FBI Uncovers New Direct Deposit Hack

On September 18, the FBI released an alert describing a technique cybercriminals are using to divert payroll. Employees are targeted with phishing emails designed to capture their login credentials. Once the cybercriminal has an employee's credentials, they are reused to log in to the employee's online payroll account. The cybercriminal first adds rules to the account that stop the employee from receiving alerts about direct deposit changes, then changes the direct deposit details so that the employee's pay is redirected to an account the cybercriminal controls, which is often a prepaid card. Because the alerts have been muted, the employee typically learns of the change only when an expected paycheck never arrives.

For scale, the FBI's Internet Crime Complaint Center (IC3) reported more than 300,000 complaints and losses exceeding $1.4 billion across all categories of internet crime in its 2017 annual report; payroll diversion is one of the schemes behind those numbers, not the sole cause of them. There are nine things the FBI recommends:

  1. Alert and educate your workforce about this scheme, including preventive strategies and appropriate reactive measures should a breach occur.
  2. Instruct employees to hover their cursor over hyperlinks included in emails they receive to view the actual URL. Ensure the URL actually belongs to the company the email purports to be from before clicking.
  3. Instruct employees to refrain from supplying login credentials or personally identifying information in response to any email.
  4. Direct employees to forward suspicious requests for personal information to the IT or human resources department.
  5. Ensure login credentials used for payroll purposes differ from those used for other purposes, such as employee surveys.
  6. Apply heightened scrutiny to employee-initiated requests to update or change direct deposit bank information.
  7. Monitor employee logins that occur outside normal business hours.
  8. Restrict access to the internet on systems handling sensitive information or implement two-factor authentication for access to sensitive systems and information.
  9. Only allow required processes to run on systems handling sensitive information.
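The attack chain above (off-hours login with stolen credentials, alert-suppression rule added, direct deposit changed) and recommendations 6 and 7 translate directly into detection logic over the payroll portal's audit log. The following is an added example written for this post; it is not code from the FBI alert or from any payroll vendor. The audit-log format, the event names (`LOGIN`, `NOTIFICATION_RULE_ADDED`, `DIRECT_DEPOSIT_CHANGED`), the field names, the sample events and the 07:00 to 19:00 business-hours window are all assumptions, so map them to whatever your own payroll system actually exports.

```python
"""Flag the payroll-diversion chain in a self-service payroll audit log.

Added example (not from the FBI alert or any vendor). The log format,
event names, attributes and business-hours window are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log. Each line: ISO timestamp, user, event
# name, then optional key=value attributes. 2018-09-17 is a Monday.
SAMPLE_LOG = """\
2018-09-17T09:12:04 jsmith LOGIN src=10.20.30.41
2018-09-17T09:13:10 jsmith VIEW_PAYSTUB
2018-09-18T02:41:57 jsmith LOGIN src=203.0.113.77
2018-09-18T02:43:20 jsmith NOTIFICATION_RULE_ADDED action=suppress topic=direct_deposit
2018-09-18T02:45:02 jsmith DIRECT_DEPOSIT_CHANGED account=REDACTED
2018-09-18T10:05:30 mlopez LOGIN src=10.20.30.52
2018-09-18T10:06:11 mlopez DIRECT_DEPOSIT_CHANGED account=REDACTED
2018-09-18T22:30:00 akumar LOGIN src=198.51.100.9
"""

BUSINESS_HOURS = (7, 19)                 # assumed: 07:00-19:00 local, Mon-Fri
SUPPRESSION_WINDOW = timedelta(hours=24) # rule added within this window before a change


def parse_log(text):
    """Parse the constructed log format into event dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, name, *kv = line.split()
        attrs = dict(pair.split("=", 1) for pair in kv)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": name, "attrs": attrs})
    return sorted(events, key=lambda e: e["ts"])


def is_off_hours(ts):
    """Recommendation 7: weekends or anything outside the business-hours window."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def analyze(text):
    """Return {user: [(rule_name, timestamp), ...]} for every account with a finding."""
    findings = defaultdict(list)
    by_user = defaultdict(list)
    for e in parse_log(text):
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        known_srcs = set()      # source addresses this user has logged in from before
        last_login = None       # the session that performed later actions
        suppressions = []       # timestamps of alert-suppressing notification rules
        for e in evs:
            if e["event"] == "LOGIN":
                src = e["attrs"].get("src")
                if is_off_hours(e["ts"]):
                    findings[user].append(("off_hours_login", e["ts"]))
                # A login from a never-before-seen source only counts as "new"
                # once the user has some history to compare against.
                last_login = {"ts": e["ts"],
                              "new_src": bool(known_srcs) and src not in known_srcs}
                known_srcs.add(src)
            elif (e["event"] == "NOTIFICATION_RULE_ADDED"
                  and e["attrs"].get("action") == "suppress"):
                suppressions.append(e["ts"])
            elif e["event"] == "DIRECT_DEPOSIT_CHANGED":
                # Recommendation 6: every direct-deposit change gets scrutiny;
                # escalate when it follows the chain described in the alert.
                severity = "review"
                if any(e["ts"] - SUPPRESSION_WINDOW <= t <= e["ts"] for t in suppressions):
                    findings[user].append(("alert_suppression_before_dd_change", e["ts"]))
                    severity = "high"
                if last_login and (is_off_hours(last_login["ts"]) or last_login["new_src"]):
                    severity = "high"
                findings[user].append((f"direct_deposit_change_{severity}", e["ts"]))
    return dict(findings)


if __name__ == "__main__":
    for user, hits in analyze(SAMPLE_LOG).items():
        for rule, ts in hits:
            print(f"{ts.isoformat()} {user:8} {rule}")
```

Run against the sample, `jsmith` is escalated to high on all three signals (off-hours login from a new source, suppression rule, then the change), `mlopez` gets the routine review every change should receive under recommendation 6, and `akumar` is only reported for the off-hours login. The point of scoring rather than alerting on a single event is that a direct deposit change on its own is a normal HR event; it is the combination with muted alerts and an anomalous session that marks the diversion.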



Rex Johnson

Rex has more than 25 years of IT, business and leadership experience. His areas of expertise include cybersecurity, data privacy, IT governance, project and program management, enterprise risk management, security management and operations, internal and external audit, regulatory compliance and controls assurance. He has served as a trusted advisor for executive management and a liaison between IT, Internal Audit and external auditors. He has led teams to address security risks and develop long-term sustainable solutions.
