Educause Security Discussion mailing list archives
Re: Fake Direct Deposit Forms
From: "Henderson, Daniel C." <dchenderson () CCIS EDU>
Date: Tue, 10 Sep 2019 18:21:19 +0000
We have had these types of attacks occur off and on for the past few years. Our payroll office had to alter their processes to ensure none of the fake DD attempts were successful. The one and only time one went through, the bank account that the attacker had set up was already closed by the time we contacted the bank in California.

We found that most of the time an account was compromised by a phishing email that harvested user credentials, and the attacker used our portal to log in and fill out the proper form for a new DD location.

We have increased our security awareness training to try and prevent account compromises, with multiple phishing exercises yearly and KnowBe4 training once a year. We have seen some success, but we know it won't be 100%. We would like to start using MFA to help in this effort as well, and hope to move towards some kind of MFA in the next few years.

Caine Henderson
Director of Cyber Security, Web Development, and Investigation
Columbia College
573-875-4608

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Manjak, Martin
Sent: Tuesday, September 10, 2019 11:29 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Fake Direct Deposit Forms

Ron,

You're not. We had an incident last week where an account was compromised and used to send the DD change request to our HR department. The fake check and form also referenced an American Express National Bank account. In our case, the A/C# was 6220124014299. It was flagged because our form requires state-assigned employee IDs, not SSN. The emails were sourced from QuadraNet, Inc colocation centers in Atlanta, LA, and Huntsville.

The mystery we haven't solved yet is how the employee's email was compromised. No spam was sent, just the DD change request. They did set up an Inbox rule that marked any responses from HR as read and moved them to the Delete folder to prevent the victim from being tipped off.

Marty Manjak
CISO
University at Albany

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of King, Ronald A.
Sent: Tuesday, September 10, 2019 11:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Fake Direct Deposit Forms

As an FYI, I have had three reports of fake Direct Deposit requests. Two of them included completed forms. The forms included the victims' correct address and social. Both would have redirected full paychecks to American Express National Bank in Salt Lake City. Attached is an image of the electronic check.

Given the size of the Equifax breach and the loss of the pertinent info, we cannot be the only institution seeing this.

Ron

Ronald King
Chief Information Security Officer
Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu
www.nsu.edu
@NSUCISO (Twitter)

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
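The inbox rule described in the thread above (responses from HR marked as read and moved to the Delete folder) is something a periodic mailbox-rule audit can look for. The following is an added example, not part of the original messages: the export format, field names, addresses and folder names are assumptions, and the sample records are constructed.

```python
import json

# Constructed sample: an inbox-rule export, one JSON object per line.
# Field names are assumptions for this example, not a real product schema.
SAMPLE_EXPORT = """\
{"mailbox": "jdoe@example.edu", "name": ".", "from": ["hr@example.edu"], "mark_as_read": true, "move_to_folder": "Deleted Items", "delete": false}
{"mailbox": "asmith@example.edu", "name": "Newsletters", "from": ["news@vendor.example"], "mark_as_read": false, "move_to_folder": "Reading", "delete": false}
{"mailbox": "blee@example.edu", "name": "hr cleanup", "from": ["payroll@example.edu"], "mark_as_read": true, "move_to_folder": null, "delete": true}
{"mailbox": "cwu@example.edu", "name": "HR archive", "from": ["hr@example.edu"], "mark_as_read": false, "move_to_folder": "HR", "delete": false}
"""

# Assumed addresses that HR/payroll use when confirming a direct deposit change.
WATCHED_SENDERS = {"hr@example.edu", "payroll@example.edu"}
# Folder names treated as "out of sight"; compared case-insensitively.
DISCARD_FOLDERS = {"deleted items", "trash"}


def discards(rule):
    """True if the rule deletes the message or files it in a discard folder."""
    folder = (rule.get("move_to_folder") or "").strip().lower()
    return bool(rule.get("delete")) or folder in DISCARD_FOLDERS


def find_reply_hiding_rules(export_text, watched=WATCHED_SENDERS):
    """Return (mailbox, rule name) for every rule that marks mail from a
    watched sender as read and also deletes or discards it."""
    hits = []
    for line in export_text.splitlines():
        if not line.strip():
            continue
        rule = json.loads(line)
        senders = {s.lower() for s in rule.get("from") or []}
        if senders & watched and rule.get("mark_as_read") and discards(rule):
            hits.append((rule["mailbox"], rule["name"]))
    return hits


if __name__ == "__main__":
    for mailbox, name in find_reply_hiding_rules(SAMPLE_EXPORT):
        print(f"review {mailbox}: rule {name!r} hides HR/payroll replies")
```

A rule that only files HR mail into a normal folder (the fourth record) is not flagged; the combination of mark-as-read and discard on HR or payroll senders is what matches the behaviour described in the thread.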
Current thread:
- Fake Direct Deposit Forms King, Ronald A. (Sep 10)
- Re: Fake Direct Deposit Forms Stevenson,Katherine Talia (Sep 10)
- Re: Fake Direct Deposit Forms Barton, Robert W. (Sep 10)
- Re: Fake Direct Deposit Forms Manjak, Martin (Sep 10)
- Re: Fake Direct Deposit Forms Henderson, Daniel C. (Sep 10)
- Re: Fake Direct Deposit Forms Dickey, A. (Antoinette) (Sep 10)
- Re: Fake Direct Deposit Forms Manjak, Martin (Sep 11)
- Re: Fake Direct Deposit Forms David Escalante (Sep 11)
- Message not available
- Re: Fake Direct Deposit Forms Jesse Thompson (Sep 11)
- Re: Fake Direct Deposit Forms Henderson, Daniel C. (Sep 10)
- Re: Fake Direct Deposit Forms Stevenson,Katherine Talia (Sep 10)
- Re: Fake Direct Deposit Forms Scott Gennari (Sep 19)