FBI Portland
Portland Media Office
(503) 460-8060
June 13, 2017

FBI Tech Tuesday - Building a Digital Defense Against PII (Part 2)

Last week, we talked about a cyber scheme the FBI is seeing a lot of these days. It is a version of the business e-mail compromise scam in which the fraudster pretends to be an executive within the victim company. He convinces the HR or finance department to give him Personally Identifying Information—or PII—about the employees—allegedly for tax or audit purposes.

This week we are going to talk about a similar PII theft scam, but this one starts with a phishing campaign targeting employees themselves. In this case, the fraudster is focused on companies that use self-service platforms where employees can view their pay, W-2, and direct deposit information.

In this case, the fraudster sends an e-mail to an employee pretending to be from the company’s Human Resources department. The e-mail asks the employee to click on a provided link to log into his self-service account. The phishing e-mails often ask employees to logon to view a private e-mail from HR, to view changes made to their accounts, or to confirm that the account should not be deleted.

By clicking on the link and entering their self-service credentials, employees are actually giving their logon information to the fraudster. The fraudster can now go into the self-service account himself and access W-2 and pay stub information. He can also change the direct deposit information. In order to prevent the victim from knowing what is going on, the fraudster will also change the e-mail address that the self-service platform sends alerts to when changes are made.

No matter how the fraudster gets to your PII, his goal is to use the information to launch a series of attacks against the employees. They now are more vulnerable to fraudulent tax filings, credit card applications, loan applications, and more.

Here are ways you can help keep your employees—and their PII—safe:

* Practice good e-mail hygiene. Train your employees to watch for phishing attacks and suspicious malware links. Always checking the actual e-mail address rather than just looking at the display name can be crucial to seeing the attack early.

* Human Resources self-service platforms should have two-factor authentication. An example would be requiring users to enter a second password that is e-mailed to them or a hard token code.

* Self-Service platforms should also have alerts set up for administrators so that unusual activity may be caught before money is lost. These alerts may include banking information being changed to online banks typically used by fraudsters or alerts on TOR node IP addresses.

* Companies can set a time delay between the changing of direct deposit information in the self-service portal and the actual deposit of funds into the new account to decrease the chance of the theft of funds.

For more information on e-mail security concerns or other cyber crimes, check out the FBI’s website at www.fbi.gov or the FBI’s Internet Crime Complaint Center at www.ic3.gov. For Tax Fraud Reporting and Information go to www.irs.gov.