Beware of ‘payroll pirates’: Top MSU officials warn to avoid phishing attacks, protect finances with vigilant information security habits
Today’s technologies carry much reward, but two Mississippi State information officers are warning the university community of real and present risks that have costly financial impacts.
Recent phishing attacks -- involving cyber criminals using deception, urgency, and advanced social engineering tactics to trick victims into unwittingly compromising personal information such as usernames, passwords, and even Duo Mobile two-factor authentication access codes -- are signs that everyone should be vigilant to learn more about and utilize safe information security practices.
MSU employees have not been immune to recent national trends involving “payroll pirate” attacks. MSU Chief Information Security Officer Tom Ritter said these are sophisticated efforts to bait unsuspecting victims to compromise their information security, such as secure network access. In a few recent cases, this has allowed direct deposit account redirection and theft of payroll funds.
A recent Microsoft Security article explains the scenario as “a financially motivated threat actor ... compromising employee accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts.” This tactic has impacted higher education institutions across the country in recent weeks and months.
MSU’s CIO Trey Breckenridge confirmed that four university employees have discovered missing paycheck deposits. These incidents were not caused by an institutional security breach, but by advanced social engineering tactics leading to user error in not adequately recognizing or preventing a threat, thereby unintentionally compromising secure access. MSU has assisted each victim in reporting and correcting the problem; however, stolen money is harmful to employees and institutions.
The Microsoft article cites payroll pirate attacks targeting at least 25 universities nationwide this year. “The threat actor used realistic phishing emails, targeting accounts at multiple universities, to harvest credentials,” it states.
MSU leaders aim to further prepare employees to be harder targets by recognizing warning signs and adopting better information security habits. The university requires employees to complete annual training on this topic, and the Infosec IQ module remains available for additional review in the employee training section of the myState portal.
Ritter said phishing attackers use seemingly legitimate subject lines and plausible email content, with some messaging themes including illnesses or outbreaks on campus, faculty misconduct and other human resources issues, or directives to update passwords or take other action. These messages are designed with the intention of getting email recipients to click a link, sometimes including links to Google documents, that redirect to an attacker-controlled domain.
Ritter said the nefarious social engineers have developed elaborate, multi-step tactics which now involve a “man-in-the-middle” interceptor with the capability of capturing Duo Mobile two-factor authentication access codes when a user erroneously types these into a malicious website. He said it is imperative that all university users pay close attention to URL web addresses, because scammers can build websites that appear identical to the legitimate sites they mirror. When a phishing victim clicks onto an illegitimate website without realizing it, and when this generates a deceptive prompt for a Duo Mobile two-factor authentication code, the “man in the middle” threat actor then can capture the code needed for authentication and complete the information security breach, often without the victim realizing what happened.
Furthermore, Ritter said the scam additionally involves the threat actor creating email inbox rules to prevent victims from receiving warning notification messages when account changes are made. Victims may not see any noticeable red flags until their paychecks fail to deposit in their accounts.
“The bank account information needed to complete the payroll deposit redirection also can be stolen from email content. Once a threat actor has access to emails, often they can simply find bank statements with the information they need,” Ritter said. “The tactics have advanced in steps and sequence, and users must be even more vigilant about protecting themselves and the university.”
To block payroll pirate attacks, Ritter said always use these best information security practices:
—Keep a healthy suspicion of unexpected emails, even those that sound legitimate or could impersonate a credible source, such as a university leader. Pay attention to email addresses and URL links.
—If phishing is suspected, or if a user wants to err on the side of caution and ask Information Technology Services to verify the email’s legitimacy, forward the message to servicedesk@msstate.edu.
—Be cautious of all requests for personal information. Confirm requests by taking independent action—not by replying to the email.
—Maintain strong passwords and change them regularly. A strong password should be at least 16 characters long, though longer is better, and consist of a mix of uppercase letters, lowercase letters, numbers, and symbols.
—Utilize unique passwords for each account. Secure password managers are effective in generating and storing strong, unique passwords while promoting good security habits and password safety.
—Beware of unexpected Duo Mobile two-factor authentication prompts. Duo Mobile prompts now include location origination information, so users can beware when an unexpected location displays on their screen when it prompts for a code.
—Never leave devices unattended in public.
—Make regular backup copies of all data.
—Keep work email and personal email separate. Attackers who breached individual security access have been able to answer banking verification questions from content within the victims’ work email accounts.
While MSU leaders are emphasizing awareness regarding the recent payroll pirate attacks, employees also should guard against phishing phone calls, texts and social media messages. Scammers are actively pursuing access to steal funds and data from any and every point of access.
Contact MSU’s ITS Service Desk for questions and assistance at 662-325-0631 or 888-398-6394 or servicedesk@msstate.edu.
Mississippi State University is taking care of what matters. Learn more at www.msstate.edu.
Allison Matthews | Public Affairs
