Full Report
An email reviewed by Scoop News Group and analyzed by Proofpoint reveals the latest attempt by fraudsters to capitalize on confusion over the Elon Musk-created group. The post "Scammers have a new tactic: impersonating DOGE" appeared first on CyberScoop.
Analysis Summary
# Tool/Technique: DOGE Impersonation Scam
## Overview
This is a social engineering tactic in which threat actors impersonate the newly formed U.S. government unit, the Department of Government Efficiency (DOGE), established by Elon Musk, to solicit personally identifiable information (PII) from recipients, typically under the guise of issuing tax refunds.
## Technical Details
- Type: Technique (Social Engineering/Phishing)
- Platform: Email as the initial vector, with PII collected through secondary channels (web/chat applications such as WhatsApp, PDF forms)
- Capabilities: Impersonation of a known government entity, persuasion using financial incentives (tax refunds), redirection to secondary communication channels.
- First Seen: Described as a "new tactic," observed around June 2025.
## MITRE ATT&CK Mapping
Since this is a specific campaign tactic centered on deception and information gathering rather than a specific malware tool, the mapping focuses on the adversarial actions:
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (applies if the PDF form was delivered as an email attachment)
- T1566.002 - Spearphishing Link (applies if the lure link was the primary vector)
- **TA0009 - Collection**
- T1119 - Automated Collection (applies only if the bulk PII requests were automated)
- **TA0010 - Exfiltration** (Implied goal of collecting PII)
- **TA0005 - Defense Evasion** (Impersonating a legitimate entity to gain trust)
## Functionality
### Core Capabilities
- **Impersonation:** Pretending to be an "Agent Daniels" from the "DOGE Coordination Unit" or "Department of Government Efficiency."
- **Lure:** Claiming the recipient is eligible for tax refunds funded by recovered government expenditures.
- **Information Solicitation:** Directing victims to fill out a PDF form designed to collect Personally Identifiable Information (PII).
### Advanced Features
- **Channel Shifting:** Moving communication off standard email via a "lure link" to a secondary, less monitored platform (e.g., WhatsApp chat) to continue the conversation and pressure the victim.
- **Context Awareness:** Exploiting current news and high-profile government developments (the creation of DOGE) for successful rapport building.
- **Geographic Association:** IP addresses associated with the scheme were traced back to Southern Nigeria.
## Indicators of Compromise
- File Hashes: [Not specified in the article]
- File Names: [PDF form for refund, implied attachment in the initial email]
- Registry Keys: [None specified]
- Network Indicators: [No hardcoded C2 domain/IPs provided, but activity originated from IPs associated with **Southern Nigeria**]
- Behavioral Indicators: Emails with subject line "DOGE Community Access," sender claiming to be an agent from the "DOGE Coordination Unit" or "Division of Government & Economic Development," directing users to an external chat link (e.g., WhatsApp).
## Associated Threat Actors
- Fraudsters/Scammers capitalizing on DOGE publicity.
- Activity traced by Proofpoint, with network origins pointing towards actors in **Southern Nigeria**.
## Detection Methods
- Signature-based detection: [Not detailed in the article; conventional email content rules keyed on the campaign's wording (the DOGE unit names, the refund lure, the subject line) could apply once signatures for this specific variant are developed.]
- Behavioral detection: Flagging emails concerning unexpected financial compensation from new/unverified government entities, especially those attempting to shift communication to chat apps.
- YARA rules: [Not available in the context.]
- *Specific Advice:* Federal employees were advised by OPM to report suspicious emails through designated agency channels.
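The behavioral indicators listed above (subject line, unit names, refund lure, chat-app redirection, non-government sender) can be combined into a simple mail-filter rule. The following is an added example written for this summary, not code from the article or from Proofpoint; the WhatsApp link hosts and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicator strings taken from the report's behavioral indicators.
IMPERSONATION = re.compile(
    r"DOGE Coordination Unit|Department of Government Efficiency|"
    r"Division of Government & Economic Development|Agent Daniels", re.I)
REFUND_LURE = re.compile(r"\b(tax )?refund\b|recovered (government )?expenditures", re.I)
# Chat-app redirection; the WhatsApp link hosts are an assumption, not from the report.
CHAT_LINK = re.compile(r"https?://(wa\.me|chat\.whatsapp\.com)/\S+", re.I)

def _plain_text(msg) -> str:
    """Concatenate every text/plain part of the message (walk() covers both cases)."""
    return "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in msg.walk() if p.get_content_type() == "text/plain")

def doge_scam_indicators(raw: str) -> list[str]:
    """Return the behavioral indicators that fire on one raw RFC 822 email."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    display_name, addr = parseaddr(msg.get("From", ""))
    body = _plain_text(msg)
    hits = []
    if "DOGE Community Access" in subject:
        hits.append("subject:doge-community-access")
    if IMPERSONATION.search(f"{display_name} {body}"):
        hits.append("impersonation:doge-unit")
        if not addr.lower().endswith(".gov"):  # government claim from a non-.gov sender
            hits.append("sender:non-gov-domain")
    if REFUND_LURE.search(f"{subject} {body}"):
        hits.append("lure:tax-refund")
    if CHAT_LINK.search(body):
        hits.append("channel-shift:whatsapp-link")
    return hits

def is_suspected_doge_scam(raw: str) -> bool:
    """Alert only when several independent indicators co-occur, limiting false positives."""
    return len(doge_scam_indicators(raw)) >= 3

# Constructed sample message for demonstration; not a real email from the campaign.
SCAM_EMAIL = """\
From: "Agent Daniels" <daniels@doge-refunds.example>
Subject: DOGE Community Access

The DOGE Coordination Unit has approved your tax refund from recovered
government expenditures. Continue on WhatsApp: https://wa.me/10000000000
"""
```

Thresholding on the count of independent indicators, rather than alerting on any single keyword, keeps legitimate agency mail that merely mentions DOGE from being flagged.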
## Mitigation Strategies
- **Prevention:** Do not click on unknown links or open attachments from unsolicited emails, regardless of the sender's purported affiliation.
- **Hardening:** Organizations (colleges, universities, transit entities, and government agencies) receiving widespread, non-targeted attempts should raise awareness of government impersonation scams tied to current events such as DOGE.
- **Verification:** Verify communications claiming to offer government benefits or request PII through official, known channels (e.g., calling the agency via an independently sourced phone number, not one provided in the suspicious email).
## Related Tools/Techniques
- Business Email Compromise (BEC) attacks (General category).
- Phishing campaigns leveraging recent news events or prominent figures (e.g., Elon Musk associations).