisted – and may be growing.
In a March 9 blog post published by the agency’s Office of Information Security, officials wrote, “We’ve had veterans share with us several emails recently purporting to be from VA’s Vets.gov website and the Veterans Employment Center.” The post later added, “While it is unfortunate that anyone would try to take advantage of a veteran, tactics such as phishing are becoming more common.”
Securing the Site
Fears over the security of the veteran job site are ironic given that VA officials say they’ve actually taken pains to bake security into the site.
The Veterans Employment Center is a LinkedIn-influenced career site aimed at helping transitioning veterans look for job openings and making it easier for employers to seek out verified veterans. VA unveiled the site in April 2014 – as part of the agency’s eBenefits portal – but made substantial changes and relaunched it as part of the department’s new Vets.gov website, which rolled out last November. VA’s digital service team, about two dozen or so software engineers, coders and other experts, worked on the revamp under Martin’s watch.
Here’s how the site works: If you’re looking for a job, you create a public profile, which contains your education, previous employment, special skills, in what area of the country you’re looking for employment and a few other fields.
Your personal information isn’t actually stored on the site, though, Instead, it’s housed on the eBenefits portal, which is secured by the login credential developed by the Pentagon. About 25,400 veterans have signed up and created profiles on the site, Martin said.
“The veteran is entirely in control of what information is in that profile,” Martin said. “There's nothing about your Social Security number. There's actually no place to even enter it. There's nothing about a home address. There's nothing about a phone number."
Employers who want to be able to peruse veteran job profiles must be granted access first, and Martin said her staff manually vets employers seeking access to the site.
“They cannot contact veterans until they are manually approved by our staff, who confirms that that company is a real company,” Martin said. So far, about 15,300 employees have registered for and been granted access to the site.
And if a company previously granted access were found to be scamming veterans?
"We can revoke access at any time,” Martin said. But so far, she said, they’ve never had to even do that.
Every time members of her team learn of a phishing attempt, they double-check the database to make sure it hasn’t come from an approved employer.
“We have never found a match,” she said. “But if we were to find a match, we could immediately disable and delete that employer's account."
'I Think This is a Serious Issue’
The reports of email fraud first appeared to spike around the first of the year. The first report to mention the now-ubiquitous phishing scams on the Vets.gov feedback forum – where site visitors are encouraged to share their feedback on the new site – was submitted Jan. 6.
“I think I may be dealing with a job scam emailed to me through the VA job portal,” an anonymous user wrote.
The reports kept trickling in.
On Jan. 29, a Vets.gov forum user going by the handle, “Kevin,” wrote, “I have been continually receiving emails from a variety of ‘employers’ who state they have reviewed my resume and want me to set up a Google Hangout or Yahoo Chat to do an interview.”
He said he deleted all the emails even though they sometimes appeared to come from legitimate employers, adding: “I think this is a SERIOUS issue related to Vets.gov and should be addressed as such. I hate to do it, but if this continues, I will be discontinuing any and all of my relationships with Vets.gov.”
Another user that same day, going by the handle, “Jaime,” posted to the forum to say, “I am also being bombarded by scams like this.” Later that day, Jaime posted again: “I ultimately had to delete my account in order for these phishing scams to stop.”
Some of the users say the scams start as soon as they created a profile on the site.
“The minute I signed up with my resume on vets.gov, I had multiple hits from job scammers,” forum user “Phillip Ryan” wrote Feb. 8. “I am going to remove myself from this site because I am tired of my email getting clogged with these offers. This is a scam and ADMIN here needs to figure this out."
On Feb. 16, forum poster “Steve White” wrote, “After building a resume today, I have received four of these scams in the last three hours.”
A Problem on the Rise?
Despite the concerns aired on the forum, VA officials maintain there’s no indication scammers have actually viewed veteran profiles on the job site.
But why, then, do so many veterans on the VA forum report being scammed after signing up on the website – the very same day, according to some accounts.
Jobseekers typically search for openings on multiple websites, Martin said.
If you’re looking for work, “You're probably posting in lots of places,” she said. “You're probably putting your resume out in a lot of places. So, it's a little bit hard to triangulate back” to Vets.gov.
Hard data about the number of phishing scams like this targeting veterans – to quantify what appears to be a growing problem – is surprisingly difficult to come by.
VA says it reports every instance of suspected corporate fraud or phishing to the FBI. When Nextgov asked VA how many cases it had turned over for investigation by the FBI in recent months, a VA spokeswoman said the agency was still “synthesizing and validating data” on the number of cases reported by outside sources, such as veteran advocacy groups. The spokeswoman declined to say how many cases VA itself has brought to the attention of the FBI.
An FBI spokeswoman told Nextgov the law enforcement agency encourages victims to report all phishing attempts or other online scams using the Internet Crime Complaint Center so agents can spot trends and track cases. But it’s difficult to ascertain whether complaints are being forwarded by VA officials or the victims, themselves, because the bureau doesn’t maintain a list of complaints specifically flagged by VA officials or other federal agencies.
Still, the overall number of online scams involving veterans is spiking, according to FBI data.
In 2014, there were 576 incidents referencing “veterans” reported using the online complaint center. That climbed to 651 last year. As of the end of February, there had been 99 reported incidents, according to the data.
Nextgov has learned of at least one complaint involving the VA job site filed with the FBI by the financial planning company Edward Jones.
Emails purporting to come from the reputable financial services firm offered recipients bogus job offers and later asked them to deposit what would turn out to be fraudulent checks.
Edward Jones corporate spokeswoman Regina Deluca-Imral confirmed the company had contacted the FBI after it became aware “that certain organizations or individuals, posing as representatives of Edward Jones, have contacted potential job seekers with false job or employment-related communications and made false offers of employment with Edward Jones.”
‘Horrible and Unfortunate’
As for VA, is there some shiny new tech solution Martin and her team of digital whizzes could put in place? Probably not.
Martin said she’s met with other major job board websites to discuss best practices for combating phishing attempts. Their answer: Rather than implementing some new widget, stopping the tide of fraud is more about educating users on how to spot fishy emails and other tips to protect themselves online.
VA has posted notices on the job site alerting users to be cautious about too-good-to-be-true job offers or any emails from employers seeking personal information. The agency has rolled out a public-awareness campaign “More Than a Number,” containing tips for identity-theft prevention.
The latest complaint about Vets.gov phishing emails was posted March 17, describing a series of emails that sought to set up a bogus job interview via Google Chat. Martin’s team responds to every message on the forum that mentions the phishing scams, directing users to identity-theft prevention tips.
Does it ever irk VA officials to have their website blamed for what seems to be a more widespread issue?
"Whether or not we have a jobs portal, it's part of our responsibility to help veterans understand what phishing is and how they can protect themselves,” Martin said, “because this would happen regardless of whether we, VA, had any website at all of any kind, which is horrible and unfortunate."