Email Security

    New Phishing Attack Targets Online Payroll Systems

    Using advanced cybersecurity technology and user education can help stem the flow of money into the wrong hands.

    by Matthew Gardiner

    Stealing money has been the obvious focus for cybercriminals for as long as cyberattacks have taken place, and this shows no signs of changing.

    According to new info from the US Federal Bureau of Investigation (FBI), business email compromise and email account compromise attacks resulted in the loss of over $12.5 billion between October 2013 and May 2018.

    Now, a particularly sophisticated social engineering attack delivered by phishing emails aims to add even more funds to the coffers of attackers.

    The FBI's Internet Crime Complaint Center (IC3) released a report of a new phishing attack aimed at stealing employees' login credentials to their online payroll accounts, according to Dark Reading

    These attacks start with a phishing email that leads employees to fake payroll processing web sites under the control of the attackers where they are prompted to login. These newly harvested credentials allows the threat actor to change the employees bank account data to one that is under the control of the attacker and to add rules so the victim doesn't receive alerts regarding direct deposit and other changes. From there, money is moved quickly to an account that can’t be reached by the banking system.

    To combat this kind of attack, the IC3 is recommending companies alert and educate employees and implement further preventative controls. According to Dark Reading, IC3 is suggesting users be aware that not all URLs in an email are what they appear and to be vigilant before clicking. They should also know not to provide personally identifiable information (PII) or any login information over email—to anyone.

    Why Attack Online Payroll Accounts?

    Because that is where the money is! These attacks targeting online payroll accounts are just further examples of cybercriminals using standard-operating-procedure to get at someone else’s money. Email-based phishing combining social engineering and web site fakery is proven to be one of the most effective ways for criminals to get paid. 

    And going after online payroll accounts makes a lot of sense as it is a direct line to a lot of easy money that someone might not notice for a while.

    How to Stop Payroll Account Attacks

    While the recommendations given by the IC3 are sound, it misses several key ones.

    Firstly, multi-factor authentication (MFA) should be used on all valuable or sensitive accounts such as this. Using MFA makes it much harder for attackers to steal and reuse credentials to execute an attack. 

    Second, while “instructing” employees to check out URLs before clicking them makes sense for technical people that understand what URLs are, for the regular “man-on-the-street” this is asking too much. 

    What is needed is a combination of better technical controls to detect and automatically protect against malicious impersonating web sites such as these and higher level of user education and awareness training to let people know that these types of attacks can and do occur, so that they can be more cautious.

    And finally, a clear best practice is that any change to an account should be logged and reported to the original address for that account. While the attacker maybe able to change the bank routing information and email address of the account, a notice of this change should always go to the original email or account address, outside of the control of whomever is controlling the account at that time.

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top