Wave Of Payroll Direct Deposit Phishing Attacks

Lexology had an excellent post from Ogletree Deakins, written by Rebecca J. Bennett and Danielle Vanderzanden, warning about a crafty new phishing scam you should be aware of: the bad guys are behind it in real time, reinforcing the scam with quick answers via email.

These scams are affecting employers nationwide without regard to their payroll portals or payroll service providers:

"Employers beware: Companies are experiencing a wave of phishing scams that target employee paychecks.

Here is the scenario:
• An employee receives, from a company e-mail account, an e-mail that mimics a familiar and trusted company service or resource, such as an e-signature request or a request to complete a survey.
• The e-mail asks the employee to click a link, access a website, or answer a few questions.
• Then it directs the employee to “confirm” his or her identity by providing his or her complete log-in credentials. Skeptical employees who question the request via reply e-mail receive a prompt response purporting to verify that the employee should complete the steps contained in the link.
• The threat actors then use the employee’s log-in credentials to access payroll portals, reroute direct deposits to other accounts, and wreak other havoc upon the employer’s network.
In some versions of the scam, hackers access employee e-mails to request a password change from the employer’s payroll service and then use the new log-in credentials to change direct deposit instructions."

Bennett and Vanderzanden have the following recommendations:

"The threat actors are doing substantial due diligence on the social engineering side of things, and these e-mails look real. In many circumstances, they are effectively spoofing the sender’s account, and employers are learning of the scam when employees begin reporting that they did not receive their direct deposits. By then, the damage has been done.

In addition to diverting funds, the scam creates a data breach for the employer and triggers notification obligations. Failure to take prompt action may result in penalties and liability to unsuspecting employers.

Employers may want to immediately take the following precautions to avoid security breaches as a result of these phishing scams:
• Alert your workforce to this scam.
• Direct employees to forward any suspicious requests to the information technology or human resources departments, rather than replying to the e-mail.
• Instruct employees to refrain from supplying log-in credentials or personally identifying information in response to any e-mail.
• Ensure that log-in credentials used for payroll purposes differ from those used for other purposes, such as employee surveys.
• Enforce (or, where necessary, establish) multifactor authentication requirements.
• Review and update the physical, technical and personnel-related measures taken to protect your sensitive information and data."
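The scenario above has a detectable shape on the payroll side: a password reset followed shortly by a direct deposit change, often from an IP address the account has never used. The following is an added example, not code from the Lexology article or from any payroll vendor, that runs that correlation over constructed audit events (the event format, field names, user names and IPs are all assumptions for illustration):

```python
from datetime import datetime, timedelta

# Constructed sample payroll-portal audit events (hypothetical format, not a real vendor's).
EVENTS = [
    {"ts": "2018-01-15T08:00:00", "user": "asmith", "action": "LOGIN", "ip": "10.1.20.40"},
    {"ts": "2018-02-01T08:02:00", "user": "jdoe", "action": "LOGIN", "ip": "10.1.20.15"},
    {"ts": "2018-02-02T21:40:00", "user": "jdoe", "action": "PASSWORD_RESET", "ip": "198.51.100.77"},
    {"ts": "2018-02-02T21:44:00", "user": "jdoe", "action": "LOGIN", "ip": "198.51.100.77"},
    {"ts": "2018-02-02T21:46:00", "user": "jdoe", "action": "DIRECT_DEPOSIT_CHANGE", "ip": "198.51.100.77"},
    {"ts": "2018-02-03T09:10:00", "user": "asmith", "action": "LOGIN", "ip": "10.1.20.40"},
    {"ts": "2018-02-03T09:12:00", "user": "asmith", "action": "DIRECT_DEPOSIT_CHANGE", "ip": "10.1.20.40"},
]

WINDOW = timedelta(hours=48)

def find_suspicious_dd_changes(events, window=WINDOW):
    """Flag DIRECT_DEPOSIT_CHANGE events that follow a PASSWORD_RESET within
    `window`, or that come from an IP the user first logged in from less than
    `window` ago (i.e. not yet an established location for that account)."""
    last_reset = {}   # user -> time of most recent PASSWORD_RESET
    first_seen = {}   # (user, ip) -> time of first LOGIN from that IP
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        user, ip, action = e["user"], e["ip"], e["action"]
        if action == "PASSWORD_RESET":
            last_reset[user] = ts
        elif action == "LOGIN":
            first_seen.setdefault((user, ip), ts)
        elif action == "DIRECT_DEPOSIT_CHANGE":
            reasons = []
            reset_at = last_reset.get(user)
            if reset_at is not None and ts - reset_at <= window:
                reasons.append("password reset %s before the change" % (ts - reset_at))
            seen_at = first_seen.get((user, ip))
            if seen_at is None or ts - seen_at < window:
                reasons.append("IP %s is not an established login location for %s" % (ip, user))
            if reasons:
                alerts.append({"user": user, "ts": e["ts"], "ip": ip, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in find_suspicious_dd_changes(EVENTS):
        print(a["ts"], a["user"], a["ip"], "; ".join(a["reasons"]))
```

In the sample data only jdoe's change is flagged (on both counts); asmith's change comes from an IP established weeks earlier with no recent reset, so it passes as a normal banking update.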

This is a link to the original article:
https://www.lexology.com/library/detail.aspx?g=75685deb-06fc-4e47-a696-44843104f866

I suggest you send the following to your employees, friends, and family. You're welcome to copy, paste, and/or edit:

There is a new Direct Deposit phishing attack you need to watch out for. It's a sophisticated scam that starts with an official-looking email that asks you to click a link and access a website. Next, they ask you to confirm the data with your real username and password. Last, they use your info to access payroll portals and reroute your direct deposit amounts to bank accounts owned by the bad guys. The lesson here is to never give anyone your credentials in response to an email... Think Before You Click!

Microsoft Confirms: Sending Simulated Phishing Attacks to Your Employees Is a Must

Well, Microsoft just legitimized the whole new-school security awareness training market!

I'm pleased to note that Microsoft has finally acknowledged that organizations need to send simulated phishing attacks to their employees with the announcement of a new feature called Attack Simulator. Part of its online Office 365 offering, Attack Simulator allows an email admin to send phishing attacks to determine how employees respond.

We consider the addition of Attack Simulator to Microsoft’s online Office 365 offering a win for our industry. In adding this feature, Microsoft has done what it always does: observe the market for innovative companies that create new markets, and then include a ‘checkbox’ feature with limited functionality so that its marketing can say: ‘Yes, we do that’.

Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.


Written by:

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Reblogged by: Stephen Taylor