In late 2018, the FBI’s Internet Crime Complaint Center (IC3) issued a public service announcement (PSA) alerting the general public to its concerns about cybercriminals targeting online payroll accounts. It noted that the industries most affected include education, healthcare and commercial airway transportation. IC3 explained that cybercriminals target employees through phishing emails designed to capture an employee’s login credentials. After a cybercriminal has obtained the credentials, those credentials are then used to access the employee’s payroll account in order to change their bank account information. It was noted that “rules” are added by the cybercriminal to the employee’s account preventing the employee from receiving alerts regarding direct deposit changes. Those direct deposits are then altered and redirected to an account controlled by the cybercriminal.
IC3 issued a number of recommendations in the public service alert to mitigate the threat of payroll diversion. Those include the following:
- Alert and educate the workforce about this scheme, including preventive strategies and measures to be taken in the event of a breach.
- Instruct employees to hover their cursor over hyperlinks included in the emails they receive to view the actual URL to ensure that the URL is actually related to or associated with the proper company.
- Instruct employees to avoid supplying login credentials or personally identifying information in response to emails.
- Direct employees to forward suspicious requests for personal information to the employer’s information technology or human resources department.
- Ensure that login credentials used for payroll purposes differ from those used for other purposes.
- Apply heightened scrutiny to bank information initiated by employees seeking to update or change credentials for direct deposits.
- Monitor employee logins that do not occur during normal business hours.
- Restrict access to the Internet on systems handling sensitive information or implement two-factor authentication for access to such sensitive systems and information.
- Only permit required processes to run on systems which handle sensitive information.
In the event suspicious or criminal activity is detected, employees/employers should contact the local FBI field office or file a complaint with IC3 at www.ic3.gov. The IC3 complaint center will provide a list of information needed for the purposes of filing a complaint.