Following the data breach affecting current and former federal employees, including some at the NCUA, security experts are questioning whether email notifications put potential fraud victims at higher risk.

The Office of Personnel Management announced on its website, "Beginning June 8 and continuing through June 19, OPM will be sending notifications to approximately four million individuals whose personally identifiable information was potentially compromised in this incident. The email will come from [email protected] and it will contain information regarding credit monitoring and identity theft protection services being provided to those Federal employees impacted by the data breach." Those without emails on file will receive snail mail letter notifications, OPM said.

A number of cybersecurity experts are puzzled by the government's decision to notify affected individuals by email.

"There is certainly a high risk that one of these emails will be leaked publicly and then copied by phishers. In fact, smart phishers will start sending their own campaigns now," Dave Jevans, founder of both the Menlo Park, Calif.-based Marble Security and the Anti-Phishing Working Group, said. The APWG is a global consortium made up of technology, law enforcement and government leaders fighting electronic crime.

These OPM notifications can certainly be crafted into second-wave phishing attacks to "update employees" on new developments in the breach, Jevans pointed out. For example, a phishing email might read, "We now offer you identity theft protection, please log into this OPM-sponsored portal and enter your email address and a password, and your personal information."

"OPM must be very savvy about their communication email," Jevans added. "Obviously embedding links into the email must be done carefully, or not at all." He suggested OPM might want to consider posting a copy of the email on its website so employees can read it without relying on the one sent to them.
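The checks Jevans is alluding to can be mechanised on the receiving side. The following Python is an added example, not code from the article, OPM or any of the quoted firms: it parses a raw email, pulls every link out of the HTML body, and flags a sender or link host that is outside the expected domain, as well as a link whose visible text names one host while its href points at another (the classic lookalike trick). The expected domain `opm.gov` is an assumption, and both sample messages are constructed for the example.

```python
"""Heuristic checks for a breach-notification lookalike email (added example)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the example: genuine notices come from the opm.gov domain.
EXPECTED_DOMAIN = "opm.gov"

# Constructed sample: a second-wave "update" of the kind described above, not a real message.
SAMPLE_PHISH = """\
From: OPM Notifications <notifications@opm-benefits-portal.example>
To: employee@agency.example
Subject: Action required: enroll in identity theft protection
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your information may have been affected. Enroll at
<a href="http://opm-benefits-portal.example/login">https://www.opm.gov/enroll</a>.</p>
<p>Questions? See <a href="https://www.opm.gov/faq">our FAQ</a>.</p>
</body></html>
"""

# Constructed sample of the link-free notice Jevans recommends.
SAMPLE_CLEAN = """\
From: OPM <notify@opm.gov>
To: employee@agency.example
Subject: Notice regarding your personal information
Content-Type: text/plain; charset="utf-8"

We will not ask you to click a link. Read the full notice on our website.
"""

# Matches text that looks like a URL or bare hostname, e.g. "https://www.opm.gov/x".
HOSTLIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list = []
        self._href = None
        self._text: list = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value: str) -> str:
    """Lowercase hostname of a URL or of bare host-like text; '' if there is none."""
    value = value.strip()
    if not value:
        return ""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _in_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def _html_body(msg: Message) -> str:
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def check_notification(raw_message: str, expected_domain: str = EXPECTED_DOMAIN) -> list:
    """Return (item, reason) findings for an off-domain sender, off-domain links,
    and links whose visible text shows a different host than the href."""
    msg = message_from_string(raw_message)
    findings = []
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not _in_domain(sender_host, expected_domain):
        findings.append((sender_host, "sender domain is not the expected one"))
    extractor = _LinkExtractor()
    extractor.feed(_html_body(msg))
    for href, text in extractor.links:
        href_host = _host(href)
        if not _in_domain(href_host, expected_domain):
            findings.append((href, "link points outside the expected domain"))
        if HOSTLIKE.match(text) and _host(text) != href_host:
            findings.append((href, f"visible text shows {_host(text)!r} but link goes to {href_host!r}"))
    return findings


if __name__ == "__main__":
    for item, reason in check_notification(SAMPLE_PHISH):
        print(f"SUSPICIOUS {item}: {reason}")
    print("clean notice findings:", check_notification(SAMPLE_CLEAN))
```

Run as a script, the phishing sample produces three findings (off-domain sender, off-domain link, and the display-text mismatch on that link) while the link-free notice produces none. A real mail gateway would add sender authentication (SPF, DKIM, DMARC) on top of this; the point here is only that a notification with no links gives this class of check nothing to trip over.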

"Our government is hoovering up massive amounts of data, and at the same time doesn't seem able to protect this information against foreign hackers," Stu Sjouwerman, founder/CEO of the Clearwater, Fla.-based KnowBe4, who regularly speaks about the security risks presented by social engineering, cautioned. "Next, they promise to send emails to notify the employees affected by the theft of their personal information. That again is risky because exposed employees now expect this email and cyber criminals can now exploit that expectation with [spear] phishing attacks. This is a recipe for disaster."

Spear-phishing attacks, personalized emails designed to fool recipients into revealing sensitive information or downloading malicious software, often follow major hacks.

Recent research sponsored by KnowBe4 shows email phishing attacks are now the No. 1 source of data breaches with human error at the core. The study shows 67% of respondents say malware penetrated their corporate networks through email, with web surfing a close second at 63%. Another 23% say malware has infiltrated their networks but they still don't know how.

OPM itself warned about phishing scams in suggestions about how to "avoid becoming a victim" following the breach announcement.

"Because their personal data was compromised by the malicious actors, it is possible that their email accounts might already be compromised as well," Ondrej Krehel, founder/principal of LIFARS, a digital forensics and cybersecurity intelligence firm, said.

Krehel explained it is easy for cyberthieves to generate lists of possible passwords based on the stolen data.

"They can then use those to log in to the email accounts and prevent the users from ever seeing the email notification – enabling them to use the stolen information to commit fraud," he said.

© 2025 ALM Global, LLC, All Rights Reserved.

Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for the Association for Financial Technology since 1997 and of history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).