CyberheistNews Vol 8 #5 Scam of the Week: Wave of Payroll Direct Deposit Phishing Attacks

CyberheistNews Vol 8 #06
Scam of the Week: Wave of Payroll Direct Deposit Phishing Attacks

Lexology had an excellent post from Ogletree Deakins, by Rebecca J. Bennett and Danielle Vanderzanden, warning about a crafty new phishing scam that you should be aware of: it has bad guys behind it in real time, reinforcing the scam with quick answers via email.

These scams are affecting employers nationwide without regard to their payroll portals or payroll service providers:

"Employers beware: Companies are experiencing a wave of phishing scams that target employee paychecks. Here is the scenario:
  • An employee receives from a company email account an e-mail that mimics a familiar and trusted company service or resource, such as an e-signature request or a request to complete a survey.
  • The e-mail asks the employee to click a link, access a website, or answer a few questions.
  • Then it directs the employee to “confirm” his or her identity by providing his or her complete log-in credentials. Skeptical employees who question the request via reply e-mail receive a prompt response purporting to verify that the employee should complete the steps contained in the link.
  • The threat actors then use the employee’s log-in credentials to access payroll portals, reroute direct deposits to other accounts, and wreak other havoc upon the employer’s network.
In some versions of the scam, hackers access employee e-mails to request a password change from the employer’s payroll service and then use the new log-in credentials to change direct deposit instructions."

Bennett and Vanderzanden have the following recommendations:

"The threat actors are doing substantial due diligence on the social engineering side of things, and these e-mails look real. In many circumstances, they are effectively spoofing the sender’s account, and employers are learning of the scam when employees begin reporting that they did not receive their direct deposits. By then, the damage has been done.

In addition to diverting funds, the scam creates a data breach for the employer and triggers notification obligations. Failure to take prompt action may result in penalties and liability to unsuspecting employers.

Employers may want to immediately take the following precautions to avoid security breaches as a result of these phishing scams:
  • Alert your workforce to this scam.
  • Direct employees to forward any suspicious requests to the information technology or human resources departments, rather than replying to the e-mail.
  • Instruct employees to refrain from supplying log-in credentials or personally identifying information in response to any e-mail.
  • Ensure that log-in credentials used for payroll purposes differ from those used for other purposes, such as employee surveys.
  • Enforce (or, where necessary, establish) multifactor authentication requirements.
  • Review and update the physical, technical and personnel-related measures taken to protect your sensitive information and data."
This is a link to the original article:

I suggest you send the following to your employees, friends, and family. You're welcome to copy, paste, and/or edit:

There is a new Direct Deposit phishing attack you need to watch out for. It's a sophisticated scam that starts with an official-looking email that asks you to click a link and access a website. Next, they ask you to confirm the data with your real username and password. Last, they use your info to access payroll portals, and reroute your direct deposit amounts to bank accounts owned by the bad guys. The lesson here is to never give anyone your credentials in response to an email... Think Before You Click!
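
One way to catch the two account-takeover variants described above on the payroll side, as an added example that is not part of the original newsletter or the Ogletree Deakins article: flag any direct deposit change that follows a recent password reset or comes from a source IP first seen for that user within the look-back window. The log format, action names, user names and the 24-hour window are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical audit-log format
# (timestamp, user, action, source IP); not from any real payroll product.
SAMPLE_LOG = """\
2018-01-29T09:02:11 alice login 10.1.4.20
2018-01-29T11:30:00 carol login 10.1.9.12
2018-01-30T08:55:03 bob login 10.1.7.31
2018-01-30T22:14:09 bob login 203.0.113.77
2018-01-30T22:16:45 bob direct_deposit_change 203.0.113.77
2018-01-31T03:40:12 carol password_reset 198.51.100.9
2018-01-31T03:44:51 carol login 198.51.100.9
2018-01-31T03:47:30 carol direct_deposit_change 198.51.100.9
2018-02-01T10:12:00 alice direct_deposit_change 10.1.4.20
"""

WINDOW = timedelta(hours=24)  # assumed look-back; tune to your environment


def parse_events(log):
    """Yield (timestamp, user, action, ip) tuples from the sample format."""
    for line in log.splitlines():
        if line.strip():
            ts, user, action, ip = line.split()
            yield datetime.fromisoformat(ts), user, action, ip


def find_suspicious_changes(log, window=WINDOW):
    """Return (user, time, reasons) for risky direct deposit changes."""
    first_seen = defaultdict(dict)  # user -> {ip: first time it was seen}
    last_reset = {}                 # user -> time of most recent password reset
    alerts = []
    for ts, user, action, ip in sorted(parse_events(log)):
        first_seen[user].setdefault(ip, ts)
        if action == "password_reset":
            last_reset[user] = ts
        elif action == "direct_deposit_change":
            reasons = []
            # Variant 2 in the article: reset via a hijacked mailbox, then change.
            if user in last_reset and ts - last_reset[user] <= window:
                reasons.append("recent_password_reset")
            # Variant 1: phished credentials used from an address the user has
            # only just started appearing from (also fires for brand-new users).
            if ts - first_seen[user][ip] <= window:
                reasons.append("new_source_ip")
            if reasons:
                alerts.append((user, ts.isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for user, when, reasons in find_suspicious_changes(SAMPLE_LOG):
        print(f"{when} {user}: hold change, verify out of band ({', '.join(reasons)})")
```

Alice's change from her usual address passes; the changes for bob and carol are flagged so they can be held until the employee confirms them through a channel other than email.
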
Microsoft Confirms: Sending Simulated Phishing Attacks to Your Employees Is a Must

Well, Microsoft just legitimized the whole new-school security awareness training market!

I'm pleased to note that Microsoft has finally acknowledged that organizations need to send simulated phishing attacks to their employees with the announcement of a new feature called Attack Simulator. Part of its online Office 365 offering, Attack Simulator allows an email admin to send phishing attacks to determine how employees respond.

We consider the addition of Attack Simulator to Microsoft’s online Office 365 offering a win for our industry. In adding this feature, Microsoft has done what it always does: observe the market for innovative companies that create new markets, and then include a ‘checkbox’ feature with limited functionality so that their marketing can say: ‘Yes, we do that’.

As a leader in Gartner’s Magic Quadrant for Security Awareness Computer-based Training, our mission to enable customers’ employees to make smarter security decisions has now been confirmed as a ‘must’.

KnowBe4 has provided a free Phishing Security Test (PST) for 6 years now, which does a very similar thing to the new Microsoft offering. Attack Simulator shows the phish-prone percentage of an organization’s employees, so that a real program can be put in place to manage the ongoing urgent problem of social engineering attacks.

Sending users an occasional phishing test provides just a baseline understanding and is only the start of a functional security awareness training program. More:
Don’t Miss the February Live Demo: Simulated Phishing and Awareness Training

Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, February 7, 2018, at 2:00 PM (EST) for a 30-minute live product demonstration of KnowBe4’s Security Awareness Training and Simulated Phishing Platform to see the latest features and how easy it is to train and phish your users:
  • NEW Smart Groups put your phishing, training and reporting on autopilot. Best of all, it’s a powerful ad-hoc, real-time query tool to get detailed reporting.
  • NEW see our latest feature: Security Roles with granular permissions
  • Customized Automated Security Awareness Program creates a fully mature training program in just a few minutes!
  • Access to the world's largest library of awareness training content through our innovative Module Store.
  • Send Simulated Phishing tests to your users during specified business hours with "Reply-to Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
  • Reporting to watch your Phish-prone percentage drop, with great ROI.
Find out how 15,000+ organizations have mobilized their end-users as their last line of defense. Register Now:
Krebs on Security: "File Your Taxes Before Scammers Do It for You"

The sooner you file your taxes, the better for you. In particular, once you've filed, it's too late for crooks to submit a fraudulent return in your name. So it's best not to delay.

One of the things that can hold up your filing is not having all your tax documents. In your haste to file early, however, don't let yourself become so rushed that you share personally identifiable information with organizations that may or may not have sound data security measures in place, or worse yet, share your information with outright fraudsters who might pose as a legitimate source of, say, IRS Forms 1099.

This is also a particularly good time to reach out to whoever in your organization handles employee communications and tax documents. Help them become aware of the risks of social engineering for tax fraud, and let them help keep your employees safe. Security blogger Brian Krebs has a good account of some of the security pitfalls of tax season:
More Tax Season Advice: Watch for Bogus Google Docs

This is also a time of year when people share documents online that they use in tax preparation. Naturally criminals are aware of this and ready to take full advantage of the unwary through social engineering. One scam that's up and running involves an email inviting the victims to go to Google Docs and download a document that will give them "Federal Tax Refund Information."

The email isn't particularly plausible, on the face of it, and employees alert to the hazards of email should see this as trouble from a mile away. Here's some of the text that's being observed in the wild: "Good afternoon, I have a very important information for you concerning the Federal Tax Refund which I know that it will help you. Kindly check the attached file to view the details."

If you're not put off by the weird diction, and check that attached file, you'll find that it's a PDF representing itself as a notice from Google Drive. It tells you a document is waiting for you, and that you should "Click here to view the shared document."

A link in the file directs you to a website that impersonates Google Docs and that asks you to select your email provider, and then provide your email address and password. What follows from this credential harvest you can easily imagine.

More importantly, this is a heads-up of things to come. Not all the scams will be this crude. Now is the time to talk with high-risk employees like HR and Finance. Help them avoid the bad guys' social engineering tricks in the rush to get important documents and information out to your employees.

The SANS Institute's Internet Storm Center has a quick write-up of this scam:
Live Webinar - Strains of CEO Fraud: Urgent Request for W-2s

Soon the news will be packed with W-2 phishing and CEO fraud, also known as "Business Email Compromise" attacks. The cost of these attacks against organizations totaled over 5.3 billion dollars.

Each year the U.S. Internal Revenue Service warns about these scams where internet criminals successfully combine W-2 and CEO fraud schemes, targeting a much wider range of organizations than ever before.

What's next and how can you protect your organization?

Join Erich Kron CISSP, Security Awareness Advocate at KnowBe4, for our webinar “Strains Of CEO Fraud: Urgent Request for W-2s”. We will look at scary features of the new blended and current threats of W-2 phishing and CEO fraud, give actionable info that you need to prevent infections, and what to do when you are hit.

Key topics covered in this webinar:
  • Real world examples of W-2 and CEO fraud attacks
  • Latest attack vectors...and who's at risk
  • Proven methods to protect your organization with a “human firewall”
Date / Time: Wednesday, February 14, 2018, at 2:00 PM EST Register Now:

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"Blind belief in authority is the greatest enemy of truth." - Albert Einstein

"The most courageous act is still to think for yourself." - Coco Chanel

Thanks for reading CyberheistNews
Security News
How to Prepare for the Future of Digital Extortion

Digital extortion has evolved into the most successful criminal business model in the current threat landscape, and Trend Micro researchers predict that it will continue to grow rampant because it’s cheap, easy to commit, and many times the victims pay.

Attackers can go after a wide variety of targets

The line between blackmail and extortion is blurred in the digital realm. “Many digital crimes we normally think of as blackmail are, in fact, extortion — like ransomware,” the researchers pointed out.

“Likewise, some crimes categorized as extortion are actually not. Sextortion comes to mind, wherein an individual is forced to perform acts of a sexual nature under the threat of having compromising material regarding them exposed online.”

In short, any attempt by a criminal to coerce a victim into doing something – paying money or performing a favor — falls within the realm of digital extortion. But the big difference between offline and online extortion is the wide variety of assets that can be targeted in the digital domain.

Attackers can:
  • Encrypt company secrets
  • Steal and threaten to divulge customer or other compromised data
  • Lock devices and ask for ransom in exchange for giving back access to device
  • Ask for money in exchange for stopping attacking sites
  • Ask for money in exchange for fixing a hacked process or to not disrupt processes or sabotage production, and so on.
End users, on the other hand, are usually targeted with ransomware or become victims of sextortion.
Continued at:
Unhappy Returns: Malicious E-Greeting Cards

Phishing follows the calendar. Here's a good example: malicious e-greeting cards that arrive with a malware payload alongside their good wishes. This happened more often than one would like during the Christmas season. Now is a good time to remind people to be cautious with electronic greetings they may receive. With Christmas and New Year's Day in the rearview mirror, the next big wave of greetings will be upon us in less than two weeks.

Valentine's Day is just around the corner. Consider sending physical flowers instead of emailing an e-greeting. Don't expose actual or prospective sweethearts and significant others to risk of malware masquerading as digital hearts and cupids. See Security Boulevard for an account of what happened over the winter holidays, and draw the lesson:
SANS Warns of New Adaptive Phishing Kits

Phishing kits have circulated in the criminal underground for several years. As cybercrime becomes increasingly commoditized, these kits see more use, and their purveyors also work to improve their plausibility. Here's one example of a phishing kit in use. It begins with an email that says, "Your email has used up the storage limit of 99.9 gigabytes as defined by your Administrator. You will be blocked from sending and receiving messages if not re-validated within 48hrs. Kindly click on your email below for quick re-validation and additional storage will be updated automatically."

SANS said: "If your server is compromised today, there are chances that it will be used to mine cryptocurrency, to deliver malware payloads or to host a phishing kit. Phishing remains a common attack scenario to collect valid credentials and impersonate the user account or, in larger attacks, it is one of the first steps to compromise the final target.

Phishing kits are usually mimicking well-known big Internet players (eBay, Paypal, Amazon, Google, Apple, Microsoft…[add your preferred one here]). I found an interesting phishing kit which adapts itself to the victim. Well, more precisely, it adapts to the victim email address."

Realistic training can help. See the SANS Institute's Internet Storm Center for an account of how this adaptive phishing kit is working in the wild:
OCR: Take Action to Avoid Becoming a Cyber Extortion Victim

Federal regulators are warning healthcare entities and business associates to take action to prevent becoming the next victim of cyber extortion, such as a ransomware attack.

"Incidents of cyber extortion have risen steadily over the past couple of years and, by many estimates, will continue to be a major source of disruption for many organizations," says the Department of Health and Human Services' Office for Civil Rights in a Tuesday cyber alert to HIPAA covered entities and business associates.

Among the steps that OCR says organizations should consider taking to reduce the chances of being a victim of cyber extortion are:
  • Implementing a robust risk analysis and risk management program;
  • Implementing inventory and vulnerability identification processes to ensure accuracy and thoroughness of the risk analysis;
  • Training employees to better identify suspicious emails and other messaging technologies that could introduce malicious software into the organization;
  • Deploying proactive anti-malware solutions to identify and prevent malicious software intrusions;
  • Patching systems to fix known vulnerabilities that could be exploited by attackers or malicious software;
  • Hardening internal network defenses and limiting internal network access to deny or slow the lateral movement of an attacker and/or propagation of malware;
  • Implementing and testing robust contingency and disaster recovery plans to ensure the organization is capable and ready to recover from a cyber-attack;
  • Encrypting and backing up sensitive data;
  • Implementing robust audit logs and reviewing such logs regularly for suspicious activity;
  • Remaining vigilant for new and emerging cyber threats and vulnerabilities by participating in cyber information sharing organizations and receiving alerts from organizations such as the Department of Homeland Security's U.S. Computer Emergency and Readiness Team.
OCR notes that because cyberattackers are creating new versions of malicious software and searching for new vulnerabilities to exploit, organizations must continue to be vigilant in their efforts to combat cyber extortion. Full article at
BEC Scams Surge, Cybercriminals Target Nearly All Organizations

“Business Email Compromise (BEC), also known as CEO fraud, is a particularly effective attack vector because its lack of payload makes it nearly impossible for conventional email security solutions to detect and prevent,” said Markus Jakobsson, chief scientist, Agari. “At its core, business email compromise is a social engineering attack that leverages familiarity, authority and trust, which can result in billions of dollars of losses to businesses.”
UK Drivers Are Being Warned Not to Click the Link on a Fake DVLA Text Message.

The car tax scam was reported on Twitter with several users posting images of the dodgy text. The threatening message reads: "FINAL REQUEST: DVLA Swansea have been trying to contact you, Click below for more information."

The link then uses the "" domain in the web address - but eagle-eyed drivers will also notice the ".pw" extension. This is the country code for Palau which gives away the fact the text is a "phishing" scam - and not from the DVLA's Swansea HQ.

Phishing scams use mock official-looking websites that ask you to enter data like bank details and addresses before stealing it. We will shortly have a template for our customers in the UK, to inoculate their users against this scam. More:
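
The domain check described above, generalized slightly to cover related lookalike hostnames, as an added example that is not part of the original newsletter. It assumes genuine links all sit under gov.uk; the `.pw` hostnames are constructed placeholders appended to the text message quoted above.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: every genuine link lives under gov.uk.
OFFICIAL_SUFFIXES = ("gov.uk",)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Message text from the newsletter with a constructed placeholder link added.
SAMPLE_SMS = (
    "FINAL REQUEST: DVLA Swansea have been trying to contact you, "
    "Click below for more information. http://dvla.placeholder-domain.pw/info"
)


def is_official(url, suffixes=OFFICIAL_SUFFIXES):
    """True only if the URL's real hostname is an official domain or under one."""
    # .hostname drops any "user@" prefix and port, and lower-cases the host,
    # so "https://www.gov.uk@placeholder-domain.pw/" resolves to the .pw host.
    host = urlsplit(url).hostname
    if not host:
        return False
    host = host.rstrip(".")  # tolerate a fully qualified trailing dot
    # Match on a label boundary: "notgov.uk" and "gov.uk.something.pw" fail.
    return any(host == s or host.endswith("." + s) for s in suffixes)


def suspicious_links(message):
    """Return every link in the message that is not on an official domain."""
    return [url for url in URL_RE.findall(message) if not is_official(url)]


if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_SMS):
        print("not an official domain:", link)
```

The brand name appearing somewhere in the link proves nothing; only the end of the hostname decides where the link actually goes.
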
What Our Customers Say About Us

We send an email 30 days after roll-out and ask them if they are happy campers. Here is one answer: "Yes – very happy! The KnowBe4 platform has been a godsend and really helped us overcome a regulatory issue with security awareness training that came up in the last 2 months. I am getting compliments from the board of directors and our general counsel on the training content and the reporting platform. Thank you for your support and keep up the great work on your system!" - Best, Rick
Utilities Ill-Equipped to Face Increasingly Disparate Cybersecurity Threat

This is a sobering article. Scary stuff. Most of the Millennials were too young to recall the Northeast blackout and may not be able to relate. See:

The article calls out the necessity of a multi-tiered security approach. The majority (85%) of power and utilities respondents consider careless members of staff as the most likely point of weakness to attack.
  • 100% of survey respondents say their cybersecurity function is not fit for purpose
  • Utilities struggle to monitor their digital ecosystem more than all other sectors
  • 85% of respondents say they don’t have a robust incident response program
All utilities organizations surveyed in the latest EY Power and Utilities Global Information Security Survey 2017-18 (GISS): Why wait for a cyber catastrophe to prepare for a cyber attack?, say that their cybersecurity function does not meet their needs. The survey also finds that 58% of sector respondents anticipate difficulties in monitoring the perimeter of their digital ecosystem, compared with 36% across all sectors.

With the sector moving through radical transformation, it is becoming more challenging for utilities to map the digital environment in which they operate. Full article:
How to Make Email Security Central to Your Cybersecurity Strategy in 2018

2017 was another watershed year for cybersecurity. The breaches at Equifax and Yahoo! stand out for their size, but the more troubling development is how much more targeted attacks have become.

The HBO attack showed us that hackers are willing to focus on valuable intellectual property or private conversations and hold them hostage for a hefty ransom. The continued attention on the Democratic National Committee hack also revealed that hackers have political agendas that can transcend financial motives.

Perhaps one of the most pernicious attacks of 2017 fell off the radar, though. Hackers targeted offshore law firms and stole information about potentially shady financial practices of the super-rich. When a target of that size and consequence falls prey to hackers, and all under the guise of “doing social good,” it’s clear just how expansive cyberthreats and the motives behind them have become.

The Most Important Lesson of 2017

The frequency of attacks is on the rise, as are attacks’ impacts. The average data breach now costs companies more than $3.6 million, which doesn’t account for bolstering security protocols or managing reputation fallout. The larger and more long-term cost that’s measured in consumer confidence is perhaps most damaging — one that can lead to millions in lost revenue. Yahoo! is a great example of that.

With these staggering statistics, cybersecurity is likely on the mind of most enterprises, and the email inbox should draw important attention as the most vulnerable point of attack.

Hackers regularly target inboxes because they’re an easy point of access and offer a treasure trove of valuable information. While users tend to view their inboxes as secure, up to 65 percent of all received emails are spam. Some of these potentially malicious emails are easy for users to spot, but many others such as business email compromise scams perfectly mimic messages a user might get from his bank or boss, making them prime entry points for lucrative and dangerous cyberattacks.

Components of an Email Security Strategy

Companies ready to get serious about cybersecurity and turn their focus to securing the inbox need to consider these tools and best practices for a comprehensive and easy-to-use email security strategy.

Filtering Aided by Machine Learning: Comparing incoming emails against a database of known threats and analyzing the content for malicious phrases and patterns helps to filter out bad traffic. With the aid of machine learning and live threat analysts, these filters can better detect and deflect newer and more advanced threats.

Email Encryption: The ubiquity of email serves as a benefit to businesses and hackers alike. With easy communication, sensitive data and seemingly innocuous messages are easily transmitted for everyday business operations. Without email encryption, sensitive data from protected health information to financial details to intellectual property can be intercepted and sold or ransomed. Messages without sensitive data still hold value, as hackers learn details that could be used for social engineering and scams such as business email compromise. By implementing an easy-to-use email encryption solution, you add a critical layer of protection in your security strategy.

User Education and Best Practices: These technical tools are invaluable, but implementing these tools without making any changes on the ground floor ignores an organization’s employees. Train users how to identify suspicious emails and, equally important, encourage them to report any suspicious messages to your IT teams.

While often associated as one of your weakest links, employees can become one of the most effective lines of defense to combat cyberthreats with consistent training and reinforcement.

No one can predict what the cyber landscape of 2018 holds. But by incorporating security tools and educating users, companies can ensure that their sensitive information — from intellectual property to login credentials to private conversations — is secure. In this way, they protect both their finances and reputation and avoid making themselves even more vulnerable in the New Year. Source:
Free eBook Cyberheist: The BIGGEST Financial Threat Facing American Businesses

Cybercrime has gone pro over the last 5 years. Attacks have become much more sophisticated and intense. The bad guys are now going after your employees. They bypass your firewall/antivirus security software and social engineer your employees to click on a malicious link or open an infected attachment.

From that point forward they hack into your network and put keyloggers on accounting systems. You can guess the rest. A few days later the organization’s bank accounts are empty, or valuable corporate intellectual property is stolen. Another cyberheist victim. It’s happening right now, as you read this.

Cyberheist was fully updated and written for the IT team and owners / management of Small and Medium Enterprise. Want to read this bestseller? As a newsletter subscriber you can get this as a complimentary eBook!
Interesting News Items This Week

Watch out, cyber criminals are using fake FBI emails to infect your computer:

Meltdown-Spectre: Malware is already being tested by attackers:

Training, Awareness Aids Enterprises in Fight Against Phishing:

Eight ways you can prevent Phishing and Identity Theft by cyber criminals:

Most ecommerce sites fail to protect consumers from phishing attacks:

Millions of Fortune 500 email credentials found on the dark web:

1 in 10 Phishing E-mails Fool Users in Education:

Mind-Blowing Cost of Global Cybercrime Every 60 Minutes:

Spear Phishing Dips -- That's The Good News:

Australia will start to enforce its version of GDPR:

Half of Orgs Hit with Ransomware in 2017:

IOTA Cryptocurrency Users Lose $4 Million in Clever Phishing Attack:

Why Your Employees’ Compromised Credentials Endanger Your Organization:

Cryptomining – is it the new ransomware? [REPORT]:

Don’t Forget Cybersecurity in Your M&A Due Diligence:

Iran hackers reportedly tried to phish Israeli nuclear scientists:

10 Cybersecurity Threats Facing the Oil and Gas Industry:

Survey: Few Americans Are Taking Proper Password Security Precautions:

Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
    • Presented at the Singularity University's Innovation Partnership Program (IPP), this is a 37-minute entry level talk about bitcoin by Andreas Antonopoulos. Great for a Lunch & Learn!

Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.
