Some of the most popular business email compromise (BEC) scams target accounting and finance or human resources.
The scam usually works something like this. Someone in the target department – often not too high up in the food chain – gets an email pretending to be from an executive such as the CEO or CFO.
The email urgently requests something like all of the W2s from last year or a wire transfer for a secret project.
The mid-level person, wanting to please the executive and having been told that the request is urgent, quickly processes it without the normal checks.
Over the past couple of years, this has led to billions of dollars of losses, but companies have been doing extensive employee training, so this attack is not working as well as it used to.
So now a new attack method has been added to the mix.
Steal the credentials of employees, log on to the HR platform and change the direct deposit information. The employee is completely unaware of this until they don’t get paid. The attacker has already emptied the account by the time that the employee talks to HR.
Now the company has a problem:
- Do they believe the employee who says he or she didn’t change the direct deposit instructions?
- The employer did nothing wrong, so do they just eat the loss and pay the employee twice?
I suspect that most employers will make the employee whole and the law could be on the employee’s side, depending on the state.
If that vector doesn’t work, the attacker targets an HR employee instead. With that account the attacker can change several employees’ direct deposit details at once and get a bigger payday.
There are a number of things that an employer can do to protect themselves and their employees.
First of all, if you do not have two factor authentication in place, do that now. If you are using an outsourced Payroll/HR system and that vendor doesn’t support two factor authentication, “encourage” them to do that by including a contract clause that makes them financially liable for any losses caused by their lack of two factor authentication.
Geofencing is the technology that restricts access to your HR system to a limited geographic area. For example, if your company only operates in the continental U.S., block access from any IP address outside the U.S. While this is not perfect, it does make it harder for the hackers.
Finally, just before the payroll run, generate a report of all direct deposit changes made during that pay period (assuming the hackers will try to make changes at the last minute so that they can’t be undone in time). If the number of changes, the location they were made from, or anything else seems out of whack, sound the hacker alarm.
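As an added example (not from the original post or from any particular HR vendor), here is what the geofence check and the pre-payroll report can look like in code. It assumes the HR platform can export an audit log of direct-deposit changes with the employee id, the time of the change, the source IP address, the new bank account and the account that made the change; the audit records, the company IP ranges, the payroll cutoff and the thresholds below are all constructed for the example. Beyond the volume and location checks the post describes, it also flags several employees whose pay was just pointed at the same bank account, and one login that changed several employees at once (the HR-account scenario above).

```python
"""Pre-payroll review of direct-deposit changes (added example, not vendor code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass
class DepositChange:
    employee_id: str      # employee whose direct deposit was changed
    changed_at: datetime  # when the change was saved
    source_ip: str        # IP address the change came from
    new_account: str      # identifier for the new bank account (masked/hashed in practice)
    changed_by: str       # login that made the change: the employee or an HR admin


# Constructed sample audit log for one pay period (not real data).
SAMPLE_CHANGES = [
    DepositChange("E1001", datetime(2024, 3, 4, 10, 15), "203.0.113.17", "acct-A", "E1001"),
    DepositChange("E1002", datetime(2024, 3, 14, 22, 40), "192.0.2.55", "acct-X", "E1002"),
    DepositChange("E1003", datetime(2024, 3, 14, 23, 5), "192.0.2.55", "acct-X", "HR-ADMIN"),
    DepositChange("E1004", datetime(2024, 3, 14, 23, 7), "192.0.2.55", "acct-X", "HR-ADMIN"),
]

# Constructed company ranges standing in for the geofence. A real geofence would
# resolve the country of each source IP with a GeoIP lookup instead of a CIDR list.
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Constructed payroll cutoff for the period being reviewed.
PAYROLL_CUTOFF = datetime(2024, 3, 15, 17, 0)


def outside_geofence(ip, allowed_networks):
    """True when the address is not inside any allowed network."""
    addr = ip_address(ip)
    return not any(addr in net for net in allowed_networks)


def review_changes(changes, payroll_cutoff, allowed_networks,
                   expected_max=2, last_minute=timedelta(hours=24)):
    """Return a dict of rule name -> sorted employee ids that tripped the rule.

    expected_max: how many changes a period normally sees (assumed baseline).
    last_minute:  window before the cutoff that counts as "last minute".
    """
    findings = {}

    # 1. Volume: more changes than the period normally sees.
    if len(changes) > expected_max:
        findings["volume"] = sorted(c.employee_id for c in changes)

    # 2. Location: change came from outside the geofence.
    geo = [c.employee_id for c in changes if outside_geofence(c.source_ip, allowed_networks)]
    if geo:
        findings["outside_geofence"] = sorted(geo)

    # 3. Timing: change landed just before the cutoff.
    late = [c.employee_id for c in changes
            if timedelta(0) <= payroll_cutoff - c.changed_at <= last_minute]
    if late:
        findings["last_minute"] = sorted(late)

    # 4. Shared destination: several employees now paid into the same account.
    by_account = defaultdict(list)
    for c in changes:
        by_account[c.new_account].append(c.employee_id)
    shared = [e for emps in by_account.values() if len(emps) > 1 for e in emps]
    if shared:
        findings["shared_account"] = sorted(shared)

    # 5. Bulk actor: one login changed more than one employee (compromised HR account).
    by_actor = defaultdict(set)
    for c in changes:
        by_actor[c.changed_by].add(c.employee_id)
    bulk = [e for emps in by_actor.values() if len(emps) > 1 for e in emps]
    if bulk:
        findings["bulk_actor"] = sorted(bulk)

    return findings


if __name__ == "__main__":
    report = review_changes(SAMPLE_CHANGES, PAYROLL_CUTOFF, ALLOWED_NETWORKS)
    for rule, employees in report.items():
        print(f"{rule:18s} {', '.join(employees)}")
    if report:
        print("Hold payroll for the flagged employees and confirm each change out of band.")
```

Run against the sample log, every rule fires for the three last-minute changes and none for the earlier one, which is the shape of report a payroll clerk can act on before the run: hold the flagged employees and confirm each change with the person by a channel other than the one that requested it.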
And of course, educate people.
None of these changes should be particularly expensive or hard to do and could save you significant pain.
Source: Helpnet Security