FBI: Attackers are Intercepting Direct Deposits

My mother is now retired, but she worked in HR and payroll for decades, sometimes for banks. Based on her stories, I have an understanding of how handing out or snail-mailing physical checks can be inconvenient from both a payer’s and a payee’s perspective. Many workplaces even used to have to deploy someone to walk around the office or an industrial facility on payday to hand a check to each employee.

Mailing checks adds the potential of the post office making a mistake, and of having to use more secure envelopes that adequately conceal the content. Keeping everything within the digital banking system reduces paper waste and makes everything more efficient, and I really like how most employees get paid via direct deposit these days. I work for a handful of different companies which pay me by sending funds directly to my bank account.

But of course, when something is digitized there’s also the possibility of cyberattack. The FBI recently released a warning of one particular attack that they’ve observed which has intercepted some people’s direct deposits.

If you smell phishing, you’re right! From the FBI Internet Crime Complaint Center:

“Cybercriminals target employees through phishing emails designed to capture an employee’s login credentials. Once the cybercriminal has obtained an employee’s credentials, the credentials are used to access the employee’s payroll account in order to change their bank account information. Rules are added by the cybercriminal to the employee’s account preventing the employee from receiving alerts regarding direct deposit changes. Direct deposits are then changed and redirected to an account controlled by the cybercriminal, which is often a prepaid card.”

The FBI has seen a significant increase in payroll scams in recent years. They saw 17 different scams in the entirety of 2017, but a whopping 47 scams from the beginning of 2018 to July.

The FBI has shared some tips to help prevent this particular attack from happening to you. I’d like to expand on some of them.

Educate Your Employees

Worker education is the number one most effective thing workplaces can do to improve their cybersecurity. Such a large percentage of attacks involve social engineering at one point or another. It’s good to have all kinds of security measures and mechanisms in your office and in your datacenters, but employees must be reminded of how to use them properly.

But teaching employees and contractors about how to spot potential phishing or malware infections isn’t something that should just be done once. Educational sessions should be done at least a couple of times per year. It’s human nature to benefit from reminders.

For example:

“Instruct employees to hover their cursor over hyperlinks included in emails they receive to view the actual URL. Ensure the URL is actually related to or associated with the company it purports to be from.”

This will prevent a lot of visits to phishing websites. But a legitimate looking URL or email address in an email or anywhere else is no guarantee of authenticity. Punycode attacks and other forms of IDN homograph spoofing exploit alternative ways for computers to display similar-looking characters, meaning that a legitimate-looking URL could lead to a completely different domain.

So I could get an email from support@google.com, but it’s not coming from Google’s real domain name. It could come from a cyber attacker’s domain that exploits different ways to render characters. If people need to interact with a website to enter their credentials, I strongly recommend typing the domain name by hand directly in the web browser rather than clicking on an email link.

No copy and pasting either - that would defeat the purpose.

Why Security Basics Aren’t Always Obvious

“Instruct employees to refrain from supplying login credentials or personally identifying information in response to any email.”

To those of us who work in cybersecurity, this would seem obvious. But it’s not obvious to a lot of otherwise very intelligent people with different expertise. To a professional seamstress working in a Bridal parlor, for example, it would seem obvious to keep the seam stitching on the inside of a garment, but that might not occur to me as I take up a needle for the first time to fix a rip in my favorite jacket! That’s why no one ever asks me to hem their jeans. Likewise, an experienced plumber might not know to avoid emailing credentials such as passwords, at any time ever – not even to their trusted friends or family members.

“Direct employees to forward suspicious requests for personal information to the information technology or human resources department.”

Yes, and let’s hope that the company has good cybersecurity policies and incident response planning.

“Ensure that log-in credentials used for payroll purposes differ from those used for other purposes, such as employee surveys.”

That’s another good idea. In fact, all of us should use a different password for each of the dozens of online services that we use. That way, if one set of credentials is exposed in a data breach, attackers can’t use that password to attack the same user’s account for a different service.

This was a nightmare before password managers became widely available. Now that they’re common, please use a reputable password manager to generate complex passwords for all your different accounts.

“Monitor employee logins that occur outside normal business hours.”

Yes. There are a lot of SIEM correlation rules based on stuff like this. This sort of activity is usually anomalous, and the cyber attackers could be from anywhere in the world.  

Extra Sensitive Information Needs Extra Security

“Apply heightened scrutiny to bank information initiated by employees seeking to update or change direct deposit credentials.”

A lot of the time these requests are legitimate, but what the FBI has seen also indicates that this could be an indication of attack. Extra caution is absolutely necessary.

“Restrict access to the Internet on systems handling sensitive information or implement two-factor authentication for access to sensitive systems and information.”

And remember to implement the principle of least privilege. No user account should have more access than is necessary in order for them to do their jobs.

“Only allow required processes to run on systems handling sensitive information.”

And the same idea that applies to human beings also applies to software.

Phishing attacks like these have existed since the dawn of online banking, and I don’t think they’re going to get any less frequent. We just have to try our very best to stay at least one step ahead of the cyber attackers.