David Bisson

David Bisson is an infosec news junkie and security journalist. He works as Senior Content Manager at Bora, Associate Editor for Tripwire's "The State of Security" blog, Contributing Editor for IBM's Security Intelligence, and Contributing Writer for Palo Alto Networks' Security Roundtable, Gemalto, Venafi, Zix Corp, AlienVault, Barkly and others.

Criminals Conducting Payroll Diversion Scams After Obtaining Employee Credentials

Online criminals are attempting to steal employees’ credentials in order to conduct payroll diversion scams.

On 18 September, the FBI’s Internet Crime Complaint Center (IC3) announced that it’s been receiving reports of a new type of ploy. The scam, which primarily targets the education, healthcare and commercial airway transportation industries, starts when online criminals send out standard phishing emails designed to steal employees’ online credentials. Once successful, the bad actors leverage their targets’ stolen details to access their payroll accounts and change the bank account information contained therein. The malefactors make two changes in particular:

1. The criminals set a rule so that their targets won’t receive account notifications, including alerts for changes to their direct deposit settings.
2. Nefarious individuals change their targets’ direct deposit settings so that all future payments will be sent to an account under their control, primarily a prepaid card.

Ryan Kalember, senior vice president of cybersecurity strategy for Proofpoint, said that bad actors will continue to innovate new attack campaigns leveraging phishing techniques such as those described above. He explained that nefarious individuals are drawn to these social engineering tactics because of email’s potential yield as an attack vector:

“This FBI alert emphasizes the shift in the cybersecurity threat environment: people are the targets,” Kalember noted in a statement. “As organizations move from old HR systems to new SaaS-based alternatives, cybercriminals can steal payments entirely from the cloud, all without compromising a single endpoint or network.

“One well-crafted credential phishing email is all it takes to impersonate an employee and send a request to the payroll department, either asking for a paycheck to be rerouted to a new bank account or to reset payroll log-in details directly. The problem is that we trust email for these sensitive processes when email is an inherently unsecure channel. Email phishing attacks will continue to inundate trusted business systems because the attacks are cheap, easy, and can result in significant criminal payouts.”

Proofpoint recommends that consumers protect themselves against payroll diversion scammers by reviewing their accounts and verifying their credentials. The enterprise security firm also urges clients to check their bank accounts and confirm that their payroll checks are being delivered on a consistent basis. Finally, it urges consumers not to click on links within payroll emails and to contact IT security if they suspect they have clicked on a phishing email.

Organizations can help protect their employees against a phishing attack by training their staff to spot suspicious emails. Part of this process involves balancing the people-process-technology equation. To achieve this, organizations need to instruct their financial teams to implement validation processes for when employees and suppliers change bank accounts. They must also use a multi-layered security strategy to block most of the attack methods that computer criminals use.
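One way a payroll or security team could flag the two changes the IC3 alert describes (account notifications muted, then direct deposit redirected), shown as an added example that is not from the FBI, Proofpoint or the original article. The audit event schema, field names, sample events and 24-hour window are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample audit events; the schema and field names are hypothetical.
SAMPLE_EVENTS = [
    {"ts": "2018-09-10T08:02:00", "user": "alice", "action": "login", "detail": {}},
    {"ts": "2018-09-10T08:05:00", "user": "alice", "action": "notification_rule_set",
     "detail": {"suppress": ["direct_deposit_change"]}},
    {"ts": "2018-09-10T08:09:00", "user": "alice", "action": "direct_deposit_change",
     "detail": {"account_type": "prepaid_card"}},
    {"ts": "2018-09-11T14:00:00", "user": "bob", "action": "direct_deposit_change",
     "detail": {"account_type": "checking"}},
    {"ts": "2018-09-01T09:00:00", "user": "carol", "action": "notification_rule_set",
     "detail": {"suppress": ["direct_deposit_change"]}},
    {"ts": "2018-09-12T09:00:00", "user": "carol", "action": "direct_deposit_change",
     "detail": {"account_type": "checking"}},
]

WINDOW = timedelta(hours=24)  # assumed correlation window, tune per environment


def flag_payroll_diversion(events, window=WINDOW):
    """Return direct deposit changes that should be held for out-of-band verification."""
    last_suppression = {}  # user -> time deposit-change alerts were muted
    alerts = []
    # ISO 8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user, action, detail = ev["user"], ev["action"], ev.get("detail", {})
        if action == "notification_rule_set":
            if "direct_deposit_change" in detail.get("suppress", []):
                last_suppression[user] = ts
        elif action == "direct_deposit_change":
            reasons = []
            muted_at = last_suppression.get(user)
            if muted_at is not None and ts - muted_at <= window:
                reasons.append("alerts_suppressed_before_change")
            if detail.get("account_type") == "prepaid_card":
                reasons.append("prepaid_card_destination")
            if reasons:
                alerts.append({"user": user, "ts": ev["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in flag_payroll_diversion(SAMPLE_EVENTS):
        print(alert)
```

A flagged change is a candidate for the validation step described above, such as confirming the new account with the employee through a channel other than email before the next pay run.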

The best way for organizations to educate their employees is to conduct ongoing security awareness training using a variety of customizable phishing templates. Towards this end, companies could come up with their own phishing models, or they could rely on a solution that allows them to customize their templates, identify potentially vulnerable employees and recommend additional training exercises for those workers.
