Microsoft: Payroll Pirate Attacks Target Universities

Cybersecurity Alert: New Phishing Scam Targets University Payroll Systems

A targeted campaign is actively hitting faculty and staff at universities and colleges with a single, disruptive goal: stealing your paycheck. This financial fraud, known as a payroll diversion attack, uses social engineering to obtain credentials for employee portals and then reroutes direct deposits to accounts controlled by the criminals.

These attacks represent a significant evolution in phishing campaigns, moving beyond simple data theft to direct financial fraud. Understanding how these threat actors operate is the first step in protecting yourself and your institution.

The Anatomy of a Payroll Diversion Attack

The attack unfolds in a series of calculated steps, designed to exploit trust and bypass standard security measures.

  1. The Bait: Deceptive Phishing Emails
    The attack begins with a carefully crafted phishing email. These messages are designed to look like legitimate internal communications, often appearing to come from the university’s IT department, human resources, or administration. They frequently use urgent subject lines related to salary updates, password expirations, or system maintenance to prompt immediate action.

  2. The Trap: Credential Harvesting
    Clicking a link in the email leads the victim to a fraudulent login page that is a pixel-perfect replica of their university’s official sign-in portal. Unsuspecting employees enter their username and password, handing their credentials directly to the attackers.

  3. Bypassing a Key Defense: Defeating Multi-Factor Authentication (MFA)
    Even with MFA enabled, these attackers have methods to get past this layer. A common technique is MFA fatigue: the threat actor, holding the stolen password, repeatedly triggers push notifications to the employee’s authentication app. Overwhelmed or simply trying to make the prompts stop, the employee may approve a request they did not initiate, granting the attacker a fully authenticated session. Other methods, such as SIM swapping, let the attacker receive SMS one-time passcodes sent to the victim’s phone number.

  4. The Heist: Rerouting Your Paycheck
    Once inside the system, the attacker navigates to the payroll or HR portal. The ultimate goal is to change the direct deposit banking information, replacing the employee’s legitimate bank account details with a new account they control. The change is often subtle and goes unnoticed until the next payday, when the employee’s salary is diverted. By the time the theft is discovered, the funds are often long gone.

Why Are Universities a Prime Target?

Higher education institutions present an attractive target for several reasons:

  • Large User Base: Universities employ thousands of faculty and staff, providing a large pool of potential targets.
  • Decentralized Networks: The often-sprawling and decentralized nature of university IT systems can create security gaps.
  • Culture of Collaboration: An environment that encourages open communication and information sharing can sometimes be exploited by social engineering tactics.
  • Valuable Data: Beyond payroll, employee portals contain a wealth of sensitive personal information that can be stolen and sold.

How to Protect Yourself and Your Institution

Vigilance and proactive security measures are essential to combat these threats. Both employees and institutions have a role to play in preventing payroll fraud.

Actionable Security Tips for Employees:

  • Scrutinize All Emails: Be highly suspicious of any unexpected email regarding your password, salary, or account information. Look for grammatical errors, generic greetings, or a sense of false urgency.
  • Never Click Directly on Links: Instead of clicking a link in an email, manually navigate to your university’s official portal by typing the address into your browser.
  • Guard Your MFA Approvals: Never approve an MFA push notification that you did not initiate yourself. If you receive unexpected requests, it is a major red flag that your credentials may be compromised. Report this to your IT department immediately.
  • Regularly Verify Your Payroll Information: Make it a habit to log into your employee portal and confirm that your direct deposit and personal information are correct, especially in the days leading up to your payday.

Recommendations for University Security Teams:

  • Implement Phishing-Resistant MFA: Move towards FIDO2 security keys or passkeys, which cannot be approved by mistake and cannot be replayed from a fake login page. Number matching on push notifications is a useful interim step because it stops fatigue-style approvals, but it does not by itself protect a password and code entered into a phishing site.
  • Enhance Monitoring and Alerts: Alert on every direct deposit change and on sign-ins from unusual locations, and correlate the two. A bank account change that follows shortly after a sign-in from a new location or a burst of MFA prompts should be held and confirmed with the employee through a channel the attacker does not control (a phone call to a number already on file, not a reply to the portal email) before it takes effect.
  • Conduct Continuous Security Training: Educate staff and faculty about the specific tactics of payroll diversion attacks. Regular training and phishing simulations can dramatically improve awareness and defense.
  • Enforce Strict Access Controls: Use conditional access policies to block logins from anonymizing services or suspicious IP addresses, limiting the attacker’s ability to operate.
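A worked example of the correlation the monitoring recommendation calls for, added here and not taken from the source article or from Microsoft. It runs two rules over sign-in, MFA-push and payroll-portal events: repeated denied pushes that end in an approval (the fatigue pattern), optionally followed by a direct deposit change, and a deposit change that follows a sign-in from a country outside the employee’s usual set. The log format, field names, user names, IP addresses, baseline countries and thresholds are all constructed for the example and are not a real identity-provider or HR-system schema.

```python
"""Correlate sign-in, MFA-push and payroll-portal events to flag payroll-diversion patterns.

Added example: the event format below is constructed for illustration and is not
a real identity-provider or HR-system log schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events: "<timestamp> <user> <event_type> <outcome> <country> <source_ip>".
# alice: four denied pushes, then an approval, then a deposit change (fatigue pattern).
# bob:   normal sign-in and a legitimate deposit change.
# carol: sign-in from a country outside her baseline, then a deposit change.
SAMPLE_LOG = """\
2024-03-01T08:55:00Z alice login success US 203.0.113.10
2024-03-01T08:55:05Z alice mfa_push denied US 203.0.113.10
2024-03-01T08:55:20Z alice mfa_push denied US 203.0.113.10
2024-03-01T08:55:40Z alice mfa_push denied US 203.0.113.10
2024-03-01T08:56:10Z alice mfa_push denied US 203.0.113.10
2024-03-01T08:56:30Z alice mfa_push approved US 203.0.113.10
2024-03-01T09:10:00Z alice deposit_change success US 203.0.113.10
2024-03-01T12:00:00Z bob login success US 198.51.100.7
2024-03-01T12:00:10Z bob mfa_push approved US 198.51.100.7
2024-03-01T12:30:00Z bob deposit_change success US 198.51.100.7
2024-03-02T03:00:00Z carol login success NL 192.0.2.44
2024-03-02T03:00:05Z carol mfa_push approved NL 192.0.2.44
2024-03-02T03:05:00Z carol deposit_change success NL 192.0.2.44
"""

# Assumed per-user baseline: countries seen in earlier, trusted sign-ins (constructed).
BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}


@dataclass
class Event:
    ts: datetime
    user: str
    etype: str
    outcome: str
    country: str
    ip: str


def parse_log(text):
    """Parse the constructed space-separated format into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, etype, outcome, country, ip = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, etype, outcome, country, ip))
    return sorted(events, key=lambda e: e.ts)


def detect_mfa_fatigue(events, window=timedelta(minutes=5), min_denials=3):
    """Return (user, approval_time, denial_count) for approvals preceded by >= min_denials denials in window."""
    hits = []
    pushes_by_user = defaultdict(list)
    for e in events:
        if e.etype == "mfa_push":
            pushes_by_user[e.user].append(e)
    for user, pushes in pushes_by_user.items():
        for i, push in enumerate(pushes):
            if push.outcome != "approved":
                continue
            denials = [p for p in pushes[:i] if p.outcome == "denied" and push.ts - p.ts <= window]
            if len(denials) >= min_denials:
                hits.append((user, push.ts, len(denials)))
    return hits


def detect_risky_deposit_change(events, baseline, window=timedelta(hours=24)):
    """Return (user, change_time, country) for deposit changes preceded in window by an off-baseline sign-in."""
    hits = []
    for change in events:
        if change.etype != "deposit_change":
            continue
        for login in events:
            age = (change.ts - login.ts).total_seconds()
            if (login.user == change.user and login.etype == "login"
                    and 0 <= age <= window.total_seconds()
                    and login.country not in baseline.get(change.user, set())):
                hits.append((change.user, change.ts, login.country))
                break
    return hits


def triage(events, baseline, follow_up=timedelta(hours=1)):
    """Combine both rules into per-user alert reasons; the deposit change after a fatigue approval is the strongest signal."""
    alerts = defaultdict(list)
    for user, approved_at, n in detect_mfa_fatigue(events):
        alerts[user].append(f"MFA fatigue: {n} denied pushes before approval at {approved_at:%Y-%m-%d %H:%M:%S}")
        for e in events:
            gap = (e.ts - approved_at).total_seconds()
            if e.user == user and e.etype == "deposit_change" and 0 <= gap <= follow_up.total_seconds():
                alerts[user].append(f"direct deposit changed {int(gap // 60)} min after that approval")
    for user, changed_at, country in detect_risky_deposit_change(events, baseline):
        alerts[user].append(f"direct deposit changed at {changed_at:%Y-%m-%d %H:%M:%S} after sign-in from {country}, "
                            f"outside baseline {sorted(baseline.get(user, []))}")
    return dict(alerts)


if __name__ == "__main__":
    for user, reasons in triage(parse_log(SAMPLE_LOG), BASELINE).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

Against the constructed log, alice is flagged twice (the fatigue approval and the deposit change thirteen minutes later), carol once (deposit change after the NL sign-in), and bob not at all. In production the same two rules would read from the identity provider’s sign-in and MFA logs and the HR system’s audit trail, and the thresholds would be tuned to the institution’s own false-positive rate.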

By staying informed and adopting a security-first mindset, the academic community can work together to shut down these fraudulent attacks and ensure that every employee’s hard-earned salary is secure.

Source: https://www.bleepingcomputer.com/news/security/hackers-target-university-hr-employees-in-payroll-pirate-attacks/
