If you think ESD is implementing best practices with security, think again after reading the analysis below. In fact, ESD is guilty of the very activity it is trying to guard and warn against.
Many individuals who have reported that they have been victims of imposter fraud through the WA State Employment Security Department are receiving email notices like the following actual email:
Let’s examine ESD’s advice from the above image. ESD says:
“The email address we use will end with @esd.wa.gov or WashingtonESD@public.govdelivery.com. If you get any unemployment related correspondence from any other address, do not open or reply to it.”
The advice regarding “from any other address” certainly makes sense.
But what if a phishing email shows up with “@esd.wa.gov” or “WashingtonESD@public.govdelivery.com” in the visible FROM field of the email? Fraudsters do this all the time, trying to trick recipients into thinking the email came from a legitimate source. Putting someone else’s email address in the FROM field is called email address spoofing, and there are articles all over the Internet about it. For example, Wikipedia has an article on email spoofing. Among the statements from that article:
MAIL FROM: – generally presented to the recipient as the Return-path: header but not normally visible to the end user, and by default no checks are done that the sending system is authorized to send on behalf of that address.
From: Joe Q Doe <firstname.lastname@example.org> – the address visible to the recipient; but again, by default no checks are done that the sending system is authorized to send on behalf of that address.
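The two Wikipedia statements above are the whole problem: neither the envelope MAIL FROM (surfaced as Return-Path) nor the visible From: is checked by default, so a filter or mail client that wants to act on ESD’s “only trust @esd.wa.gov” advice has to look at what the receiving server actually verified. The following is an added example, not code from the original post or from ESD: it parses two constructed messages that both show “@esd.wa.gov” in From:, and trusts only the one whose Authentication-Results header (RFC 8601, written by the receiving server) records SPF or DKIM passing for a domain aligned with From: plus a DMARC pass. The server name mx.example.com, the sample addresses and the header contents are assumptions made up for the example; the alignment rule is a simplification of DMARC relaxed alignment.

```python
"""Why the visible From: field proves nothing, and what a receiving side can
check instead. Added example, not part of the original post; the two messages
below are constructed for illustration."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: visible From: claims esd.wa.gov, but the receiving
# server's own Authentication-Results line records SPF fail, no DKIM, DMARC fail.
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=esd.wa.gov
From: Claims Office <claims@esd.wa.gov>
To: applicant@example.com
Subject: Action required on your claim

Please confirm your details at the link below.
"""

# Constructed sample: same visible sender, but SPF and DKIM pass for
# identifiers that align with the From: domain, and DMARC passes.
LEGIT = """\
Return-Path: <bounce@esd.wa.gov>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=esd.wa.gov; dkim=pass header.d=esd.wa.gov; dmarc=pass header.from=esd.wa.gov
From: Claims Office <claims@esd.wa.gov>
To: applicant@example.com
Subject: Your claim status

Log in to your eServices account to view the status.
"""

# The sender domains ESD's notice says it uses (taken from the post).
EXPECTED_DOMAINS = {"esd.wa.gov", "public.govdelivery.com"}

# One "method=result [property=value]" clause of an Authentication-Results header.
CLAUSE = re.compile(r"\s*(spf|dkim|dmarc)=(\w+)(?:\s+([\w.]+)=(\S+))?")


def addr_domain(header_value):
    """Domain part of the first address in a header value, lowercased."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def aligned(identifier_domain, from_domain):
    """Simplified DMARC relaxed alignment: equal to, or a subdomain of, From:."""
    return bool(identifier_domain) and (
        identifier_domain == from_domain
        or identifier_domain.endswith("." + from_domain))


def parse_auth_results(msg, authserv_id):
    """Return {'spf': (result, property, value), ...} from the
    Authentication-Results header written by our own server (authserv_id).
    Any other copy of the header could have been supplied by the sender, so
    it is ignored."""
    for raw in msg.get_all("Authentication-Results", []):
        head, _, rest = str(raw).partition(";")
        if head.strip() != authserv_id:
            continue
        results = {}
        for clause in rest.split(";"):
            m = CLAUSE.match(clause)
            if m:
                results[m.group(1)] = (m.group(2), m.group(3), m.group(4))
        return results
    return {}


def assess(raw_message, authserv_id="mx.example.com"):
    """Decide whether the visible From: is backed by the server's verification."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    fdom = addr_domain(msg["From"])
    rpath = addr_domain(msg["Return-Path"])  # the envelope MAIL FROM, as seen
    auth = parse_auth_results(msg, authserv_id)
    reasons = []
    if fdom not in EXPECTED_DOMAINS:
        reasons.append(f"From: domain {fdom!r} is not an expected sender")
    if not auth:
        reasons.append("no Authentication-Results from our server; From: is unverified")
    else:
        spf, _, spf_dom = auth.get("spf", ("none", None, None))
        dkim, _, dkim_dom = auth.get("dkim", ("none", None, None))
        dmarc = auth.get("dmarc", ("none", None, None))[0]
        if dmarc != "pass":
            reasons.append(f"dmarc={dmarc}")
        if not ((spf == "pass" and aligned(spf_dom, fdom))
                or (dkim == "pass" and aligned(dkim_dom, fdom))):
            reasons.append("neither SPF nor DKIM passed for a domain aligned with From:")
    return {"from_domain": fdom, "return_path_domain": rpath,
            "trusted": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, assess(sample))
```

Both samples carry an identical From: line; only the server-recorded results separate them. The check deliberately reads just the Authentication-Results header bearing the receiving server’s own identifier, because a sender can insert a header of that name too. The full defence is a DMARC policy published by the sending domain so receivers reject unaligned mail before it reaches a mailbox; a client-side check like this one is a fallback, not a substitute.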
WA State even has a law that recognizes and bans spoofing: RCW 9A.90.070 Spoofing. Is this law going to stop fraudsters? Hasn’t yet.
So, let’s say you get an email from an address ending with “@esd.wa.gov” or “WashingtonESD@public.govdelivery.com”. It invites you to visit an official-looking web site where you enter your phone number and perhaps other identifying info.
At this point, you’ve been had.
Then you get a call from someone behind the fraudulent website saying they are a member of “OSI from the Employment Security Department”.
There is no way to validate that the caller is really from OSI. ESD creates the same problem with its wording discussed below.
At this point, you’ve been had again!
The only secure way to communicate with ESD’s OSI is to call the number ESD posts on the website.
An email sent out June 8, 2020 has some interesting wording.
“ESD will ask you for information through official correspondence and your ESD eServices account. If we call you, you can ask the agents to identify themselves.”
“If we call you”? ESD wants us to answer a call from someone who claims to be an ESD employee? But banks, the IRS, and Social Security tell us all the time that they will not call us and ask for personal information.
ESD is not following best security practices.
Here’s how a call might go:
“Hi. My name is John Smith. I’m calling from the Washington State Employment Security Department.”
“Great. Been waiting to hear from you folks.”
“Before we can move forward in resolving your application, I will need some additional information from you, including your Social Security number.”
“OK. But before we do that, I need for you to identify yourself.”
“Sure, no problem. My name is John Smith. I work for the Washington State Employment Security Department. My ID# is 19395954.”
“Oh, ok. So you need my Social Security number?”
“Yes, let’s start with that.”
“My Social Security number is 555-555-1111.”
See the problem with this? There is NO WAY for the recipient of the phone call to validate that the person calling really works for ESD; a name and an ID number can be invented as easily as a spoofed FROM address.
In essence, ESD is helping applicants lower their guard against calls from fraudsters.
These two examples from ESD come after ESD was foolishly inviting people to send copies of their Social Security card and ID via email.