Overseas Security Advisory Council
Bureau of Diplomatic Security
U.S. Department of State

Rewards for Justice Scam: Spoofing, Spear Phishing, and Security Implications


Since early August, malicious actors have made attempts worldwide to obtain personal data from the public using spear phishing attacks that impersonate official U.S. Government text messages or “spoof” tip lines misattributed to the Department of State’s Rewards for Justice Program. OSAC is aware of SMS-based spear phishing targeting specific foreign government employees, as well as tip-line spoofing of the Department that casts a wider net. Although the private sector is not a specific target of this campaign, it is very likely that private-sector employees could find themselves involved. Given the intrigue of international politics and diplomacy, the timely nature of issues such as cybersecurity and terrorism, and the involvement of large sums of money, even the most benign actions by an employee could expose private-sector networks and information to malicious action.

Background: What is RFJ?

The Department of State's Office of Rewards for Justice (RFJ) is a national security rewards program administered by the Diplomatic Security Service (DSS, also home to OSAC). Since its inception in 1984, the program has paid in excess of $150 million to more than 100 people around the world for providing actionable information that helped prevent terrorism, bring terrorist leaders to justice, and resolve threats to U.S. national security.

RFJ recently expanded beyond offering rewards for information on terrorism. Important to this context, Congress extended RFJ authorities in 2017 to include offering rewards for information on individuals or entities acting at the direction of a foreign government in violation of the Computer Fraud and Abuse Act (CFAA). This act criminalizes unauthorized computer intrusions and other forms of fraud related to computers. Persons engaged in certain malicious cyber operations targeting election or campaign infrastructure may be subject to prosecution under the law. Among other offenses, the statute prohibits unauthorized access of computers to obtain information. This reward offer does not cover disinformation activities, like trolling or creation of fake online personas, which do not violate the CFAA.

New Reward Leads to Defensive Russian Response, Cyber Scam Campaign

On August 5, Rewards for Justice began offering a reward of up to $10 million for information leading to the identification or location of any person who works with or for a foreign government for interfering with U.S. elections through certain illegal cyber activities that violate the CFAA. Due to the interconnected nature of communications and networks, RFJ’s is a worldwide campaign offered in multiple languages, including Arabic, Dari, English, Farsi, French, Korean, Mandarin, Pashto, Russian, Somali, Spanish, and Tagalog.

Also on August 5, the State Department’s Global Engagement Center released a report on Russian disinformation and propaganda efforts titled “Russia’s Pillars of Disinformation and Propaganda.” Subsequent to the award announcement, it appears that malignant cyber actors began their spear phishing and spoofing campaigns. Employees of a foreign government were the recipients of SMS-based spear phishing attempts impersonating the RFJ program. The message provided a URL that would open a WhatsApp chat to a phone number in the (424) area code, in and around the Los Angeles area, and a second URL that would open a Telegram link to the spoofed State Department tip line, “@meddlinghotline.”

RFJ has previously used SMS text messaging to advertise its reward offers around the world. Although the bogus messages attempted to impersonate RFJ advertising, the authentic RFJ texts included links to RFJ’s official, verified, in-language social media accounts, which provided more information on the reward offer and RFJ’s contact information. The fake text messages would not necessarily have seemed out of the ordinary to foreign recipients used to or aware of RFJ digital advertising. Native English speakers might immediately have realized “@meddlinghotline” to be fake, but those unaware of the connotation of the word “meddling” may not have let that stop them. (This may well have been the result of poor translation, a common thread among electronic scams for decades.) Adding to the appearance of legitimacy was a coincidence that some recipients received the messages via the same number as legitimate Google two-factor identification tokens. These isolated instances, which could have served to legitimize the messages even among those savvy enough to understand cyber scams, were unfortunate but entirely coincidental.

RFJ has identified attempts to impersonate its tip lines, and advises global audiences to be cautious and to contact only tip lines posted to official (blue check marked) RFJ social media accounts.

Though the spoofed tip lines apparently involved only the Iran-focused RFJ efforts, the RFJ reward offer and Russian response came amid growing public U.S. initiatives to pressure Russia and other malign actors over their continuing attempts at elections interference and disinformation.

  • On July 15, the Secretary of State declared that he was “confident” foreign actors, including the governments of China, Iran, North Korea, and Russia would seek to interfere in the 2020 U.S. elections.
  • On July 24, the ODNI National Counterintelligence and Security Center released an unclassified public assessment of threats to the 2020 elections, which outlined some operations by the governments of China, Iran, and Russia to influence the elections. ODNI released an updated unclassified public assessment on August 7.
  • And on August 18, the Senate Intelligence Committee released the fifth and final volume of its report on Russian interference in the U.S. 2016 presidential election, detailing Russian cyber actors’ hack-and-leak tactics, techniques, and procedures. A Kremlin spokesperson criticized the report as “another in a series of paranoid reports” leading up to the election in November, but within two weeks, U.S. authorities uncovered the RFJ campaign.

What does this mean for the private sector?

Again, this is not an instance of direct private-sector targeting. However, besides inadvertent accessing of spoofed links and benign response to spear phishing attempts, there may be a higher likelihood of malicious intent involving organizations doing business in certain locations and within certain industries somehow of interest to the sponsor of these attacks. For instance, Russian entities may be more interested in targeting actors in Ukraine or the Baltic countries, whereas Chinese entities may have more interest in those operating in Hong Kong, Taiwan, or Southeast Asia. Either would likely have high interest in civil society organizations, including those focusing on international development, human rights, and democratization, but also on businesses whose trade secrets are of the most importance to their own national goals. For security managers in any of these organizations, and any others, it remains imperative to pass accurate cybersecurity information to their personnel, and to make them understand that even actions taken on private time, on private devices could have negative repercussions for their employers. Security managers and personnel alike should also know how to respond to suspected scams; in this case, you can report suspected problems directly to OSAC or RFJ.

What is a phishing attack?

Phishing attacks use electronic communications like email, text messages, and mobile chatting apps, along with malicious websites to solicit personal information by posing as a trustworthy organization. For example, an attacker may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts. Attackers often take advantage of current events and certain times of the year, such as natural disasters, epidemics and health scares, economic concerns, major political elections, and holidays.

What are common indicators of phishing attempts?

  • Suspicious sender’s address: The sender's address may imitate a legitimate business. Cybercriminals often use an email address that closely resembles one from a reputable company by altering or omitting characters.
  • Generic greetings and signature: Both a generic greeting—such as “Dear Valued Customer” or “Sir/Ma’am”—and a lack of contact information in the signature block are strong indicators of a phishing email. A trusted organization will normally address you by name and provide their contact information.
  • Spoofed hyperlinks and websites: If you hover your cursor over any links in the body of the email, and the links do not match the text that appears when hovering over them, the link may be a spoof. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net). Additionally, cybercriminals may use a URL shortening service to hide the true destination of the link.
  • Spelling and layout: Poor grammar and sentence structure, misspellings, and inconsistent formatting are other indicators of a possible phishing attempt. Reputable institutions have dedicated personnel that produce, verify, and proofread customer correspondence.
  • Suspicious attachments: An unsolicited email requesting a user download and open an attachment is a common delivery mechanism for malware. A cybercriminal may use a false sense of urgency or importance to help persuade a user to download or open an attachment without examining it first.
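The SMS lure described earlier pointed recipients to a WhatsApp chat and a Telegram handle instead of a verified account. As an added example (not part of the OSAC report), this Python function triages message text for such messaging-app deep links and for URL shorteners; the allowlisted handle, the shortener list and the phone number are constructed placeholders.

```python
import re
from urllib.parse import urlparse, parse_qs

# Assumption: a small illustrative shortener list; extend it for real use.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

# Constructed sample modelled on the lure described above; the phone number
# is fictional and "rfj_official_placeholder" stands in for a verified handle.
SAMPLE = ("Reward up to $10 million. Chat: https://wa.me/14245550100 "
          "or https://t.me/meddlinghotline.")


def triage_sms(text, official_handles, official_numbers=()):
    """Return (url, finding) pairs for links that need manual verification."""
    handles = {h.lstrip("@").lower() for h in official_handles}
    numbers = {re.sub(r"\D", "", n) for n in official_numbers}
    findings = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:)!?")          # drop sentence punctuation
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        segs = [s for s in parts.path.split("/") if s]
        if host in SHORTENERS:
            findings.append((url, "shortener hides destination"))
        elif host in ("t.me", "telegram.me"):
            # Anything not on the verified list is flagged, including
            # invite-style paths, so the check fails safe.
            handle = segs[0].lower() if segs else ""
            if handle not in handles:
                findings.append((url, f"unverified Telegram handle @{handle}"))
        elif host in ("wa.me", "api.whatsapp.com"):
            if host == "wa.me":
                raw = segs[0] if segs else ""
            else:
                raw = parse_qs(parts.query).get("phone", [""])[0]
            digits = re.sub(r"\D", "", raw)
            if digits not in numbers:
                findings.append((url, f"unverified WhatsApp number +{digits}"))
    return findings


if __name__ == "__main__":
    for url, finding in triage_sms(SAMPLE, ["@rfj_official_placeholder"]):
        print(f"{finding}: {url}")
```

The allowlist should be populated only from contact details published on the organization's verified accounts, as the report advises.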

What are common ways to spot fake social media accounts?

There are several simple ways to spot the more obvious fake social media accounts, including:

  • Grammatical, spelling, and punctuation errors in messages;
  • Suspicious usernames or handles;
  • Users with a high follower count, but low levels of engagement from followers; and
  • A lack of original content, but instead repeatedly pushing spam or other suspicious linked content.


For further information on Rewards for Justice, visit its official website or interact with one of its social media accounts. For further information on cybersecurity, including spear phishing and spoofing, contact OSAC’s Cyber Team, and consider the following resources:
