[BreachExchange] Diverting Employees’ Payroll Direct Deposits: The Latest Wave of Phishing Scams

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jan 31 20:41:40 EST 2018


Employers beware: Companies are experiencing a wave of phishing scams that
target employee paychecks. Here is the scenario: An employee receives, from
a company e-mail account, an e-mail that mimics a familiar and trusted company
service or resource, such as an e-signature request or a request to
complete a survey. The e-mail asks the employee to click a link, access a
website, or answer a few questions. It then directs the employee to
“confirm” his or her identity by providing his or her complete log-in
credentials. Skeptical employees who question the request via reply e-mail
receive a prompt response purporting to verify that the employee should
complete the steps contained in the link. The threat actors then use the
employee’s log-in credentials to access payroll portals, reroute direct
deposits to other accounts, and wreak other havoc upon the employer’s
network. In some versions of the scam, the attackers access employee e-mail accounts,
request a password change from the employer’s payroll service, and then use
the new log-in credentials to change direct deposit instructions.

The threat actors are doing substantial due diligence on the social
engineering side of things, and these e-mails look real. In many
circumstances, they are effectively spoofing the sender’s account, and
employers are learning of the scam when employees begin reporting that they
did not receive their direct deposits. By then, the damage has been done.

In addition to diverting funds, the scam creates a data breach for the
employer and triggers notification obligations. Failure to take prompt
action may result in penalties and liability to unsuspecting employers.

These scams are affecting employers nationwide without regard to their
payroll portals or payroll service providers.

Employers may want to immediately take the following precautions to avoid
security breaches as a result of these phishing scams:

- Alert your workforce to this scam.
- Direct employees to forward any suspicious requests to the information
technology or human resources departments, rather than replying to the
- Instruct employees to refrain from supplying log-in credentials or
personally identifying information in response to any e-mail.
- Ensure that log-in credentials used for payroll purposes differ from
those used for other purposes, such as employee surveys.
- Enforce (or, where necessary, establish) multifactor authentication.
- Review and update the physical, technical and personnel-related measures
taken to protect your sensitive information and data.
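The sequence described above (a payroll-portal password reset followed shortly by a direct-deposit change, often from an address the employee has never used) can be surfaced from the portal's audit log and held for out-of-band verification. The following detection script is an added example, not from the original post or any payroll vendor; the log layout, field names and the 24-hour window are assumptions, and the log entries are constructed.

```python
"""Flag direct-deposit changes that follow a recent password reset or
originate from a source IP the user was first seen from only recently.
Log format, field names and RESET_WINDOW are assumptions for this example."""
from datetime import datetime, timedelta

RESET_WINDOW = timedelta(hours=24)  # assumed review window

# Constructed sample audit events, in chronological order:
# (timestamp, user, event, source_ip)
SAMPLE_LOG = [
    ("2018-01-29 08:50:00", "alee",   "login",                 "10.0.0.34"),
    ("2018-01-29 09:02:10", "jsmith", "login",                 "10.0.0.21"),
    ("2018-01-30 08:55:41", "jsmith", "login",                 "10.0.0.21"),
    ("2018-01-30 13:10:05", "jsmith", "password_reset",        "203.0.113.7"),
    ("2018-01-30 13:12:48", "jsmith", "login",                 "203.0.113.7"),
    ("2018-01-30 13:14:02", "jsmith", "direct_deposit_change", "203.0.113.7"),
    ("2018-01-30 15:30:00", "alee",   "login",                 "10.0.0.34"),
    ("2018-01-30 15:31:12", "alee",   "direct_deposit_change", "10.0.0.34"),
]


def parse(entry):
    ts, user, event, ip = entry
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, event, ip


def flag_deposit_changes(log):
    """Return [(user, timestamp, [reasons])] for each direct-deposit change
    that (a) comes within RESET_WINDOW of a password reset for that user, or
    (b) comes from an IP this user was first seen from within RESET_WINDOW.
    A change with neither signal (alee above) is not flagged."""
    last_reset = {}   # user -> time of most recent password reset
    first_seen = {}   # (user, ip) -> first time the user appeared from ip
    flagged = []
    for ts, user, event, ip in map(parse, log):
        first_seen.setdefault((user, ip), ts)
        if event == "password_reset":
            last_reset[user] = ts
        elif event == "direct_deposit_change":
            reasons = []
            reset_at = last_reset.get(user)
            if reset_at is not None and ts - reset_at <= RESET_WINDOW:
                reasons.append("password reset %s before change" % (ts - reset_at))
            ip_age = ts - first_seen[(user, ip)]
            if ip_age <= RESET_WINDOW:
                reasons.append("source IP %s first seen %s ago" % (ip, ip_age))
            if reasons:
                flagged.append((user, ts, reasons))
    return flagged


if __name__ == "__main__":
    for user, ts, reasons in flag_deposit_changes(SAMPLE_LOG):
        print(user, ts, "; ".join(reasons))
```

Flagged changes are candidates for a hold and a phone or in-person confirmation with the employee, not automatic reversal.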