Sedara Security Bulletin: Direct Deposit Phishing Scam

Overview of Vulnerability

Sedara has seen a recent uptick in direct deposit phishing scams. We’d like to share what we’ve seen and remind you of ways to protect against these scams.

In this scam, the attackers discover the format of the target organization’s email addresses. They then send emails to the target’s Business Office staff using spoofed email addresses that appear to be from an employee. The spoofed email requests an update to direct deposit information. If an employee falls for the scam, they update the information, and paychecks or other payments are redirected to the attacker’s financial account.

This scam can be prevented with simple steps to validate the request.

Sedara’s Recommendations

• Validate email requests for financial information changes, in person or by a phone call to the staff phone number in official records.
• Delay any changes to direct deposit or other financial disbursements until the transaction is validated.
• Require two levels of approval for changes to direct deposit or other financial disbursement information (e.g., the employee impacted and a Business Office manager).
• Require verbal requests for information to be submitted in writing, and validated before releasing the information or changing any records. Ensure that requests for validations are sent to the official email on record, not an address derived from the original email request on-hand.
• Review with your staff and faculty what information elements are considered public, internal use only, or protected (PII).
• If you are in doubt about a message received, or suspect you are the victim of a phishing or social engineering attack – don’t be embarrassed; contact your IT or Security Staff immediately with the details.

REMINDER: October is National Cyber Security month. Use this opportunity to raise security awareness and remind your faculty and staff about the need to protect Personal Identifiable Information.

Here are a couple of videos you can forward to the staff for education.

• SANS Security Awareness: Email and Phishing  – https://youtu.be/sEMrBKmUTPE
• Phishing – a game of deception – https://youtu.be/WNVTGTrWcvw

Want Help With a Security Incident?

Sedara can help your organization assess and address vulnerabilities and provide insight that prevents future incidents.

Get Future Compromise Alerts – Join Sedara Declassified

Subscribe to Sedara Declassified to get timely updates on new and evolving threats – and what to do about them – just like our clients do. And of course, if we can help you with anything directly, feel free to reach out.