Permanently delete the OPM "buyout" email immediately

Among all the noise is a basic cybersecurity principal here. This email, like all others from hr[at]opm.gov, are not digitally signed. Most of you are probably aware that when you receive a signed or encrypted email, you need your PIV to view it. That is not the case for unsigned emails.

Therefore, someone with access to your agency's email infrastructure (authorized or not) could simply reply on your behalf. Today, tomorrow, next week, next year. Doesn't matter. Logs of such actions would exist but risk mitigation is the practice we should putting forth in this scenario. The sender didn't use standard protocols to secure this email and that puts you at risk.

It's not enough to report it as phishing or to delete it. Be sure to go to your trash/junk/spam/deleted folder and remove it from there as well.

*Edited to remove the reference to digitally signed emails requiring PIV auth to view as this is not the case at every agency. Regardless, the aforementioned advice still very much pertains.