A new FBI public service announcement warns of ongoing criminal campaigns targeting the online payroll accounts of employees in a variety of industries.
Phishing emails remain the number one tactic of these criminals. The emails are designed to capture an employee's payroll login credentials. Once a phished employee hands them over, the criminals sign in to the payroll account, add rules that silence the account's change notifications, and then change the bank account information so the employee's pay goes elsewhere.
Rules are added by the cyber-criminal to the employee’s account preventing the employee from receiving alerts regarding direct deposit changes. Direct deposits are then changed and redirected to an account controlled by the cyber-criminal, which is often a prepaid card. – Federal Bureau of Investigation
The FBI suggests nine mitigations for these threats:
- Alert and educate your workforce about this scheme, including preventative strategies and appropriate reactive measures should a breach occur.
- Instruct employees to hover their cursor over hyperlinks included in emails they receive to view the actual URL. Ensure the URL is actually related to or associated with the company it purports to be from.
- Instruct employees to refrain from supplying log-in credentials or personally identifying information in response to an email.
- Direct employees to forward suspicious requests for personal information to the information technology or human resources department.
- Ensure that log-in credentials used for payroll purposes differ from those used for other purposes, such as employee surveys.
- Apply heightened scrutiny to bank information initiated by employees seeking to update or change direct deposit credentials.
- Monitor employee logins that occur outside of normal business hours.
- Restrict access to the Internet on systems handling sensitive information or implement two-factor authentication for access to sensitive systems and information.
- Only allow the required processes to run on systems handling sensitive information.
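The second item in the list, hovering over a link to see where it really goes, is a check a mail gateway or help desk can automate. The following script is an added example, not code from the FBI PSA or from the original post: it pulls every anchor out of an HTML e-mail body, compares the host the reader sees in the link text with the host the link actually points to, and checks the real host against an assumed list of domains the company legitimately uses (`TRUSTED_DOMAINS`). The sample message is constructed, and the registrable-domain helper is a deliberate simplification (it takes the last two labels, so it will mis-handle suffixes such as `co.uk`).

```python
"""Flag e-mail hyperlinks whose visible text does not match their real target.

Added example, not from the FBI PSA or the original post. Automates the
"hover over the link" check: for each <a> in an HTML e-mail, compare the host
the user *sees* with the host the link actually goes to, then check the real
host against the domains the company legitimately uses (assumed list).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: domains that payroll/HR mail at this company legitimately links to.
TRUSTED_DOMAINS = {"example-payroll.com", "example.com"}


def registrable_domain(host):
    """Crude approximation: last two labels (ignores suffixes like co.uk).
    Bare IP addresses are returned unchanged."""
    host = host.lower().strip(".")
    if host.replace(".", "").isdigit():
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def host_of(text):
    """Return the host of a URL-looking string, or None if it is not one."""
    candidate = text.strip()
    if " " in candidate:          # "Payroll help desk" is prose, not a URL
        return None
    if "://" not in candidate:
        candidate = "http://" + candidate
    hostname = urlparse(candidate).hostname
    # require a dotted host so a single word is not treated as a URL
    if hostname and "." in hostname:
        return hostname
    return None


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every anchor in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def audit_links(html_body, trusted=TRUSTED_DOMAINS):
    """Return findings as (visible_text, href, reason) tuples."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for text, href in collector.links:
        real_domain = registrable_domain(urlparse(href).hostname or "")
        shown_host = host_of(text)
        if shown_host and registrable_domain(shown_host) != real_domain:
            findings.append((text, href, "visible URL does not match real target"))
        elif real_domain not in trusted:
            findings.append((text, href, "target domain is not a trusted company domain"))
    return findings


# Constructed sample message: a lookalike link, an honest link, a raw-IP link.
SAMPLE_EMAIL = """
<p>Your direct deposit details need confirmation.</p>
<a href="https://example-payroll.com.login-update.biz/verify">https://example-payroll.com/verify</a>
<br>
<a href="https://example-payroll.com/help">Payroll help desk</a>
<br>
<a href="http://198.51.100.23/reset">Reset password</a>
"""

if __name__ == "__main__":
    for text, href, reason in audit_links(SAMPLE_EMAIL):
        print(f"{reason}: '{text}' -> {href}")
```

The first sample link is the classic trick the hover check is meant to catch: the visible text shows the company's payroll domain while the `href` lands on `login-update.biz`. The third link is flagged only because its target is not a trusted domain, which is the weaker of the two signals and the one that needs an accurate allow-list to be useful.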
These suggestions are also listed on the FBI website. The first four have one thing in common: security awareness training. They only work if employees recognize a phishing email and know what to do with it. The remaining five are technical controls (separate payroll credentials, verification of direct deposit changes, login monitoring, two-factor authentication and restricting what runs on sensitive systems) that limit the damage when an employee does not. Most successful attacks of this kind begin with user error or a lack of awareness. The most effective defense is to educate your workforce and test them continually, which is a specialty of several cybersecurity and IT companies, and to back that training with the technical controls above. As an employer or manager, it is worth educating yourself on these methods as well.
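The FBI's own description of the scheme (alerts silenced first, direct deposit redirected second) and its advice to scrutinize direct deposit changes and watch for off-hours logins translate directly into a detection over the payroll system's audit log. The script below is an added example, not code from the FBI or the original post; the event names, field names and JSON-lines log format are assumptions about a hypothetical payroll system, the business hours are assumed, and the log lines are constructed. It flags logins outside business hours and, more usefully, any direct deposit change on an account whose change notifications were switched off shortly beforehand, so that those changes can be verified with the employee out of band before the next pay run.

```python
"""Detect the payroll-diversion sequence the FBI PSA describes in an audit log.

Added example, not from the FBI or the original post. Event names, field names
and the log format are assumed; the sample lines are constructed. Automates two
of the FBI mitigations: heightened scrutiny of direct-deposit changes (here,
those preceded by an alert-suppressing rule change on the same account) and
flagging logins outside normal business hours.
"""
import json
from datetime import datetime, time, timedelta

BUSINESS_START = time(7, 0)              # assumed local business hours
BUSINESS_END = time(19, 0)
SUSPICIOUS_WINDOW = timedelta(hours=24)  # alerts off -> deposit changed

# Constructed sample audit log (JSON lines, local time). Account and routing
# numbers are placeholders.
SAMPLE_LOG = """\
{"ts": "2018-09-10T09:12:00", "user": "jdoe", "event": "login", "src_ip": "10.1.4.22"}
{"ts": "2018-09-10T23:41:10", "user": "asmith", "event": "login", "src_ip": "203.0.113.9"}
{"ts": "2018-09-10T23:43:02", "user": "asmith", "event": "notification_rule_changed", "detail": "direct_deposit_alerts=off"}
{"ts": "2018-09-11T00:02:45", "user": "asmith", "event": "direct_deposit_changed", "detail": "routing=123456789 acct=***7781"}
{"ts": "2018-09-11T10:30:00", "user": "jdoe", "event": "direct_deposit_changed", "detail": "routing=987654321 acct=***2210"}
"""


def parse_log(text):
    """Parse JSON lines into event dicts with datetime timestamps, oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def off_hours_logins(events):
    """Logins outside business hours by clock time (weekends not handled)."""
    return [e for e in events
            if e["event"] == "login"
            and not (BUSINESS_START <= e["ts"].time() < BUSINESS_END)]


def diversion_candidates(events, window=SUSPICIOUS_WINDOW):
    """Direct-deposit changes preceded, within `window`, by a rule change that
    turned the account's alerts off. These need out-of-band verification."""
    last_alerts_off = {}
    findings = []
    for e in events:
        if e["event"] == "notification_rule_changed" and "=off" in e.get("detail", ""):
            last_alerts_off[e["user"]] = e["ts"]
        elif e["event"] == "direct_deposit_changed":
            prior = last_alerts_off.get(e["user"])
            if prior is not None and e["ts"] - prior <= window:
                findings.append({
                    "user": e["user"],
                    "alerts_disabled_at": prior,
                    "deposit_changed_at": e["ts"],
                })
    return findings


def triage(text):
    """Run both detections over a log and return the findings."""
    events = parse_log(text)
    return {
        "off_hours_logins": off_hours_logins(events),
        "diversion_candidates": diversion_candidates(events),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for e in report["off_hours_logins"]:
        print(f"off-hours login: {e['user']} at {e['ts']} from {e['src_ip']}")
    for f in report["diversion_candidates"]:
        print(f"verify direct-deposit change for {f['user']}: alerts disabled "
              f"{f['alerts_disabled_at']}, deposit changed {f['deposit_changed_at']}")
```

In the sample, `jdoe`'s deposit change during business hours with alerts still on is left alone, while `asmith`'s late-night login followed by alerts being switched off and a new bank account twenty minutes later is exactly the pattern the FBI describes. The alert-suppression signal matters because it is the step that removes the employee from the loop; a deposit change on its own is routine, but one the employee cannot be notified about deserves a phone call before the next pay run.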
The FBI asks that you report any attack like this by filing a complaint at the IC3 website (www.ic3.gov), especially if it matches this payroll scheme. To help combat these and other security threats, Queen Consulting and Technologies offers security awareness training, as well as many other ways of protecting your data and personal information and securing your computer systems. We strongly encourage you to ask us for a free security and breach analysis of your systems and network, a no-strings-attached security evaluation. Can you afford not to do it?