Pension Plan Help Scams

Scams

August 8, 2024

Threat actors continue to target pension plans, using social engineering to initiate contact and appear legitimate. They may reach their targets by email, phone, text message, social media, or online advertisements and falsely offer a “free” review of the target’s pension plan savings with the promise of better returns. Once in contact, they may attempt to harvest personal information, take over pension plan accounts, change direct deposit information, and transfer or release funds to attacker-controlled accounts.

The NJCCIC has received reports of pension plan help scams delivered via phishing campaigns. For example, these phishing emails may claim that the targeted employee, by virtue of their employment with the organization, is eligible for a “no charge consultation” with a licensed representative. During the appointment, the purported representative will supposedly cover potential monthly income, early retirement options, and other advice. The subject line consists of the organization’s name followed by “Pension help.” The purported representative’s email signature lists an address that resolves to a shipping and receiving storefront in Washington, DC. The phishing emails contain a link that, if clicked, directs the target to a fraudulent New Jersey Division of Pensions & Benefits (NJDPB) webpage to set up a pension review phone appointment. The target is prompted to select a date and time and to provide contact information such as name, phone number, and email address. If submitted, a meeting confirmation page appears with the option to add the invite to the target’s calendar via Google, Outlook, or iCloud, lending the scheme further legitimacy. The fraudulent confirmation page also includes a link to the Zoom platform, which the legitimate NJDPB does not use.

Threat actors registered fraudulent domains under the .com, .net, and .org top-level domains (TLDs). Observed second-level labels relating to this pension scam include:

  • statepensionguides
  • statepensionreviews
  • statepensionplanner
  • statepensionassist
  • teacherpensionreviews
  • teacherpensionhelper
  • teacherspensionplans
  • pension-review
  • mynewjerseypensioneducation

Additionally, the actors embedded a state’s name or two-letter abbreviation within these labels or appended it to the end of the domain, extending the scam beyond New Jersey to other states and broadening its impact.
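The naming pattern described above (an observed label, an optional state name or abbreviation before or after it, and one of the three observed TLDs) lends itself to a mail-gateway or proxy-log check. The following is an added example, not NJCCIC tooling or code from the advisory: it builds a regular expression from the labels listed above and runs it over a few constructed log lines. The state qualifiers, the log format, and the hostnames in the sample lines are assumptions for illustration; a real deployment would enumerate all state names and abbreviations and tune the expression against its own traffic, since a keyword rule like this is a triage signal rather than proof of fraud.

```python
import re
from urllib.parse import urlparse

# Second-level labels listed in the advisory (TLDs stripped).
OBSERVED_LABELS = [
    "statepensionguides", "statepensionreviews", "statepensionplanner",
    "statepensionassist", "teacherpensionreviews", "teacherpensionhelper",
    "teacherspensionplans", "pension-review", "mynewjerseypensioneducation",
]
OBSERVED_TLDS = ("com", "net", "org")

# Assumption: state qualifiers the actors may prepend or append. Only a few
# are listed here for illustration; enumerate all 50 names and abbreviations
# in a real deployment.
STATE_QUALIFIERS = ["nj", "newjersey", "ny", "newyork", "pa", "pennsylvania"]


def build_pattern(labels, tlds, states):
    """Compile a hostname regex: [subdomains.][state][-]label[-][state].tld"""
    label_alt = "|".join(re.escape(l) for l in labels)
    state_alt = "|".join(re.escape(s) for s in states)
    tld_alt = "|".join(re.escape(t) for t in tlds)
    return re.compile(
        rf"^(?:[a-z0-9-]+\.)*"        # any number of leading subdomains
        rf"(?:(?:{state_alt})-?)?"    # optional state qualifier in front
        rf"(?:{label_alt})"           # one of the observed labels
        rf"(?:-?(?:{state_alt}))?"    # optional state qualifier appended
        rf"\.(?:{tld_alt})$",         # one of the observed TLDs
        re.IGNORECASE,
    )


PATTERN = build_pattern(OBSERVED_LABELS, OBSERVED_TLDS, STATE_QUALIFIERS)


def candidate_domains(labels=OBSERVED_LABELS, tlds=OBSERVED_TLDS,
                      states=STATE_QUALIFIERS):
    """Enumerate concrete domains for a DNS blocklist or sinkhole seed."""
    out = set()
    for label in labels:
        for tld in tlds:
            out.add(f"{label}.{tld}")
            for s in states:
                out.add(f"{label}-{s}.{tld}")
                out.add(f"{label}{s}.{tld}")
                out.add(f"{s}{label}.{tld}")
    return out


def extract_domains(text):
    """Pull hostnames from URLs and email addresses found in a log line."""
    domains = set()
    for url in re.findall(r"https?://[^\s\"'<>]+", text):
        host = urlparse(url).hostname
        if host:
            domains.add(host.lower())
    for host in re.findall(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", text):
        domains.add(host.lower())
    return domains


def flag_line(line, pattern=PATTERN):
    """Return the sorted list of hostnames in the line that match the pattern."""
    return sorted(d for d in extract_domains(line) if pattern.match(d))


def scan_log(lines, pattern=PATTERN):
    """Map 1-based line numbers to the flagged hostnames on that line."""
    hits = {}
    for lineno, line in enumerate(lines, 1):
        flagged = flag_line(line, pattern)
        if flagged:
            hits[lineno] = flagged
    return hits


# Constructed mail-gateway log lines (not real traffic); the .gov line and the
# last line are benign controls that should not be flagged.
SAMPLE_LOG = [
    'from=<advisor@statepensionreviews.com> subject="Acme County Pension help"',
    "url=https://www.teacherpensionhelper-nj.org/schedule?ref=mail",
    "url=https://newjerseypension-review.net/confirm",
    "from=<benefits@nj.gov> url=https://www.nj.gov/treasury/pensions/",
    "url=https://statepensions.example.com/",
]

if __name__ == "__main__":
    for lineno, domains in scan_log(SAMPLE_LOG).items():
        print(f"line {lineno}: {', '.join(domains)}")
```

The leading-subdomain group matters: actors commonly serve the landing page from `www.` or a tracking host, so anchoring the label only at the start of the hostname would miss it. The benign controls show the other half of the tuning problem: the legitimate `nj.gov` host and a domain that merely contains the word "pension" do not match, because the expression requires a complete observed label.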

Recommendations

  • Participate in security awareness training to help better understand cyber threats, provide a strong line of defense, and identify red flags in potentially malicious communications.
  • Avoid responding to messages, clicking links, or opening attachments from unknown or unverified senders, and exercise caution with emails from known senders.
  • Confirm the legitimacy of requests by contacting the sender via a separate means of communication, such as by phone, using contact information obtained from official sources before responding, divulging sensitive information, or providing funds.
  • Navigate directly to legitimate websites and verify websites before submitting account credentials or providing personal or financial information.
  • Use strong, unique passwords and enable multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes.
  • Reduce your digital footprint so that threat actors cannot easily target you.
  • Report malicious cyber activity to the FBI’s IC3 and the NJCCIC.