The General Services Administration Office of Inspector General is aware that bad actors have used fake websites to steal login credentials, such as usernames and passwords, for federal websites and then used those credentials to commit fraud. These bad actors have adapted and carried out monetary fraud schemes against the private, public, and institutional sectors for several years.
The scheme
The bad actors create fake websites that mirror legitimate websites.
The bad actors buy search engine ads so that the fake website is shown above the genuine result; when an individual searches for the legitimate website, the ad is the first clickable link.
The fake websites contain a username and password login portal that mirrors the legitimate website's.
Once a victim enters their login information into the fake website, the bad actors capture the credentials. The victim is not taken any further; the fake site typically just displays an "error message."
The bad actors then use the victim's credentials to log in to the real website, often very quickly after capturing them.
From there, the bad actors use the real website for their own monetary gain, for example by changing the victim's bank account information so that payments are directed to an account they control.
The bad actors have demonstrated the technical capability to capture multi-factor authentication (MFA) codes sent to phones and email in real time, or to circumvent MFA in other ways. A one-time code the victim types into the fake site can be relayed to the real site before it expires, so codes delivered by text message, email, or authenticator app do not by themselves stop this scheme. A PIV card login does, because the card authenticates to the site the browser is actually connected to rather than producing a code that can be copied.
How to avoid becoming a victim of a fake website scam
- Carefully examine the domain name of any site you are logging into and make sure it matches the official website. Read the host name from the right: the part immediately before the final ".gov" is what identifies the site. Fake sites often use domain names similar to the official one, or that even contain the official name with additional characters added. For example:
- True government website: gsa.gov
- Fake website: gsa-gov.org
- Bookmark trusted websites instead of relying on search results.
- Ensure that the website address ends in ".gov". Only verified U.S. government entities can register .gov domains (Department of Defense sites use .mil). The ".gov" must be the final part of the host name, not something that appears in the middle of a longer address.
- If the government website offers a PIV card login, use it instead of a username and password whenever possible.
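The domain checks above can be automated. The following is an added example, not code from the GSA OIG alert: it uses Python's standard URL parser to find the host a browser would actually connect to, then classifies that host as the official site, one of the lookalike patterns the alert describes, or something else. The expected site "gsa.gov" and the sample links are constructed for illustration; example.com and evil.example are placeholder names.

```python
# Added example (not part of the GSA OIG alert): classify the host a URL
# connects to as the official .gov site, a lookalike, or unrelated.
# EXPECTED = "gsa.gov" is an illustrative choice; substitute the agency site
# you intend to visit.
from urllib.parse import urlsplit

EXPECTED = "gsa.gov"


def connected_host(url: str) -> str:
    """Return the lowercase host a browser would connect to for `url`.

    urlsplit() resolves the tricks lookalike links rely on: '@' userinfo
    (https://gsa.gov@evil.example/ connects to evil.example), ports, paths
    and fragments. A trailing dot (fully qualified form) is dropped;
    urlsplit already lowercases the host.
    """
    if "://" not in url:
        url = "https://" + url  # a bare host name is treated as https
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def classify(url: str, expected: str = EXPECTED) -> str:
    """Classify `url` as official, a lookalike of `expected`, or unrelated."""
    host = connected_host(url)
    expected = expected.lower()

    # The exact host, or a subdomain of it such as www.gsa.gov, is the real site.
    if host == expected or host.endswith("." + expected):
        return "official"
    # Non-ASCII letters in a host that should be plain ASCII point to a
    # homograph, e.g. Cyrillic 'а' substituted for Latin 'a'.
    if not host.isascii():
        return "lookalike: non-ASCII characters in host (possible homograph)"
    # The official name appearing anywhere but at the end: gsa.gov.example.com
    if expected in host:
        return "lookalike: official name embedded in another domain"
    # The same letters with separators changed or removed: gsa-gov.org
    squashed = host.replace("-", "").replace(".", "")
    if expected.replace(".", "") in squashed:
        return "lookalike: official name with separators changed"
    if host.endswith(".gov"):
        return "other .gov site"
    return "not a .gov site"


def check_all(urls):
    """Map each URL to its classification (helper for batch checks)."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample links modelled on the patterns in the alert.
    samples = [
        "https://www.gsa.gov/login",
        "https://gsa-gov.org/login",
        "https://gsa.gov.example.com/login",
        "https://gsa.gov@evil.example/login",
        "https://www.ignet.gov/",
        "https://gs\u0430.gov/",  # Cyrillic 'а' in place of Latin 'a'
    ]
    for url, verdict in check_all(samples).items():
        print(f"{verdict:62} {url}")
```

The important design point is that the check is done on `urlsplit(...).hostname`, not on the raw string: a link such as `https://gsa.gov@evil.example/` contains the official name but connects somewhere else entirely, and only the parsed host reveals that. Browsers show the same parsed host in the address bar, which is what the advice above asks you to read.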
How to report fake websites and fraud
If you have identified or been victimized by a fake website scam for a federal agency website, report it to that agency’s Office of Inspector General. Go to https://www.ignet.gov/content/inspectors-general-directory for a list of agency Offices of Inspectors General and their hotlines.
Also report the incident immediately to the FBI's Internet Crime Complaint Center (IC3) at https://www.ic3.gov/default.aspx.
In addition, if you believe you are a victim of a fake website scam:
- Change your password immediately, including on any other account where you used the same password,
- Call the help desk for the legitimate federal website so the account can be checked and any changed payment details reversed, and
- Monitor your bank account.
If you have information about fraud, waste, abuse, mismanagement, or other crimes or violations of federal laws, rules, and regulations relating to GSA programs and operations, including contracts, please report it to the OIG Hotline. You can submit your complaint at https://www.gsaig.gov/hotline.