Email Compromises Target Executives for Payroll Diversion Scams

The Agari Cyber Intelligence Division observes a considerable increase in attempts to divert payroll through social engineering techniques.

Email cybercrime is on the rise (Image: Shutterstock).

In September 2018, the FBI warned about payroll diversion in which fraudsters change financial account information for direct deposits. Agari saw an increasing frequency of these tactics throughout the last quarter.

Foster City, Calif.-based Agari, which uses predictive artificial intelligence to stop advanced email attacks, identified this as an evolution of business email compromise (BEC) attacks in a blog released Tuesday.

In its alert, the FBI's Internet Crime Complaint Center (IC3) explained that it had received complaints reporting cybercriminals targeting the online payroll accounts of employees in a variety of industries. The institutions most affected are education, healthcare, and commercial airway transportation.

“Cybercriminals target employees through phishing emails designed to capture an employee’s login credentials,” the IC3 public service announcement maintained. “Once the cybercriminal has obtained an employee’s credentials, the credentials are used to access the employee’s payroll account in order to change their bank account information. Rules are added by the cybercriminal to the employee’s account preventing the employee from receiving alerts regarding direct deposit changes. Direct deposits are then changed and redirected to an account controlled by the cybercriminal, which is often a prepaid card.”

In the blog, James Linton, Agari threat researcher, pointed out, “Human resources departments are the epitome of task ownership, carefully and efficiently connecting an organization’s needs with that of its employees. Employees in HR are tasked with recruitment, onboarding, and employee relations, and oftentimes handle payroll and benefits.” He noted that, because of their extensive reach, threat actors are now turning to this organizational pipeline as they continue to vary their employee-to-employee attack vectors.

The Agari Cyber Intelligence Division recently observed a considerable increase in attempts to divert payroll through social engineering techniques. Linton noted these criminal gangs invested a great deal of resources into researching and establishing organizational hierarchies, and are undoubtedly looking to secure a return on that investment, even if a previous attempt at business email compromise has proven unsuccessful.

“Assuming the identity of the CEO seems to be the preferred tactic for the threat actors, but there is no reason that this type of attack cannot utilize the identity and role of any employee within a company,” Linton said. “As the primary aim is to divert a monthly salary payment to a bank account the criminal gang controls, it’s logical they would ideally purport to be those most likely to receive the highest compensation.”

The Agari blog observed that, as with most other BEC attacks, adversaries set up a temporary email account and switch the display name to the name of the individual they are attempting to impersonate. Once the fraudulent account has been created, an email is sent to someone within the payroll organization, typically within the finance or human resources departments.

The blog provided several examples of the scam in action. In one email, the attacker requested a change to their existing payroll direct deposit account details and asked what was required to process the change.

“From this point, the threat actor will be thinking on their feet to a certain extent; their main aim is to avoid being directed to any online third-party HR solution that would require access details they do not possess,” the blog explained. “Knowing this, any attempts to add undue urgency or absolve themselves of the ability to complete the usual process should immediately trigger a red flag.” Agari also noted that threat actors are not fazed when asked to provide a voided check displaying account details, and have successfully provided these when requested.

“By avoiding third-party systems and asking for help from the human resources employee, the threat actor can control the entire situation and successfully divert pay into the fake account they own,” Linton said. “Depending on how the real employee checks their bank account, this scheme can continue for weeks, or even months, before the attack is caught.”

Agari advises all organizations to evaluate their current processes for updating payroll details. “If a two-factor online system is not being used, we recommend ensuring an element of human contact is established before completion of the request, in addition to checking that the email address is from a legitimate source. As with all email attacks, one can never be too careful.”
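The checks the article describes (a display name that matches a known executive while the sending address does not, a sender outside the organization's domain, a request to change direct deposit details, and wording that adds urgency or avoids the normal process) can be expressed as a simple triage rule a payroll mailbox or mail gateway could run before a human acts on the request. The following is an added example written for this page; it is not Agari's or the FBI's code. The executive roster, trusted domain, keyword lists and the two sample messages are all constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed roster: display names the organization expects to see, mapped to the
# only address each should send from. Real deployments would pull this from a directory.
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
}
TRUSTED_DOMAINS = {"example.com"}  # assumed organizational domain

# Constructed phrase lists; tune them to the organization's own vocabulary.
PAYROLL_KEYWORDS = ("direct deposit", "payroll", "bank account", "paycheck", "pay check")
AVOIDANCE_PHRASES = ("can't call", "cannot call", "in meetings", "no access",
                     "can't log in", "cannot log in", "unable to access", "before the next pay")


def _norm(name: str) -> str:
    """Collapse case and whitespace so 'Jane  DOE' matches the roster key."""
    return " ".join(name.lower().split())


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyze_message(raw: str) -> dict:
    """Flag a raw RFC 5322 message for the payroll-diversion indicators in the article."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))

    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()

    flags = []
    roster_addr = EXECUTIVES.get(_norm(display_name))
    # Display-name impersonation: the name is an executive's, the mailbox is not.
    if roster_addr is not None and roster_addr != from_addr.lower():
        flags.append("display_name_impersonation")
    if _domain(from_addr) not in TRUSTED_DOMAINS:
        flags.append("external_sender")
    # A Reply-To pointing somewhere other than the From mailbox is a classic BEC tell.
    if reply_to and _domain(reply_to) != _domain(from_addr):
        flags.append("reply_to_mismatch")
    if any(k in text for k in PAYROLL_KEYWORDS):
        flags.append("payroll_change_request")
    if any(p in text for p in AVOIDANCE_PHRASES):
        flags.append("process_avoidance")

    # Hold for out-of-band verification whenever an impersonated name or an external
    # sender is paired with a payroll change; everything else proceeds normally.
    if "display_name_impersonation" in flags or (
        "external_sender" in flags and "payroll_change_request" in flags
    ):
        verdict = "hold_for_verification"
    else:
        verdict = "allow"

    return {"from_name": display_name, "from_addr": from_addr,
            "flags": flags, "verdict": verdict}


# Constructed sample lure modelled on the pattern the article describes.
SAMPLE_LURE = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: jane.doe.ceo@gmail.com
To: payroll@example.com
Subject: Direct deposit change
Content-Type: text/plain; charset="utf-8"

Hi, I need to update the direct deposit account for my payroll before
the next pay run. What do you need from me to process the change? I'm
in meetings all day so can't call.
"""

# Constructed benign message from the real mailbox, for comparison.
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Q3 offsite

Can you send me the headcount numbers for the offsite deck?
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LURE, SAMPLE_LEGIT):
        print(analyze_message(sample))
```

The verdict is deliberately a hold rather than a block: the article's own advice is that a human should contact the requester through a channel other than the email before the change is completed, and a roster-based name check is exactly the step that tells that person which mailbox to trust.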