Using advanced cybersecurity technology and user education can help stem the flow of money into the wrong hands.

Stealing money has been the obvious focus for cybercriminals for as long as cyberattacks have taken place, and this shows no signs of changing.

According to new info from the US Federal Bureau of Investigation (FBI), business email compromise and email account compromise attacks resulted in the loss of over $12.5 billion between October 2013 and May 2018.

Now, a particularly sophisticated social engineering attack delivered by phishing emails aims to add even more funds to the coffers of attackers.

The FBI's Internet Crime Complaint Center (IC3) released a report on a new phishing attack aimed at stealing employees' login credentials for their online payroll accounts, according to Dark Reading.

These attacks start with a phishing email that leads employees to fake payroll processing websites under the control of the attackers, where they are prompted to log in. The newly harvested credentials allow the threat actor to change the employee's bank account details to an account under the attacker's control and to add rules so the victim does not receive alerts about direct deposit and other changes. From there, money is moved quickly to an account that can't be reached by the banking system.

To combat this kind of attack, the IC3 recommends that companies alert and educate employees and implement further preventative controls. According to Dark Reading, IC3 suggests users be aware that not all URLs in an email are what they appear to be and to be vigilant before clicking. They should also know never to provide personally identifiable information (PII) or any login information over email, to anyone.

Why Attack Online Payroll Accounts?

Because that is where the money is! These attacks targeting online payroll accounts are just further examples of cybercriminals using standard operating procedure to get at someone else's money. Email-based phishing that combines social engineering with website fakery has proven to be one of the most effective ways for criminals to get paid.

And going after online payroll accounts makes a lot of sense as it is a direct line to a lot of easy money that someone might not notice for a while.

How to Stop Payroll Account Attacks

While the recommendations given by the IC3 are sound, they miss several key ones.

Firstly, multi-factor authentication (MFA) should be used on all valuable or sensitive accounts such as these. Using MFA makes it much harder for attackers to steal and reuse credentials to execute an attack.

Second, while "instructing" employees to check URLs before clicking them makes sense for technical people who understand what URLs are, for the regular "man on the street" this is asking too much.

What is needed is a combination of better technical controls that detect and automatically protect against malicious impersonating websites such as these, and a higher level of user education and awareness training that lets people know these types of attacks can and do occur, so that they can be more cautious.

And finally, a clear best practice is that any change to an account should be logged and reported to the original address for that account. While the attacker may be able to change the bank routing information and email address of the account, a notice of this change should always go to the original email or account address, outside the control of whoever is controlling the account at that time.
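The following is an added example, not code from the original post or from any payroll vendor, of how the last two points can be built into a payroll self-service application: every change to a sensitive field is written to an append-only audit trail, and a notice is always sent to the address of record from HR onboarding (`enrolled_email`), which self-service users cannot edit and which ignores the in-account alert preference. It also includes a small detection routine that flags a bank-detail change made shortly after the contact email was changed or alerts were disabled, the sequence the post describes. All class names, field names, addresses and the employee record are assumptions constructed for illustration.

```python
"""Change-notification, audit and detection control for a payroll
self-service profile. Added example; not the post's or any vendor's code.
Every name, record and address below is constructed for illustration."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class PayrollProfile:
    employee_id: str
    enrolled_email: str          # HR system-of-record address; NOT editable here
    contact_email: str           # self-service editable
    bank_routing: str
    bank_account: str
    alerts_enabled: bool = True  # user preference; mandatory notices ignore it


@dataclass(frozen=True)
class ChangeEvent:
    employee_id: str
    field_name: str
    old_value: str
    new_value: str
    actor: str
    at: datetime


EDITABLE = ("contact_email", "bank_routing", "bank_account", "alerts_enabled")


def _mask(value: str) -> str:
    """Show only the last four characters of an account-style value."""
    return "*" * (len(value) - 4) + value[-4:] if len(value) > 4 else value


class ProfileService:
    def __init__(self, notifier: Callable[[str, str], None], clock=None):
        self.notifier = notifier  # (recipient address, message) -> None
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.profiles: Dict[str, PayrollProfile] = {}
        self.audit_log: List[ChangeEvent] = []

    def enroll(self, profile: PayrollProfile) -> None:
        self.profiles[profile.employee_id] = profile

    def update_field(self, employee_id, field_name, new_value, actor) -> Optional[ChangeEvent]:
        if field_name not in EDITABLE:
            raise ValueError(f"field not editable via self-service: {field_name}")
        current = self.profiles[employee_id]
        old_value = getattr(current, field_name)
        if old_value == new_value:
            return None
        event = ChangeEvent(employee_id, field_name, str(old_value),
                            str(new_value), actor, self.clock())
        self.audit_log.append(event)  # 1. append-only audit trail, whoever made the change
        # 2. Mandatory notice to the address of record, captured BEFORE the
        #    profile is mutated and regardless of the alerts_enabled preference.
        self.notifier(current.enrolled_email, self._notice(event))
        self.profiles[employee_id] = replace(current, **{field_name: new_value})
        return event

    @staticmethod
    def _notice(ev: ChangeEvent) -> str:
        shown = _mask if ev.field_name.startswith("bank_") else str
        return (f"Payroll profile change for {ev.employee_id}: {ev.field_name} "
                f"changed from {shown(ev.old_value)} to {shown(ev.new_value)} "
                f"by {ev.actor} at {ev.at.isoformat()}. "
                "If you did not make this change, contact payroll immediately.")


def flag_suspicious(audit_log: List[ChangeEvent], window=timedelta(hours=24)) -> List[ChangeEvent]:
    """Flag bank-detail changes preceded, within `window`, by a contact-email
    change or by alerts being disabled on the same profile."""
    flagged = []
    for ev in audit_log:
        if ev.field_name not in ("bank_routing", "bank_account"):
            continue
        precursors = [p for p in audit_log
                      if p.employee_id == ev.employee_id
                      and p.at <= ev.at and ev.at - p.at <= window
                      and (p.field_name == "contact_email"
                           or (p.field_name == "alerts_enabled" and p.new_value == "False"))]
        if precursors:
            flagged.append(ev)
    return flagged


def demo():
    """Constructed scenario: the change sequence the post describes, replayed
    against the control. Returns (notices sent, flagged events)."""
    sent = []
    now = [datetime(2018, 8, 1, 9, 0, tzinfo=timezone.utc)]
    svc = ProfileService(notifier=lambda to, msg: sent.append((to, msg)),
                         clock=lambda: now[0])
    svc.enroll(PayrollProfile("E1001", "alice@corp.example", "alice@corp.example",
                              "021000021", "12345678"))
    actor = "self-service:E1001"  # constructed session using the stolen credentials
    svc.update_field("E1001", "alerts_enabled", False, actor)
    now[0] += timedelta(minutes=5)
    svc.update_field("E1001", "contact_email", "alice.payroll@mailbox.example", actor)
    now[0] += timedelta(minutes=5)
    svc.update_field("E1001", "bank_account", "99887766", actor)
    return sent, flag_suspicious(svc.audit_log)


if __name__ == "__main__":
    for to, msg in demo()[0]:
        print(to, "<-", msg)
```

In the scenario, all three notices reach the enrolled HR address even though the attacker disabled alerts and rewrote the contact email first, and the bank-account change is the one event the detection routine flags. Account numbers are masked in the notice so the message itself does not leak the new destination account.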
