A New Twist To An Old Scam

In the past, scammers targeted departments responsible for issuing payroll, often spoofing the emails of authority figures to obtain detailed records.

A recent LEXOCOLOGY post warns that scammers are now zeroing in on the employees themselves, a tactic that could cost workers plenty while posing a serious cyber-threat to organizations of all sizes.

Here’s how this new twist to an old scam works:

A hacker sends a convincing phishing email to an employee from what appears to be a company email account, asking him or her to take an action such as clicking a link or visiting a website.

Once the employee complies, they are asked for their company login credentials, supposedly to confirm their identity.

The new twist: if the employee questions the request by replying to the email, the reply goes to the scammers, who answer promptly and insist that compliance is required.

Once the target complies, the criminals use the stolen credentials to access payroll accounts, rerouting the employee's direct deposits to accounts under their control. In some cases, depending on the access level of the target, the hackers can gain entry to the entire company payroll system (and sometimes beyond).
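The three tells in the scam described above (a sender address that only looks like the company's, a Reply-To that quietly sends the employee's question to the scammers, and a link to a lookalike site that asks for credentials) can all be checked mechanically before the message reaches an inbox or during incident triage. The following Python script is an added example, not code from the original post or from XSolutions; the company domain `acme-example.com`, the brand name `acme`, and both sample messages are constructed for illustration.

```python
"""Triage checks for a payroll-themed credential-phishing email.

Added example, not from the original post. The company domain, brand name,
keyword list and both sample messages below are constructed assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

COMPANY_DOMAIN = "acme-example.com"   # assumed: the organization's real mail domain
COMPANY_NAME = "acme"                 # assumed: the brand a lookalike would imitate
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
CREDENTIAL_PHRASES = ("login", "password", "credentials",
                      "confirm your identity", "verify your identity")


def domain_of(address: str) -> str:
    """Return the lowercase domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def normalize(label: str) -> str:
    """Undo common homoglyph tricks so 'acrne-examp1e' compares as 'acmeexample'."""
    return (label.lower().replace("rn", "m").replace("0", "o")
            .replace("1", "l").replace("vv", "w").replace("-", "").replace(".", ""))


def is_lookalike(host: str, real_domain: str = COMPANY_DOMAIN) -> bool:
    """True if host is not the real domain (or a subdomain of it) but imitates
    it: homoglyph substitutions, extra words, or the real name reused inside
    a domain the company does not own."""
    host = host.lower()
    if host == real_domain or host.endswith("." + real_domain):
        return False
    real_name = normalize(real_domain.split(".")[0])
    return real_name in normalize(host)


def triage(raw_message: str) -> dict:
    """Parse one RFC 5322 message and return {'score': int, 'findings': [...]}.

    Each finding is a short tag; the score is simply the number of findings.
    An empty list means none of the patterns from the scam were observed."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Sender: external domain, lookalike domain, or a display name that
    #    borrows the company's or payroll's name while the address is foreign.
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    if from_domain != COMPANY_DOMAIN:
        findings.append("sender-domain-external")
        if is_lookalike(from_domain):
            findings.append("sender-domain-lookalike")
        if COMPANY_NAME in from_name.lower() or "payroll" in from_name.lower():
            findings.append("display-name-impersonation")

    # 2. Reply-To pointing somewhere other than the From domain: this is what
    #    lets the scammers answer the employee's "is this real?" reply.
    reply_to = msg.get("Reply-To")
    if reply_to:
        reply_domain = domain_of(parseaddr(reply_to)[1])
        if reply_domain and reply_domain != from_domain:
            findings.append("reply-to-mismatch")

    # 3. Body: links off the company domain (especially lookalikes) and
    #    wording that asks for credentials.
    if msg.is_multipart():
        body = "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host and host != COMPANY_DOMAIN and not host.endswith("." + COMPANY_DOMAIN):
            findings.append("link-external:" + host)
            if is_lookalike(host):
                findings.append("link-lookalike:" + host)
    lowered = body.lower()
    if any(phrase in lowered for phrase in CREDENTIAL_PHRASES):
        findings.append("requests-credentials")

    return {"score": len(findings), "findings": findings}


# Constructed sample messages (not real mail).
PHISHING_SAMPLE = """\
From: Acme Payroll <payroll@acrne-examp1e.com>
Reply-To: payroll-desk@mail-relay-example.net
To: jane.doe@acme-example.com
Subject: Action required: confirm your direct deposit details
Content-Type: text/plain

Jane,

Our payroll provider needs every employee to confirm their identity before
the next pay run. Please login at https://acme-example-payroll.com/verify
with your company credentials today.

Acme Payroll
"""

LEGITIMATE_SAMPLE = """\
From: Acme Payroll <payroll@acme-example.com>
To: jane.doe@acme-example.com
Subject: W-2 forms mailed this week
Content-Type: text/plain

Jane,

W-2 forms go out by mail this week. Questions? Call the payroll desk at the
number in the company directory. Nothing needs to be done on your side.

Acme Payroll
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        result = triage(sample)
        print(f"{label}: score={result['score']} findings={result['findings']}")
```

Run as-is, the phishing sample produces seven findings (external and lookalike sender, impersonating display name, Reply-To mismatch, an external lookalike link, and a credential request) while the legitimate reminder produces none. The normalization in `is_lookalike` is deliberately crude; a production mail gateway would add DMARC/SPF/DKIM results and a list of the organization's approved third-party payroll domains, which this example does not attempt to model.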

At a minimum, management should take the following immediate actions:

  • Alert employees. Make sure they know never to give their login credentials to anyone via email.
  • Enforce the use of strong passwords, and ensure no password is reused across applications.
  • Use two-factor authentication (2FA) wherever practicable.
  • Never verify a suspicious request by replying to the email, or by calling a number the requester supplies or transfers the employee to. Instead, the employee should directly dial the responsible manager or department using the official, published telephone number to confirm the instructions.
  • Report suspicious emails, phone calls, etc. to management immediately.

This is a very busy time for accounting and payroll departments. As we have often stated in previous posts, social engineers are very dangerous. They study human behavior and are trained to "push the right buttons at the right time" to get people to do things they would not normally do.

No matter how much money your company spends on IT security, the weakest link is and always will be—people. Employees need to be trained on how to safeguard information. Trained employees plus secure IT systems are the best defense against cyber-intrusion. Don’t forget that redundant backup systems are also needed for quick recovery in the event that systems become compromised.

XSolutions is an Elite Partner of Datto, the world leader in Hybrid-Cloud Business Continuity solutions whose systems protect 300+ Petabytes of data with over 800 employees and 9 offices around the globe. Call (845) 362-9675 and let us introduce you to the ultimate defense against data loss—whatever the cause.