New Phishing Attack Targets Online Payroll Systems

Stealing money has been the obvious focus for cybercriminals for as long as cyberattacks have taken place, and this shows no signs of changing.

According to new info from the US Federal Bureau of Investigation (FBI), business email compromise and email account compromise attacks resulted in the loss of over $12.5 billion between October 2013 and May 2018.

Now, a particularly sophisticated social engineering attack delivered by phishing emails aims to add even more funds to the coffers of attackers.

The FBI's Internet Crime Complaint Center (IC3) released a report of a new phishing attack aimed at stealing employees' login credentials to their online payroll accounts, according to Dark Reading. 

These attacks start with a phishing email that leads employees to fake payroll processing web sites under the control of the attackers where they are prompted to login. These newly harvested credentials allows the threat actor to change the employees bank account data to one that is under the control of the attacker and to add rules so the victim doesn't receive alerts regarding direct deposit and other changes. From there, money is moved quickly to an account that can’t be reached by the banking system.

To combat this kind of attack, the IC3 is recommending companies alert and educate employees and implement further preventative controls. According to Dark Reading, IC3 is suggesting users be aware that not all URLs in an email are what they appear and to be vigilant before clicking. They should also know not to provide personally identifiable information (PII) or any login information over email—to anyone.

Why Attack Online Payroll Accounts?

Because that is where the money is! These attacks targeting online payroll accounts are just further examples of cybercriminals using standard-operating-procedure to get at someone else’s money. Email-based phishing combining social engineering and web site fakery is proven to be one of the most effective ways for criminals to get paid. 

And going after online payroll accounts makes a lot of sense as it is a direct line to a lot of easy money that someone might not notice for a while.

How to Stop Payroll Account Attacks

While the recommendations given by the IC3 are sound, it misses several key ones.

Firstly, multi-factor authentication (MFA) should be used on all valuable or sensitive accounts such as this. Using MFA makes it much harder for attackers to steal and reuse credentials to execute an attack. 

Second, while “instructing” employees to check out URLs before clicking them makes sense for technical people that understand what URLs are, for the regular “man-on-the-street” this is asking too much. 

What is needed is a combination of better technical controls to detect and automatically protect against malicious impersonating web sites such as these and higher level of user education and awareness training to let people know that these types of attacks can and do occur, so that they can be more cautious.

And finally, a clear best practice is that any change to an account should be logged and reported to the original address for that account. While the attacker maybe able to change the bank routing information and email address of the account, a notice of this change should always go to the original email or account address, outside of the control of whomever is controlling the account at that time.