What is Co-Managed Care for Veterans?

Scam Alert: Beware of Phishing

Military people are generally honest, straightforward people. We expect our words to be taken at face value, and we tend to project the same trustworthiness on other people. And unfortunately, we have too often fallen for a number of scams and shady practices.

One of the most common scams in the internet age is phishing: This is the practice of sending emails or other communications designed to dupe the victim into either sending money to the crooks, or into sending them confidential personal information. The crooks then use that information to open up fraudulent credit accounts in your name, or even raid your bank accounts and retirement accounts directly – leaving you with an empty shell.

Recent Scam Targeted DFAS Customers

For example – late in 2011, a number of military families reported receiving an email communication with the subject line, “Fwd: Payment Approval.” The email contained a Department of Defense seal (anyone can cut and paste a seal into their email), as well as something that appeared to be a case number from the Defense Finance and Accounting Service.

If you took a closer look at the email, though, you would discover that the return address didn’t go to a “*.mil” domain at all. Instead, the return email went to

Some variations of Phishing will redirect the victim to a convincing mockup of a genuine legitimate website. Some of the fakes are quite elaborate. The victim may know not to send sensitive personal information directly via email. But clicking on an emailed link may provide the victim with a false sense of security. The victim then enters the sensitive information directly onto the Web page.

Another version advises the service member to open an attached file. However, the file is really a virus that attacks the computer and allows the virus’s creator to access stored passwords and other sensitive information stored on the computer’s hard drive.

If the computer is on a network, other computers on the network could be targeted as well. In extreme cases, this could mean a major network security breach.

This is a screaming red flag, say DFAS officials. Indeed, DFAS recently reaffirmed its strict email policy:

  • DFAS will never send you an unsolicited email requesting your password, account numbers, or any other potentially sensitive information.
  • DFAS will never call you asking for that information, or simply to ‘update our records,” or “validate our database.”
  • DFAS will not send you an email attachment you have not specifically asked for.

This policy was specifically adopted by the Defense Finance and Accounting Service. However, the vast majority of reputable, legitimate financial institutions will have similar policies in place. Never respond to an unsolicited email, text or cell phone communication by providing sensitive information.

Protective Measures

You can take action to protect yourself and your own family by practicing personal OPSEC.

  • Ensure you have an anti-virus and anti-phishing program that updates automatically. This is important, because new viruses and threats emerge all the time. Anti-virus programmers are always improving their software to identify known security threats.
  • Your service may provide free or subsidized antivirus software, or you can purchase a common antivirus software solution such as Norton or MacAfee. If money’s tight, you can get a free self-updating anti-virus program from
  • Always look for an “https://” prefix at the beginning of the URL. This means that your browsing session is secure – though if only your login page is secure but not the rest of the site, your whole browsing session is possibly vulnerable.
  • Don’t enter personal information over public, unsecure Wi-Fi networks. Thieves equipped with “sniffers” that can pick up your transactions can use that information to rip you off.
  • Do your homework. You should know whom you are corresponding with, and whom you are doing business with.
  • Be on the lookout for sites that are just off, somehow. For example, they may contain spelling and usage errors, colors may be different from the usual branding or color schemes.
  • Passwords should be tough enough to be tough to hit with a lucky guess – but not so tough you have to carry around a laptop with a post-it note.
  • Don’t put passwords on your smart phone.
  • Don’t share passwords.
  • Don't use the same password for all your accounts. This is like having all your troops walk a patrol within a grenade burst range of each other. If they guess one password, they’ll have all of them at once.

If You Get Phished

If you do receive a phishing email, take the following actions:

If you think you fell for the scam, file a report with the Federal Trade Commission at

If the compromise involves a military computer, notify your unit leadership, S-6 or DOIMS (Department of Information Management Services) office immediately.

Share This