Vade Uncovers Ongoing Direct Deposit Spear Phishing Attacks
Adrien Gendre
April 04, 2019
17 min

For some unfortunate employees, cybercriminals have found a way to make even payday a miserable experience. In a previous iteration of the direct deposit payroll phishing attack, they harvested login credentials from employees to gain access to HR and payroll platforms. Now, they’re using spear phishing techniques to get HR to do the work for them.
How it Works
The FBI first warned of direct deposit phishing back in December 2018 when a wave of targeted attacks hit the education sector, including Wichita State University, where three employees lost their paychecks. Impersonating HR staff, cybercriminals sent emails to employees requesting that they log in to the HR portal to either view a private email or view/make changes to their account.
Those emails included links to phishing sites where employees disclosed their login credentials. With those credentials in hand, cybercriminals switched the bank accounts for the payroll direct deposits. They also likely gained access to employee W2s and personally identifiable information (PII), such as social security numbers, which could be used for identity theft or other targeted attacks.
In the latest version of this attack, cybercriminals are required to do only half the work for the same payout.
The below spear phishing were emails uncovered by Vade on February 25, 2019. The cybercriminal starts the conversation casually, before providing their bank account information. This is a common approach in spear phishing that primes the victim and establishes trust before going in for the kill. This exchange is between an HR director and a cybercriminal asking her to change his direct deposit information:
Fortunately for this HR director, the cybercriminal appeared to be low on patience, and his forceful response, along with his questionable grammar, set off the HR director’s alarm. She quickly reported the incident. In many cases, though, cybercriminals will continue to work the victim until they get what they want.
In the next example uncovered by Vade in January, a cybercriminal targeted an HR assistant in the construction industry. Again, this is a multiphase attack in which the victim is primed for the setup before taking the bait. Unlike the previous examples where the sender impersonated regular employees, this sender impersonates the COO. This achieves two ends: First, it ensures a higher payout. Second, it puts social pressure on the HR assistant. Receiving a request from a prominent executive in an organization makes the victim more likely to act—and quickly.
One telltale sign of spear phishing in the above example is the AOL email address. What are the odds that your COO would email you from their personal email? Probably pretty low. But if you look closely, you’ll see that the cybercriminal sent the email from an iPad. This could lead the victim to believe the COO sent the email from their personal email by mistake. This small detail is just one of the many techniques used to trick victims.
In January, Brown University reported similar spear phishing emails from cybercriminals impersonating employees and asking HR staff to change their direct deposit information.
Why it Works
Like other phishing scams, HR spear phishing scams tend to be seasonal, with the emails focusing on topics that would be top of mind for employees and HR staff. The attacks in late 2018 and early 2019, for example, coincided with tax season, when employees are most likely to request access to W2s or other tax forms. While a request for a W2 in June might give an HR specialist pause, a request in January is to be expected—they might not give it a second thought, and that’s what cybercriminals are counting on.
HR spear phishing scams might also heat up during periods of open enrollment for health insurance or during performance review periods when employees typically receive raises and are especially eager to see their bigger paychecks deposited into their accounts.
The seasonality of these attacks is just one aspect of why they’re so successful. Unlike the emails directing employees to a phishing website, these latest spear phishing emails do not include links, which many email security solutions rely on to detect phishing. Although the sender’s email addresses in the above examples are spoofs, they’re examples of unknown, low-volume threats (in this case, a single email) and will not necessarily be flagged by an email filter. This is a rising trend we’re seeing around multiphase attacks. A common example of this is when a cybercriminal gains access to legitimate Office 365 login credentials, then spreads throughout the organization, impersonating employees and gathering more login credentials and data. This is especially difficult to detect because secure email gateways outside of Office 365 cannot scan internally.
How You Can Protect Your Business
The nature of the above spear phishing attacks makes them extremely difficult to identify using traditional email filtering technology. Without the presence of a malicious attachment or phishing link, these emails continue to flood inboxes and cause significant damage to businesses and employees.
While traditional email solutions scan for known threats, in a predictive approach to email security, unsupervised anomaly detection technology can compare the message sender to the organization’s entity model to identify alias spoofing, cousin domains, and other impersonation attempts. Natural language processing is then used to analyze the content of the email, scanning for the malicious intent and sense of urgency seen in so many spear phishing emails.
As a last line of defense, your employees should complete ongoing phishing awareness training to keep them informed of the latest threats and techniques. Structured training should be augmented with on-the-fly training. If an employee clicks on a phishing link or responds to a spear phishing email, they’re more likely to understand the ramifications of those actions if they receive immediate training and feedback.