Harrisburg, PA – The Department of Labor & Industry is advising organizations that interact with its Bureau of Workforce Development to be on the lookout for email messages impersonating staff. The messages contain links or attachments with malicious software that could infect computers or steal personal information.
"I want to emphasize that neither L&I nor the commonwealth have been compromised by hackers in any way," said Secretary Jerry Oleksiak. "Anyone who receives a potentially suspicious message should contact our employees through a separate email or phone call to confirm that it was sent by them."
Email "spoofing" is a common tactic used in spam and phishing attacks. The goal is to trick the recipient into believing the message is from someone they know and trust so they will provide personal information, open attachments or click on links.
While the origins of the issue are still unknown, it is believed an issue involving a third party allowed bad actors to obtain copies of legitimate email messages sent by L&I staff. The bad actors are now using the contents of these legitimate messages to construct fraudulent emails targeting L&I business partners. L&I and the Office of Administration are working with these third parties to try to identify the source of the issue.
Again, there is no evidence that any commonwealth systems or accounts have been compromised. There is also no evidence at this time of fraudulent emails being sent in relation to any unemployment compensation program administered by the department.
Although phishing emails are becoming increasingly sophisticated, there are potential warning signs to watch out for, including:
- Asking for personal information. Legitimate organizations will never send unsolicited emails asking for your personal and sensitive information.
- Generic Greetings. Be more cautious about email messages with a generic salutation such as "Dear customer" or "Dear member".
- Spoofed emails addresses and links. Use your mouse cursor to hover (do not click) over any links or email addresses. You should see a pop-up that shows the actual address.
- Small inconsistencies. Watch for red flags such as strange email addresses or slight misspellings in hyperlinks.
- Sense of urgency. Many phishing emails try to create a false sense of urgency in hopes that the user ignores telltale signs.
- Bad grammar or misspellings. Messages from legitimate sources are likely to be well-written and not contain obvious mistakes.
- Unknown sources. Never open attachments or links from people or companies that you do not know.
To learn more about how to protect yourself online, check out the Cybersecurity Guide on PA.gov at www.pa.gov/cyber.
MEDIA CONTACT: Sarah DeSantis, L&I, firstname.lastname@example.org
Dan Egan, OA, 717-772-4237