Email from OPM – is it the real deal?

Update (December 9, 2015): OPM discovered a second data breach that affects federal employees, contractors, and others. If you received a letter from OPM, please visit opm.gov/cybersecurity to learn more about what happened and to sign up for free identity protection services.

You just got an email saying your information was exposed in the OPM data breach. Wondering whether the email is the real deal or not? Here are a few things to look for:   

  • OPM will be sending most breach notifications by email between June 8 and June 19. The email will come from this address: opmcio@csid.com. If you get an email about the breach from a different address, then it’s a scam. Don’t click on any links or provide any personal information.
  • The real email from opmcio@csid.com will include your name, your PIN, a button to “enroll now” and information about the CSID Protector Plus program. If you prefer, rather than clicking the “enroll now” button, you can go directly to CSID’s website to enter your PIN and enroll.  
  • Here’s what to expect on CSID’s website: First, they’ll ask for your PIN or the last four digits of your Social Security number to make sure you are who you say you are. Next, if you choose to enroll in CSID's services you’ll be asked to provide additional personal information. 
  • OPM will not call you about the breach. If you get a phone call saying it’s OPM, then it’s a scam. Don’t provide any personal information. CSID, not OPM, is making all contacts about this breach. The contacts will be by email or US mail, not by phone. 

If you’re still unsure whether the email you got is real, check OPM’s website for more information and updates. If you think you’ve been tricked by a phishing email or a fake call, then file a complaint with the FTC and forward the email to spam@uce.gov.

Comments

Why is the OPM using email for notification instead of physical mail? Physical mail is much more difficult and expensive to spoof. I am surprised that breach notification laws don't mandate physical mail notification to curb all of the post-breach secondary fraud.

Actually they are sending out physical mail. I just received a physical mailing today and found this website post trying to determine if it was legit. Problem is, those incompetent tools didn't include the full name on the letter so now I don't know if it is meant for my father or myself, both of whom have held government jobs if the military counts. Regardless, either way the letter instructs, as an email could, to go to their website rather than providing an obscure link to somewhere else.

Go to opm.gov for the most current information.

OPM posted updated questions and answers on its website on June 18, 2015. OPM said that as of June 18, it didn't believe the breach announced on June 4 involved personnel records of active military personnel. 

OPM said the breach announced on June 4 did affect current and former Department of Defense civilian employees, but didn't affect contractors, unless they previously held Federal civilian positions.

I've never held a federal position, but I have worked for a defense contractor and I received a notification letter from OPM. Guess they changed that.

There was also a typo "alsocontact" without a space. That made me suspicious so that's why I am researching... so far seems legit.

I saw that too. Red flag for sure.

Got mine by mail last year.

I received my PIN and registered as instructed. However, I had to restart my computer and lost all my data. Am I still protected or do I need to start at square one again?

If you have your notification letter and PIN you could try enrolling for services.

If you lost your PIN code you can contact the OPM verification center at 866-408-4555 Toll Free.

Thanks for the info. Greatly appreciated.
