Security analyst issues payroll fraud warning
Hijacked employee email accounts can be used by criminals to impersonate workers and trick companies into paying them those workers' salaries, a security analyst warns.
Avanan flagged the growing practice among digital crooks in its latest blog, in which it described how fraudsters use compromised email accounts to contact payroll departments and ask for salary payments to be rerouted to different bank accounts.
“It’s not crazy for someone to email HR or finance and ask for their paychecks to be deposited somewhere else,” said Avanan spokesperson Jeremy Fuchs. “People change banks all the time, sometimes people want the money split into multiple accounts. Whatever it is, it’s not unusual to receive this sort of request.”
That's why firms need to be more wary than ever: if a cybercriminal has taken control of a legitimate email account through an earlier phishing attack, a request sent from that account could easily slip through the net and end up costing the company a fair chunk of money.
Phishing, a form of confidence trick that usually takes place via email and dupes the victim into giving up something of value to an online fraudster, is not the only way to take over a company email account, either.
“Although phishing messages are the most common way for hackers to gain access to an account, they are far from the only method,” said Fuchs. “Large, third-party data leaks like Yahoo and LinkedIn have created a market for hackers to exchange stolen passwords. A breach might include passwords for one service that employees have re-used on corporate accounts.”
Not only that, he added: even breaches that expose no raw credentials can leak other personally identifying data, such as a name or physical address, which can then be used to hijack an email account by requesting a password reset.
“Once the hacker has access to someone’s email, then they can start sending out attacks,” said Fuchs. “With this account already compromised, the attacker goes to work. In this particular case, the hacker disguises as an employee to send an email to HR, asking for the direct deposit of their paycheck to be sent to a different bank account.”
To mitigate such attacks, Fuchs recommends that companies monitor user behaviour analytics and failed login attempts, as these are usually telltale signs that someone is up to no good.
“Users typically have certain patterns of behavior, logging in at certain times from specific places,” he said. “Access attempts that break these patterns of behavior can be warning signs of a compromised account.”
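The two signals Fuchs describes, a sign-in that breaks a user's usual hours and locations, and a burst of failed logins followed by a success from the same source, are straightforward to check in code. The following is an added example written for this article, not code from Avanan or from the blog it cites: it runs a minimal online detector over a constructed sign-in log. The log format, field names and thresholds (a 10-minute failure window, five failures, three successes before a baseline is trusted) are assumptions for illustration.

```python
"""
Added example (not from Avanan or the article): a minimal
account-compromise detector over constructed sign-in log lines.

Signal 1: per-user behavioural baseline (usual login hours and
          countries); a success outside it is flagged.
Signal 2: a burst of failed logins followed by a success from the
          same user and IP, the footprint of a stuffed or sprayed
          password that finally worked.
Log format and thresholds are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_WINDOW = timedelta(minutes=10)  # assumed: failures older than this are forgotten
FAIL_THRESHOLD = 5                   # assumed: failures needed to call it a burst
MIN_BASELINE = 3                     # assumed: successes needed before judging a user

# Constructed sample log: "<ISO timestamp> <user> <result> <country> <ip>"
SAMPLE_LOG = """\
2024-03-04T08:55:12 alice success GB 203.0.113.10
2024-03-05T09:02:44 alice success GB 203.0.113.10
2024-03-06T08:48:03 alice success GB 203.0.113.10
2024-03-07T09:10:31 alice success GB 203.0.113.10
2024-03-08T08:59:57 alice success GB 203.0.113.10
2024-03-09T02:13:08 alice failure NG 198.51.100.7
2024-03-09T02:13:21 alice failure NG 198.51.100.7
2024-03-09T02:13:35 alice failure NG 198.51.100.7
2024-03-09T02:13:49 alice failure NG 198.51.100.7
2024-03-09T02:14:02 alice failure NG 198.51.100.7
2024-03-09T02:14:15 alice success NG 198.51.100.7
2024-03-09T08:51:20 bob success GB 203.0.113.22
2024-03-09T17:45:00 bob success GB 203.0.113.22
"""


def parse_log(text):
    """Parse the constructed log format into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, country, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "result": result, "country": country, "ip": ip})
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Walk events in time order and return a list of alert dicts."""
    alerts = []
    hours = defaultdict(set)       # user -> hours of trusted past successes
    countries = defaultdict(set)   # user -> countries of trusted past successes
    successes = defaultdict(int)   # user -> count of trusted past successes
    failures = defaultdict(deque)  # (user, ip) -> timestamps of recent failures

    for e in events:
        u, key = e["user"], (e["user"], e["ip"])
        q = failures[key]
        while q and e["ts"] - q[0] > FAIL_WINDOW:   # age out old failures
            q.popleft()

        if e["result"] == "failure":
            q.append(e["ts"])
            continue

        flagged = False
        # Signal 2: success right after a burst of failures from the same source.
        if len(q) >= FAIL_THRESHOLD:
            alerts.append({"type": "failures_then_success", "user": u, "ts": e["ts"],
                           "detail": f"{len(q)} failures from {e['ip']} within {FAIL_WINDOW}"})
            flagged = True
        q.clear()

        # Signal 1: compare against the baseline once it has enough history.
        if successes[u] >= MIN_BASELINE:
            usual_hours = {(h + d) % 24 for h in hours[u] for d in (-1, 0, 1)}
            if e["ts"].hour not in usual_hours:
                alerts.append({"type": "off_hours", "user": u, "ts": e["ts"],
                               "detail": f"login at {e['ts'].hour:02d}h, usual {sorted(hours[u])}"})
                flagged = True
            if e["country"] not in countries[u]:
                alerts.append({"type": "new_location", "user": u, "ts": e["ts"],
                               "detail": f"country {e['country']}, usual {sorted(countries[u])}"})
                flagged = True

        # Only unflagged successes extend the baseline, so an attacker's
        # first login cannot teach the detector that Lagos at 2am is normal.
        if not flagged:
            hours[u].add(e["ts"].hour)
            countries[u].add(e["country"])
            successes[u] += 1

    return alerts


def run_sample():
    """Run the detector over the constructed log and return its alerts."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(a["ts"], a["user"], a["type"], "-", a["detail"])
```

Run on the constructed log, the detector raises nothing for bob and three alerts for alice's 02:14 sign-in from Nigeria: a failure burst from the same address, an off-hours login, and a country never seen in her history. Holding flagged sign-ins out of the baseline until someone reviews them is the design choice that matters most; a detector that learns from every success will quietly accept the attacker's pattern as the new normal.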
Avanan also urges cybersecurity professionals to adopt AI to scale up their ability to track indications of account compromise, and to automate the blocking of accounts that have been successfully taken over by bad actors.
“Automation is important because you often don't have time to wait for someone to review every event,” said Fuchs. “It is vital to revoke the hacker's access to the account immediately before any damage is done. Otherwise, your organization could be in a world of trouble.”