New Phishing Scheme Targeting Employees’ Direct Deposits

Written by Patrick Nohe - Hashed Out
Category: Latest News
Published: 27 September 2018

Washington, DC - The FBI’s Internet Crime Complaint Center (IC3) has issued a warning about a phishing scheme that is targeting Americans’ direct deposits. So, if your paycheck gets routed directly to your bank account at the end of each pay period, be on the lookout for any suspicious emails that are requesting your login credentials.

So far cybercriminals have targeted a number of different industries with this scheme, most prominently the healthcare, commercial aviation and education sectors.

Cybercriminals target employees through phishing emails designed to capture an employee’s login credentials. Once the cybercriminal has obtained an employee’s credentials, the credentials are used to access the employee’s payroll account in order to change their bank account information. Rules are added by the cybercriminal to the employee’s account preventing the employee from receiving alerts regarding direct deposit changes. Direct deposits are then changed and redirected to an account controlled by the cybercriminal, which is often a prepaid card.

So, what’s going on here and how can you make sure you, your coworkers and/or your employees don’t fall victim to it?

Let’s hash it out…

Social Engineering and You

We have come a long way since the days where Nigerian royalty would email you a poorly written plea for interim financial assistance in return for a larger payday down the road. Granted, those do still exist. I’m not sure if that’s just a continued shot in the dark or at what rate that scam ever converted, but it must not have been that good because phishing has evolved considerably over the past decade.

Nowadays cybercriminals leverage social engineering to create highly personalized emails that are intended to create a sense of urgency. Criminals have been known to scour LinkedIn and other social networks for information that can be used to make an email seem more convincing. This practice has become so refined that they’ve even nailed down which words most often elicit the desired action.

And they know what they’re doing. They know that a company’s own employees are often its greatest threat. They know that 70% of US employees don’t have a clue about cybersecurity best practices. They’re sending a high volume of these emails, too. 1 out of every 101 emails sent is malicious. The average US employee receives 16 malicious emails per month.

The point is this: cybercriminals know how to disguise their attempts to steal your data and defraud you. They have a lot of experience doing this and the stakes are low enough (there is little risk inherent) that they can be prolific in their attempts, too.

Without education, most people don’t stand a chance.

How can I prevent being scammed?

The FBI has provided nine pieces of advice in its warning; we’ll go through those and then supplement them with a few of our own.

  1. Inform your employees about this specific situation. Use this as an opportunity to remind them about security best practices and also to go over any reactive plans in the event of an incident.
  2. Instruct your employees to examine any hyperlinks to ascertain the true URL (this can be done by hovering your mouse over the link) before clicking on anything.
  3. Instruct your employees never to provide login details or personal information via email.
  4. Direct your employees to forward any suspicious emails to the IT department.
  5. Don’t use the same credentials for payroll activities as you use for other things – this is basically a variation on don’t reuse passwords.
  6. Add an additional layer of scrutiny when an employee attempts to update account information or deposit credentials.
  7. Monitor employee logins, specifically looking for any abnormal logins that occurred after hours or off-premises.
  8. Implement two-factor authentication for access to sensitive data and systems.
  9. Only let required processes run on systems that handle sensitive information.
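One way to turn items 6 and 7 into an actual check, as an added example that is not part of the original article or the FBI warning: a small Python detector run over constructed payroll-portal audit lines (the event names, log format and business-hours window are assumptions) that flags every direct-deposit change for review and raises it to high severity when, as in the scheme described above, an alert-rule change or an after-hours/off-premises login preceded it.

```python
from datetime import datetime, timedelta

# Constructed sample audit events from a hypothetical payroll portal (not real data).
# Format: timestamp|user|event|detail
SAMPLE_EVENTS = [
    "2018-09-20T09:12:00|alice|login|ip=10.1.4.22 location=onprem",
    "2018-09-20T23:41:00|bob|login|ip=203.0.113.7 location=offprem",
    "2018-09-20T23:43:00|bob|alert_rule_changed|rule=suppress_direct_deposit_notice",
    "2018-09-20T23:45:00|bob|direct_deposit_changed|account=****1234",
    "2018-09-21T10:05:00|carol|direct_deposit_changed|account=****9876",
]

BUSINESS_HOURS = (8, 18)                 # assumed: 08:00-18:00 is normal working time
CORRELATION_WINDOW = timedelta(hours=24)  # how far back to look before a deposit change


def parse_event(line):
    """Split one audit line into its four fields."""
    ts, user, event, detail = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event, "detail": detail}


def is_abnormal_login(ev):
    """Item 7: after-hours or off-premises logins deserve a second look."""
    if ev["event"] != "login":
        return False
    after_hours = not (BUSINESS_HOURS[0] <= ev["ts"].hour < BUSINESS_HOURS[1])
    return after_hours or "location=offprem" in ev["detail"]


def analyze(lines):
    """Item 6: return one finding per direct-deposit change, ranked by what preceded it."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    findings = []
    for i, ev in enumerate(events):
        if ev["event"] != "direct_deposit_changed":
            continue
        # Same user's activity inside the look-back window before this change.
        recent = [p for p in events[:i]
                  if p["user"] == ev["user"] and ev["ts"] - p["ts"] <= CORRELATION_WINDOW]
        reasons = []
        if any(p["event"] == "alert_rule_changed" for p in recent):
            reasons.append("alert rule changed shortly before deposit change")
        if any(is_abnormal_login(p) for p in recent):
            reasons.append("abnormal login preceded deposit change")
        findings.append({"user": ev["user"], "ts": ev["ts"].isoformat(),
                         "severity": "high" if reasons else "review", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Every deposit change lands on a reviewer's queue; the ones that match the alert-suppression-then-redirect pattern are the ones to call the employee about first.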

If you wanted to go a step further, it’s not a bad idea to enact an organizational policy that says there is certain business that will never be handled via email. This could be difficult in larger companies, but if an employee knows that there are no conditions under which the company would ever email them about their direct deposit or an open enrollment period – or in regard to sensitive topics of that nature – it’s a lot easier to ferret out a fake.

Also, and this is the most important, if there’s ever any doubt about the legitimacy of an email, contact the supposed sender directly via something other than email. Unless you’re just racked by social anxiety, call them. If the email is legitimate they’ll tell you. If it’s not – and they have no idea what you’re talking about – you’ll know you’re being phished.

Regardless of all that, if you take anything away from this article, hopefully it’s this: if anyone emails you about an issue with your direct deposit contact your payroll department directly and definitely don’t share your login credentials or any personal information.

Otherwise your next check might end up in the pocket of someone halfway around the world.