Cyber Security: Payroll Phishing Threat Grows
Beazley’s 2018 Breach Briefing Reveals the Rapidly-Changing Cyber Risk Landscape
Cyber extortion, payroll diversion phishing attacks and fraudulent wire instruction are among the growing threats to business highlighted in the 2018 Breach Briefing, a report published today by specialist insurer Beazley.
The trends described in the report draw on information deriving from the 2,500 data breach incidents that Beazley, a leading insurer of cyber risks, helped clients manage over the past year. The report provides a detailed analysis of the types of cyber-attacks that affected Beazley’s US clients in 2017, with a spotlight on the retail, hospitality and healthcare sectors, and uses real-life examples to illustrate how successful attacks and scams work.
From cyber extortion to phishing scams, each of the cyber threats detailed in the Breach Briefing is accompanied by practical steps that organizations can take to protect themselves against these new and persistent threats. These include advice regarding:
• W-2 fraud
• Fraudulent wire instruction
• Ransomware
• Payroll diversion
• Attacks on credit cards
•Office for Civil Rights compliance (healthcare sector)
Beazley has handled over 7,500 breach incidents since 2009. The frontline experience of the insurer’s in-house breach response team, Beazley Breach Response (BBR) Services affords a unique insight into the changing nature of cyber-risks, how organizations are impacted and the preventative measures that they can take.
Katherine Keefe, global head of BBR Services said: “Criminals are intent on stealing data or extorting cash and their methods are becoming more sophisticated by the day. Wherever weaknesses exist –in systems, processes or simple human fallibility – every organization regardless of sector and size is vulnerable. We hope our Briefing will help organizations understand the risks more fully and ensure that they are doing all they can to protect themselves.”
The cyber threat landscape is constantly changing. Malicious attacks like zero-day malware, ransomware, and cleverly targeted phishing attacks are on the rise, but businesses also cannot ignore the all too prevalent accidental disclosures and human error risks. Evolving forms of business interruption, cyber extortion, critical operational data loss, and electronic crime present cumulative risks that businesses must address.
Given the changes in the threat landscape, businesses must protect themselves on all fronts, and a focus on incident response is no longer enough. With Beazley’s 360° approach, companies have access to a comprehensive set of solutions created to protect their business from the dangerous world of cyber risks.
Working with our policyholders on over 2,600 data incidents in 2017, Beazley Breach Response (BBR) Services, Beazley’s in-house breach response team, has a unique vantage point to see evolving threats first-hand and to directly help with protective measures that organizations can take against these threats. Our 2018 Beazley Breach Briefing provides information on recent key cyber threat trends and useful, proactive steps that organizations can take to minimize these threats.
The Briefing also contains real life examples of each of the threats we describe. We provide these examples so that readers can appreciate and understand not only how these issues actually unfold, but also the services and resources that are required for organizations to diligently investigate and respond to these threats.
In 2017, BBR Services encountered a new variation on the phishing attack: bad actors phish for email credentials, change direct deposit information in employee self-service portals, and then redirect paychecks. If the criminals can also access W-2 information through the payroll processor user account, they may then file a fraudulent tax return for the employee or use the Social Security number (SSN) to open lines of credit.
BBR Services assisted with 54 of these incidents in 2017 across all industries. More than half of these incidents handled by the BBR Services team occurred in the higher education sector, likely due in part to the fact that college and university faculty and staff emails are often publicly listed on school websites. The BBR Services team also handled these incidents in healthcare, manufacturing, professional services, and retail.
2017 payroll diversion phishing attacks by industry
Some 84% of payroll diversion phishing attacks reported to Beazley impacted middle market organizations versus small businesses, suggesting larger organizations are more of a target for this type of an attack.
• A typical payroll phishing attack happens as follows:
• The attacker targets the organization’s employees with an email phishing campaign.
• One or more employees fall for the phishing campaign and supply their email credentials.
• The attacker determines which vendor the organization uses for payroll/HR.
• With the user credentials, the attacker creates a new inbox forwarding rule for the compromised account. The forwarding rule sends any email coming from the payroll provider directly to the trash.
• Using the compromised email address, the attacker requests that the payroll provider reset the password for that account. The payroll provider sends a password reset email with a temporary password. Because of the forwarding rule, the email goes directly to the trash and the user never sees it.
• The attacker uses the newly supplied password to access the employee self-service portal. If the organization uses single sign-on for access to the payroll provider, the attacker doesn’t even have to request a password reset.
• The attacker changes the direct deposit information for the employee. The next time payroll is processed, the employee’s paycheck goes into an account the attacker controls.
Although BBR Services has seen these attacks primarily compromise direct deposit instructions, the attack can be used on other types of accounts, such as health savings accounts (HSA), flexible spending accounts (FSA), or 401(k)s or 529 plans.
These attacks typically require an external forensic analysis to determine whether the attacker had access to personally identifiable information (PII) or protected health information (PHI) within the employee’s email inbox. Employees in some roles, such as a student loan officer in education, loan officer in financial services, or administrator or practitioner in healthcare, may have PII or PHI in emails. If the organization concludes that PHI or PII has been exposed, determining the population of affected individuals can be a time-consuming process that requires extensive mining of emails in order to determine the specific individuals impacted and the exact nature of the exposed PII or PHI.
Phishing attack diverts university’s payroll
An attacker targeted a university with a phishing email and gained credentials to 15 faculty email accounts. The university learned of the attack when a few faculty members complained about not receiving paychecks. An internal investigation revealed that the attacker gained access to the user email accounts and used the email credentials to log onto the university’s employee self-service portal. BBR Services provided an action plan, including connecting the university with expert legal and forensics services. Notification letters along with an offer for credit monitoring were prepared and sent to the affected persons. Given the states of residency of the affected individuals, no regulators needed to be notified. The forensic firm was also able to rule out the possibility that the attacker viewed the W-2 portion of the portal so the 15 faculty members’ W-2s were not accessed. The total cost of this incident, not including the cost of the stolen payroll, was approximately $100,000.
Protecting your organization from phishing attacks
• Turn on two-factor authentication for external access to all applications, or at the very least, to particularly sensitive ones such as email, payroll or benefits providers, remote desktop protocol (RDP), and virtual private networks (VPNs).
• Audit recent direct deposit changes prior to issuing payroll and confirm the changes over the phone or in person with your employees.
• Educate and train employees about phishing. Consider whether simulated anti-phishing campaigns make sense for your organization’s risk profile.
• Periodically review email distribution lists, especially where reports containing PII or PHI are sent to a list.
• Use role-based access controls to manage access to sensitive information and ensure that access is terminated or updated appropriately when an employee changes roles or leaves the organization.
• Enforce strong password policies. Educate employees about the risks of recycling passwords for different applications.
• If your email system permits, set up alerts whenever new forwarding rules are created so that messages cannot be secretly diverted.