Phishing Email Purporting to be from DCSA Targets Clearance Holders
A few weeks ago, security clearance holders started getting emails that looked like they came from the Defense Counterintelligence and Security Agency (DCSA) that referenced the collection of information needed from them on an “SF-86F” (which does not exist) or SF86. In reality, it is a sophisticated malicious phishing email that did not come from DCSA, or any other vetting or Personnel Security entity in the U.S. Government or Department of Defense. In an attempt to trick the recipient, the link may be associated with an individual who is listed in the DOD phone or email directory, and in a few cases, that individual has turned out to be an actual security manager. IT security professionals acknowledge this email has a fairly high ability to potentially trick individuals because they may not know that an SF-86F does not exist.
The emails also arouse a sense of urgency using a quick suspense date to get people to act.
Here is an example of the phishing email DCSA posted on their notification about this issue on their website:
Due to a number of high profile spillages and intelligence leaks, all federal and DoD Contract employees are required to view the “DoD Reporting and You” powerpoint training and respond to a six question self-report addendum to their SF-86.
If your response is “yes” to any of the addendum questions, you will need to fill out a SF86_F form for each affirmative answer.
The training and addendum questionnaire can be found here: SF-86 Addendum (this is where the malicious link generally is).