Payroll Diversion Warning

In September the FBI released an announcement alerting organizations to cyber criminal activity targeting the online payroll systems of various industries, including education, healthcare and commercial air transportation.

These targeted attacks consisted of phishing e-mails sent to employees in an effort to collect their login credentials. After obtaining the credentials, the attacker attempted to log in to the organization’s web mail server as well as the online payroll system. Once in the victim’s mailbox, the attacker created rules to automatically delete mail containing keywords such as ‘Human Resources’, ‘Finance’, ‘Payroll’ and ‘Direct Deposit’. With the rules in place, the attacker then accessed the online payroll system, redirected the victim’s direct deposit to an account controlled by the criminal, and waited for the next pay period.

Here’s an example from an organization that had a near miss:

  • Phishing email sent to User X
    • User X clicks link
    • User X enters login info
    • Cyber Criminal has now captured login information for User X
  • A week later HR receives e-mail from User X asking what they need to do to change direct deposit
    • HR responds with forms
    • Cyber Criminal replies with the filled-out forms and a scanned voided check for another bank (as required by their HR department)
  • HR notices that the signature on the form doesn’t match User X’s signature on another document and contacts IS
    • IS shuts down account
  • Investigation reveals the following
    • Attackers had been in for several weeks monitoring and studying HR/Finance processes and contacts.
      • Keywords found in the mailbox rules created for auto-delete:
        • HR
        • Human Resources
        • Phishing
        • Fraud
        • Direct Deposit
        • Bank
        • Etc.
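The auto-delete rules described above and in the investigation findings are something an e-mail administrator can audit for. The following is an added example, not part of the original article or any vendor tool: it reviews a constructed set of inbox rules (field names are an assumed, simplified schema, not a real Exchange or Graph API layout) and flags rules that hide mail matching the payroll-related keywords from this incident; it also goes beyond the incident by flagging rules that forward mail to an external address.

```python
import re

# Terms the attackers used in their auto-delete rules (from the incident above),
# compared case-insensitively as whole words so "hr" does not match "three".
PAYROLL_KEYWORDS = ["hr", "human resources", "payroll", "finance",
                    "direct deposit", "bank", "phishing", "fraud"]

# Rule actions that keep a matching message out of the user's sight.
HIDING_ACTIONS = {"delete", "move_to_deleted_items", "move_to_junk", "mark_as_read"}

# Constructed sample rules (assumption: illustrative field names, not a real schema).
# "conditions" lists the text the rule matches on, "actions" what it does.
SAMPLE_RULES = [
    {"mailbox": "user.x@example-hospital.org", "name": "..",
     "conditions": ["Direct Deposit", "Payroll", "HR"],
     "actions": ["delete", "mark_as_read"]},
    {"mailbox": "user.x@example-hospital.org", "name": "fwd",
     "conditions": [], "actions": ["forward"],
     "forward_to": "mail@attacker-example.net"},
    {"mailbox": "user.y@example-hospital.org", "name": "Newsletters",
     "conditions": ["newsletter", "weekly digest"], "actions": ["move_to_folder"]},
]


def keyword_hits(texts):
    """Return the payroll-related keywords found in any of the given strings."""
    joined = " ".join(texts).lower()
    return [k for k in PAYROLL_KEYWORDS
            if re.search(r"\b" + re.escape(k) + r"\b", joined)]


def assess_rule(rule, internal_domain):
    """Return the reasons a rule looks like payroll-diversion tradecraft (empty if benign)."""
    reasons = []
    hits = keyword_hits(rule.get("conditions", []))
    hiding = HIDING_ACTIONS.intersection(rule.get("actions", []))
    if hits and hiding:
        reasons.append(f"hides mail matching {hits} via {sorted(hiding)}")
    fwd = rule.get("forward_to")
    if fwd and not fwd.lower().endswith("@" + internal_domain):
        reasons.append(f"forwards to external address {fwd}")
    return reasons


def find_suspicious_rules(rules, internal_domain="example-hospital.org"):
    """Return (mailbox, rule name, reasons) for every rule with at least one finding."""
    findings = []
    for rule in rules:
        reasons = assess_rule(rule, internal_domain)
        if reasons:
            findings.append((rule["mailbox"], rule["name"], reasons))
    return findings


if __name__ == "__main__":
    for mailbox, name, reasons in find_suspicious_rules(SAMPLE_RULES):
        print(f"{mailbox} rule {name!r}: {'; '.join(reasons)}")
```

In practice the rule records would be exported from the mail platform's administrative interface and reviewed on a schedule, with any hit confirmed with the mailbox owner through a channel other than e-mail.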

To protect your account and credentials, we have strict rules set on our mail filter to prevent phishing attempts from getting through. Unfortunately, from time to time one slips through, and at that point you are the last line of defense. Please take some time to familiarize yourself with our recommendations on how to identify potentially malicious e-mail. This will help protect both the Hospital and your personal information from falling into the hands of cyber criminals.

Please contact us if you have any questions or concerns regarding this article.