By Walt Westfall, Director of IT Transformation, cStor
Hey folks… it’s not about you; it’s now about your Direct Deposit.
Did you know more than 82% of the U.S. workforce gets their hard-earned dollars via direct deposit into their favorite financial institution account?
More importantly, that’s how my employer provides me my compensation!
Beware, fellow employees. Our beloved payroll process is being exposed to a new wave of phishing scams that specifically target our paychecks. Worse yet, these cunning scammers are actually rerouting our direct payroll deposits from our financial institutions to their own banks and accounts.
Let me underscore: this is a REAL cybersecurity scam and a tremendous threat!!
If this ever happened to me personally, here is how it would likely play out . . .
- I would get an email from a company email account that mimicked a familiar and trusted company service (it could also have been an e-signature request or a request to complete a survey).
- The e-mail would ask me to click a link, which I would do, because I know I have security software that might stop an email-borne cyber-attack. The email might instead ask me to visit a website or answer a few survey questions. Good thing I’m way too smart to fall for that ploy.
- It would then direct me (as the “employee”) to “confirm my identity” by providing my log-in credentials.
- I’m a cautious and skeptical employee, so I would question the request via a reply e-mail.
- I would then receive a prompt response purporting to verify that I should complete the steps in the link. Of course, when you get such a quick reply to your reply, it’s an automated response in the attacker’s attempt to get you to fall for the initial scheme.
Of course, I didn’t fall for it… but many people likely will because of the sophisticated spoofing techniques used to craft emails that appear to come legitimately from your own company.
As of this post, I’m still not quite sure how they did it. However, I do know that the threat actors would then use my log-in credentials to access payroll portals, reroute direct deposits to other accounts and wreak utter havoc upon my employer’s entire network.
In some versions of the scam, hackers access employee e-mails to request a password change from the employer’s payroll service and then use the new log-in credentials to change direct deposit instructions.
If you’re good with that, then no need to read on.
Hopefully not! So back to reality…
It’s interesting that threat actors are doing substantial due diligence on the social engineering side of things to make these e-mails look real. In many cases, they are spoofing the sender’s account. Employers are learning of the scam when employees begin reporting that they did not receive their direct deposits. Talk about a mess.
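The sender spoofing described above leaves traces that a mail gateway or a help-desk triage script can check before anyone clicks. The following is an added example, not code from the author or from cStor: it parses a constructed message and reports the classic indicators of a lookalike payroll notice. It assumes the employer's mail domain is `example.com`, that the receiving mail server stamps an `Authentication-Results` header, and that a genuine company notice would only link to company hosts; the sample messages and their header values are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: the employer's own mail domain

# Constructed sample: a "payroll" notice whose From header claims the company
# domain, but whose authentication results, Reply-To and link do not match it.
SUSPICIOUS_EMAIL = """\
From: HR Payroll <payroll@example.com>
Reply-To: payroll-support@example-hr-portal.net
To: employee@example.com
Subject: Action required: confirm your direct deposit details
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=example-hr-portal.net;
 dkim=none;
 dmarc=fail header.from=example.com
Content-Type: text/plain; charset=utf-8

Please confirm your identity to continue receiving direct deposit:
https://example-hr-portal.net/login
"""

# Constructed sample: a genuine notice for contrast (passes every check).
LEGITIMATE_EMAIL = """\
From: HR Payroll <payroll@example.com>
To: employee@example.com
Subject: Pay stub available
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain; charset=utf-8

Your pay stub is available at https://payroll.example.com/stubs
"""

FAILING_RESULTS = ("fail", "softfail", "permerror", "temperror")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)


def domain_of(address_header: str) -> str:
    """Return the lower-cased domain part of an address header, or '' if none."""
    return parseaddr(address_header)[1].rpartition("@")[2].lower()


def auth_result(msg, mechanism: str):
    """Extract the result (pass/fail/none/...) for spf, dkim or dmarc."""
    header = " ".join(msg.get_all("Authentication-Results", []))
    match = re.search(rf"\b{mechanism}=(\w+)", header)
    return match.group(1).lower() if match else None


def spoof_indicators(raw_message: str) -> list:
    """Return a list of human-readable reasons the message looks like a spoof."""
    msg = message_from_string(raw_message)
    reasons = []
    from_domain = domain_of(msg.get("From", ""))

    if from_domain == COMPANY_DOMAIN:
        # A message claiming our own domain must authenticate as our domain.
        for mechanism in ("spf", "dkim", "dmarc"):
            result = auth_result(msg, mechanism)
            if result in FAILING_RESULTS:
                reasons.append(f"{mechanism}={result} for a message claiming {COMPANY_DOMAIN}")
        # Replies are steered elsewhere: the "quick reply to your reply" trick.
        reply_domain = domain_of(msg.get("Reply-To", ""))
        if reply_domain and reply_domain != from_domain:
            reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Any link that leaves the company's domain is worth a second look.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    for host in URL_HOST_RE.findall(body):
        host = host.lower()
        if host != COMPANY_DOMAIN and not host.endswith("." + COMPANY_DOMAIN):
            reasons.append(f"link to external host {host}")
    return reasons


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("legitimate", LEGITIMATE_EMAIL)):
        print(label, "->", spoof_indicators(raw) or "no indicators")
```

Any one of these indicators is enough for the help desk to treat the message as a report rather than a request; none of them requires the employee to judge how "real" the email looks.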
In addition to diverting funds, the scam creates a data breach. Can you say, “RUH-ROW!?” Failure to take prompt action may result in penalties and liability to unsuspecting employers. And given the litigious nature of our society today, I can only imagine what else might ensue.
It’s important to note that these scams are affecting employers and employees nationwide regardless of which payroll portal or payroll service provider they use. Employers and employees should take immediate precautions to avoid security breaches as a result of these phishing scams.
Here are our best recommendations based on what we currently know:
- If you are an employer, immediately alert your workforce to this scam.
- If you are an employee, alert your employer.
- You could forward any suspicious requests to the information technology or human resources departments if you want. I tend to delete them.
- It might be a good time to remind employees to refrain from supplying log-in credentials or personally identifying information in response to any e-mail. Just saying . . .
- Enforce or, where necessary, establish multifactor authentication.
- As a last suggestion, review and update the physical, technical and personnel-related measures your company has in place to protect your sensitive information and data.
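The attack chain described earlier (stolen credentials or a forced password reset, then a change to direct deposit instructions) also leaves a trail in the payroll portal's own audit log, and the last recommendation above is a good moment to start reviewing it. The following is an added example, not code from the author or from cStor, and the event names, field names and IP addresses are constructed assumptions rather than any real payroll product's schema. It applies three checks that a payroll or HR team can run over an exported audit trail: a deposit change shortly after a password reset, a deposit change from an address the employee has never used before, and several employees being redirected to the same destination account.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (JSON lines). E100 resets a password and changes
# deposit details minutes later; E101 is redirected to the same account from a
# never-seen address; E102 is a genuine change from a long-used address.
AUDIT_LOG = """\
{"ts": "2024-03-01T09:02:11", "event": "login", "employee": "E100", "ip": "203.0.113.5"}
{"ts": "2024-03-01T09:05:40", "event": "password_reset", "employee": "E100", "ip": "203.0.113.5"}
{"ts": "2024-03-01T09:07:02", "event": "direct_deposit_change", "employee": "E100", "ip": "203.0.113.5", "account": "ROUTE-A/ACCT-9001"}
{"ts": "2024-03-01T11:30:00", "event": "login", "employee": "E101", "ip": "198.51.100.7"}
{"ts": "2024-03-01T11:31:15", "event": "direct_deposit_change", "employee": "E101", "ip": "198.51.100.7", "account": "ROUTE-A/ACCT-9001"}
{"ts": "2024-02-20T08:00:00", "event": "login", "employee": "E102", "ip": "192.0.2.44"}
{"ts": "2024-03-02T14:00:00", "event": "login", "employee": "E102", "ip": "192.0.2.44"}
{"ts": "2024-03-02T14:01:30", "event": "direct_deposit_change", "employee": "E102", "ip": "192.0.2.44", "account": "ROUTE-B/ACCT-1234"}
"""

RESET_WINDOW = timedelta(hours=24)  # a change this soon after a reset is suspicious
IP_BASELINE = timedelta(days=7)     # an address counts as "known" only after this long


def parse_events(raw: str) -> list:
    """Parse JSON lines into dicts with datetime timestamps, oldest first."""
    events = [json.loads(line) for line in raw.splitlines() if line.strip()]
    for event in events:
        event["ts"] = datetime.fromisoformat(event["ts"])
    return sorted(events, key=lambda e: e["ts"])


def flag_deposit_changes(raw: str) -> list:
    """Return (employee, reason) findings for suspicious direct deposit changes."""
    findings = []
    first_seen = defaultdict(dict)  # employee -> ip -> first timestamp seen
    last_reset = {}                 # employee -> timestamp of latest password reset
    by_account = defaultdict(set)   # destination account -> employees moved to it

    for event in parse_events(raw):
        emp, ts, ip = event["employee"], event["ts"], event["ip"]
        first_seen[emp].setdefault(ip, ts)

        if event["event"] == "password_reset":
            last_reset[emp] = ts
        elif event["event"] == "direct_deposit_change":
            by_account[event["account"]].add(emp)
            if emp in last_reset and ts - last_reset[emp] <= RESET_WINDOW:
                findings.append((emp, "deposit change within 24h of a password reset"))
            if ts - first_seen[emp][ip] < IP_BASELINE:
                findings.append((emp, f"deposit change from {ip}, first seen less than 7 days ago"))

    # One destination collecting several employees' pay is the clearest signal.
    for account, employees in by_account.items():
        if len(employees) > 1:
            for emp in sorted(employees):
                others = len(employees) - 1
                findings.append((emp, f"destination {account} shared with {others} other employee(s)"))
    return findings


if __name__ == "__main__":
    for employee, reason in flag_deposit_changes(AUDIT_LOG):
        print(f"{employee}: {reason}")
```

In a real deployment the natural response to any finding is to hold the change and confirm it with the employee out of band (by phone or in person, never by replying to the email that triggered it), and to pair this review with the multifactor authentication and workforce alerts recommended above.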
So, what’s the moral to the story?
Never give anyone your credentials in response to an email? Yes. Keep your passwords hidden in a file on your PC? Maybe not.
How about, “Think Before You Click!” And, notify your employer as quickly as possible.
Oh, and GOOD LUCK! It’s getting tougher and tougher out there!