Re: Fake Direct Deposit Forms

["Henderson, Daniel C." <dchenderson () CCIS EDU>]

We have had these types of attacks occur off and on for the past few years. Our payroll office had to alter their 
processes to ensure none of the fake DD attempts were successful. The one and only time one went through, the bank 
account that the attacker had set up was already closed by the time we contacted the bank in California. We found that 
most the time an account was compromised by a phishing email that harvested user credentials, and the attacker used our 
portal to login and use fill out the proper form for a new DD location.

We have increased our security awareness training to try and prevent account compromises, with multiple phishing 
exercises yearly and knowbe4 training once a year. We have seen some success, but we know it won't be 100%. We would 
like to start using MFA to help in this effort as well, and hope to move towards some kind of MFA in the next few years.


Caine Henderson
Director of Cyber Security, Web Development, and Investigation
Columbia College
573-875-4608



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Manjak, Martin
Sent: Tuesday, September 10, 2019 11:29 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Fake Direct Deposit Forms

CAUTION!: This email originated from outside of Columbia College.
Ron,

You're not. We had an incident last week where an account was compromised and used to send the DD change request to our 
HR department. The fake check and form also referenced an American Express National Bank account. In our case, the A/C# 
was 6220124014299.

It was flagged because our form requires state assigned employee IDs, not SSN.


The emails were sourced from QuadraNet, Inc colocation centers in Atlanta, LA, and Huntsville.



The mystery we haven't solved yet is how the employee's email was compromised. No spam was sent, just the DD change 
request. They did set up an In box rule that marked any responses from HR as read and moved to the Delete folder to 
prevent the victim from being tipped off.

Marty Manjak
CISO
University at Albany

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of King, Ronald A.
Sent: Tuesday, September 10, 2019 11:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Fake Direct Deposit Forms

As an FYI, I have had three reports of fake Direct Deposit requests. Two of them included completed forms. The forms 
included the victims correct address and social. Both would have redirected full paychecks to American Express National 
Bank in Salt Lake City. Attached is an image of the electronic check. Given the size of the Equifax breach and the loss 
of the pertinent info, we cannot be the only institution seeing this.

Ron

Ronald King
Chief Information Security Officer

Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu<mailto:raking () nsu edu>
www.nsu.edu<http://www.nsu.edu/>
@NSUCISO (Twitter)
[NSU_logo_horiz_tag_4c - Smaller]


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community