It’s been ten years already; can you believe it? I’m talking about the U.S. Census. It’s been ten years since the last one. Time to do it again. No, it wasn’t on my calendar either. To remind all of us and to encourage us to participate, the U.S. Census Bureau is spending $340 million to get the word out. There was even a Super Bowl ad.

The Census Bureau will not be the only ones trying to get our attention and encouraging us to help them collect data. Cybercriminals will be doing the same thing. But they’ll be trying to fool us into thinking they are the Census Bureau. And the data they’ll be collecting will be a little different. It will be personal information they can use to rip us off.

How do I know this? First, the census is a perfect dodge for cybercriminals. After all, people are already expecting to have to reveal personal information about themselves, and with a little bit of social engineering, criminals could easily use this as a springboard to victimize computer users. And second, in today’s threat landscape, spammers, scammers, and every other sort of online evil-doer seemingly jumps all over every major (and even minor) event in an attempt to use social engineering to fool computer users into becoming their prey.

Well, Symantec wants to beat them to the punch by warning you about the high likelihood of online scams involving the United States Census 2010. It really won’t be that hard to avoid the scams. It just takes a little bit of knowledge and a bit of common sense. Here’s what you need to know:

According to the U.S. Census 2010 website, the U.S. government will start mailing out census forms to every residence in the United States and Puerto Rico in March. For those U.S. residents who don’t mail the form back, a census taker might actually make an at-home visit to collect the information.

There are a couple of key words in this statement that I’d like to point out: “mail” and “at-home visit.” The census will primarily be a paper and pencil process; according to the Census website, no part of the census form is available to be filled out online. So, we encourage computer users to be very wary of any online communications regarding the census, including emails and social networking messages, particularly any that ask them to click on a link or URL, open an attachment, or respond with personal information, because these could very likely be scams. Even clicking on a link just to see if it leads to a legitimate site can be very hazardous, since many of today’s malware infections occur via drive-by download attacks, in which all a user does is visit a malicious or compromised website.

If you receive any online communication regarding the census, the best thing to do is simply give the U.S. Census Bureau a call and ask them to confirm that they sent you a message, or ask them to simply take care of the matter over the phone if possible. It’s also important to remember what types of questions will be asked as a part of the census. Doing so can help to further distinguish between legitimate communication regarding the census and attempts by criminals to steal sensitive information. Here’s a list of the questions you can expect to be asked as part of the census (from the U.S. Census 2010 website):

  • How many people were living or staying in this house, apartment, or mobile home on April 1, 2010?
  • Were there any additional people staying here April 1, 2010, that you did not include in Question 1?
  • Is this house, apartment, or mobile home: owned with mortgage, owned without mortgage, rented, or occupied without rent?
  • What is your telephone number?
  • Please provide information for each person living here. Start with a person here who owns or rents this house, apartment, or mobile home. If the owner or renter lives somewhere else, start with any adult living here. This will be Person 1.
    • What is Person 1’s name?
    • What is Person 1’s sex?
    • What is Person 1’s age and Date of Birth?
    • Is Person 1 of Hispanic, Latino, or Spanish origin?
    • What is Person 1’s race?
    • Does Person 1 sometimes live or stay somewhere else?

Note that at no point will anyone be asked to provide a Social Security number, any user names or passwords, or any credit card numbers.

Here are a few key dates around the census that Symantec thinks could see an increase in related malicious activity. I encourage computer users to be extra vigilant on and around these dates:

  • Throughout March 2010: Census forms are mailed or delivered to households.
  • Around April 1, 2010: National Census Day—this day is intended to serve as a point of reference for sending completed forms back in the mail.
  • April – July 2010: Census takers visit households that did not return a form by mail.