Email from OPM – is it the real deal?


Update (December 9, 2015): OPM discovered a second data breach that affects federal employees, contractors, and others. If you received a letter from OPM, please visit opm.gov/cybersecurity to learn more about what happened and to sign up for free identity protection services.

You just got an email saying your information was exposed in the OPM data breach. Wondering whether the email is the real deal or not? Here are a few things to look for:   

  • OPM will be sending most breach notifications by email between June 8 and June 19. The email will come from this address: opmcio@csid.com. If you get an email about the breach from a different address, then it’s a scam. Don’t click on any links or provide any personal information.
  • The real email from opmcio@csid.com will include your name, your PIN, a button to “enroll now” and information about the CSID Protector Plus program. If you prefer, rather than clicking the “enroll now” button, you can go directly to CSID’s website to enter your PIN and enroll.  
  • Here’s what to expect on CSID’s website: First, they’ll ask for your PIN or the last four digits of your Social Security number to make sure you are who you say you are. Next, if you choose to enroll in CSID's services you’ll be asked to provide additional personal information. 
  • OPM will not call you about the breach. If you get a phone call saying it’s OPM, then it’s a scam. Don’t provide any personal information. CSID, not OPM, is making all contacts about this breach. The contacts will be by email or US mail, not by phone. 

If you’re still unsure whether the email you got is real, check OPM’s website for more information and updates. If you think you’ve been tricked by a phishing email or a fake call, then file a complaint with the FTC and forward the email to spam@uce.gov.

Comments

Why is the OPM using email for notification instead of physical mail? Physical mail is much more difficult and expensive to spoof. I am surprised that breach notification laws don't mandate physical mail notification to curb all of the post-breach secondary fraud.

Actually they are sending out physical mail. I just received a physical mailing today and found this website post trying to determine if it was legit. Problem is, those incompetent tools didn't include the full name on the letter so now I don't know if it is meant for my father or myself, both of which have held government jobs if the military counts. Regardless either way the letter instructs as an email could, to go to their website rather than providing an obscure link to somewhere else.

Go to opm.gov for the most current information.

OPM posted updated questions and answers on its website on June 18, 2015. OPM said that as of June 18, it didn't believe the breach announced on June 4 involved personnel records of active military personnel. 

OPM said the breach announced on June 4 did affect current and former Department of Defense civilian employees, but didn't affect contractors, unless they previously held Federal civilian positions.

I've never held a federal position, but I have worked for a defense contractor and I received a notification letter from OPM. Guess they changed that

There was also a typo "alsocontact" without a space. That made me suspicious so that's why I am researching...so far seems legit

I saw that too. Red flag for sure.

Got mine by mail last year.

I received my pin and registered as instructed. However, I had to restart my computer and lost all my data. Am I still protected or do I need to start at square one again?

If you have your notification letter and pin you could try enrolling for services.

If you lost your PIN code you can contact the OPM verification center at 866-408-4555 Toll Free.

Thanks for the info. Greatly appreciated.

Stuff out in my mail box all day for anyone to grab is NOT secure.

What does OPM stand for?

The Office of Personnel Management, the federal government’s personnel agency.

One is worried with so many cyber thieves, I've been trying to get a job at home to help my daughters and grandchildren. It's been difficult, pages are hard to trust. Thanks for your information.

How do we know we can trust OPM or this CSID service at this point? especially with them asking for information via email?

What if all of these scams were done to a person with a disability?,but kept as much documentation as possible...like phishing..hacked email...phone..computer..where could person who goes into severe panic attacks and can't..overwhelming for person who can help??

About that I am on disability and have never worked a government job or any job for that matter. Yet I got one of those letters. I called the number they provided and after entering my pin they asked me for my full name, social, address, and age. Things the letter explicitly told me NOT to give them. I'm confused now. How DO we know whether this is legit or a scam trying to trick us INTO giving out our identities?

AS USUAL GREAT INFO. THANKS JOSE SOTO

You have to be kidding that this is the response to the security breach. Email headers can be spoofed (so the opmcio@csid.com is useless), clicking on a link in email is phishing 101, and the domain csid.com can be hijacked. Using the compromised last 4 of the SSN is also foolish. This is not a solution!

Thank you, hunderliggur. Exactly what I was thinking.

For what it's worth, csid is using an SPF record for their domain, so only certain IPs are allowed to send email for their domain. It's not perfect, and not all email servers check for SPF records or drop emails that don't match. But it's a start.
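The two comments above turn on the difference between the visible From address and what SPF actually validates, which is the envelope sender. The following is an added example, not part of the original post or of any commenter's text: a header check over constructed messages. The reason labels, the `mx.reader.example` host and the sample domains are hypothetical, and it assumes the topmost `Authentication-Results` header was written by the reader's own mail provider.

```python
import re
from email import message_from_string
from email.utils import parseaddr

EXPECTED_FROM = "opmcio@csid.com"  # sender address stated in the article

def assess(raw, expected=EXPECTED_FROM):
    """Return a list of reasons to distrust the message (empty = none found)."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    from_domain = from_addr.rpartition("@")[2]
    # Assumption: the topmost Authentication-Results header was added by the
    # reader's own mail provider; lower copies could be sender-supplied.
    ar = (msg.get_all("Authentication-Results") or [""])[0].lower()
    spf = re.search(r"\bspf=(\w+)", ar)
    env = re.search(r"smtp\.mailfrom=([^\s;]+)", ar)
    env_domain = env.group(1).rpartition("@")[2] if env else ""
    reasons = []
    if from_addr != expected:
        reasons.append("from-mismatch")
    if not spf or spf.group(1) != "pass":
        reasons.append("spf-not-pass")
    elif env_domain != from_domain and not env_domain.endswith("." + from_domain):
        # SPF validated the envelope sender, which is not the visible From.
        reasons.append("spf-unaligned")
    return reasons

def _mail(from_hdr, auth):
    """Build a minimal message with one receiver-added auth header."""
    return (f"Authentication-Results: mx.reader.example; {auth}\n"
            f"From: {from_hdr}\nSubject: Important notice\n\nbody\n")

SAMPLES = {  # constructed messages, not real mail
    "aligned": _mail("OPM <opmcio@csid.com>",
                     "spf=pass smtp.mailfrom=opmcio@csid.com"),
    "forged_from": _mail("OPM <opmcio@csid.com>",
                         "spf=pass smtp.mailfrom=bounce@bulk.example.org"),
    "spf_fail": _mail("OPM <opmcio@csid.com>",
                      "spf=fail smtp.mailfrom=opmcio@csid.com"),
    "lookalike": _mail("OPM <opmcio@csid-notice.example>",
                       "spf=pass smtp.mailfrom=a@csid-notice.example"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, assess(raw) or "no red flags in headers")
```

An empty result means only that the headers raise no flag; a bare `spf=pass` is not enough, as the `forged_from` case shows.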

Thank you for your due diligence!

Why is OPM forcing federal employees to provide PII to a contractor (yet another party) for protection? Someone should be fired for this and it's time for a class action lawsuit.

I received this letter also but I am not sure if I should go to the CSID website and enter all my personal information. Lawsuit sounds about right, I have never been a federal employee. Don't understand where my information was pulled from??

Go to opm.gov for the most current information.

OPM maintains personnel records for the federal workforce, and it said that about 4 million current and former federal civilian employees were affected by the breach.

Those current and former federal workers will get notices from OPM. If you aren't a current or former federal worker,  but you got a letter asking for your personal information, the letter might be a scam. Go to the OPM website to learn more about who is affected and how OPM is notifying people.

I live in Spain & CS ID insisted that I have a US address in order to assist me. They wanted me to use a false address and then they could change it later! Why is the Government paying for this incompetence?

Another Outraged Fed

how does OPM even know which e-mail address to use? brilliant send a PIN to the ID thief who applied for and received tax refunds.

Because they either have your current work email or one you provided when you retired.

Victim, you have it right on. If you have already been a victim of identity theft, someone has likely made up an email address with your name on it. So if your warning comes into an email it could well go to the hacker/thief and not you....hahahaha what a joke.
Mine was a letter, I likely had a background check for something, I am not a Govt employee or retired person. I wonder if this has to do with finding out people with concealed carry permit???

Possibly a relative who worked for the government had to list you.

I understand that CSID Protector Plus program will cover up to $1 million theft protection services. What if your personnel portfolio is greater than $1 million? Will CSID cover that loss as well?

The OPM website says you can get more information about CSID on the company’s website and by calling toll-free 844-777-2743. International callers should call collect: 512-327-0705.

I have been locked out of my account and this toll free number doesn't work.

The Toll free # I got in my letter in the mail today is 1 800 750 3004??

Same number in my letter.

Please note that there were two data breaches. This blog was written about the first breach (personnel records). If you got a letter in December, it was probably about the second breach (background investigation records).

The OPM site (opm.gov) says that if you were affected by the second breach (background investigation records) you can go to the Cybersecurity Resource Center and select the “Sign up for services” button or call 800-750-3004.

Bridget, we all got that Cybersecurity Resource Center number. It doesn't help. It is not an OPM number. It just connects you to MyIDCare, and the person you talk to also wants your full social security number.

I was breached and I called the number of CSID instead of using email. I trust no one at this point.

Why would you trust them by phone??

I received a letter from OPM yesterday... no email.

OPM says never give your personal info on email or telephone, but this site the first thing is your birthday and ss numbers they need. I changed password on my important sites and write them down in my notebook next to my PC { and will not sent to lifepass} another site hacked this week

Is CSID any more secure than OPM? CSID is asking for and retaining even more information than OPM has.

I was asked to supply all types of personal info - drivers license #, med card id, I hope the hell I was scammed. the email address looked okay but wow that was a lot of info to share - now I am paranoid beyond belief!

Go to opm.gov for the most current information.

The OPM website says that if you enroll in CSID’s credit and identity monitoring you need to provide:

  • First Name
  • Last Name
  • Full Address
  • Date of Birth (used to activate Court & Criminal Record monitoring)
  • Social Security number (used to initiate credit monitoring)

You will also need to create a username and password to access your CSID account. Once you create an account, you have to  answer a set of authentication questions to validate your identity. The questions are related to information on your credit report. The question might be “With which financial institution do you have an auto loan?”

When I enrolled in the OPM CSID program, they asked for my social security number, is this part of their procedure?

Go to opm.gov for the most current information.

The OPM website says you can get more information about CSID on the company’s website and by calling toll-free 844-777-2743. International callers should call collect: 512-327-0705.

In general, if you want to get identity protection, you have to provide information to prove you are who you say you are. You might have to give your social security number and other information so they can locate the accounts you want them to monitor.

If they were able to send me the information and provide a PIN number why didn't all of my personal information automatically generate. I do not feel right inputting all of my personal information.

Exactly KB, this whole thing stinks. I'm out.

I agree. I received a letter today. I never applied for a federal job. Only a state job. Plus, I don't understand why I would have to enter my ssn on the site. it should already be linked to the pin.

The breach includes anyone who has had an extensive background check done as well. Not just government employees. This includes fingerprints!
