Cybercriminals posing as HR staff have set their sights on a new target: online payroll accounts, the US Federal Bureau of Investigation (FBI) warned.
Hackers are attempting to dupe unsuspecting employees into giving up their payroll information, such as their bank account number and passcode, through a phishing scam, authorities from the FBI’s Internet Crime Complaint Center (IC3) said.
The phishing scam starts off as an email from HR personnel asking the account owner to update or verify their direct deposit credentials.
The fake message prompts the account owner to click on a link to a dummy website – presumably a mock-up of a company’s employee portal – where the account owner will be forced to enter their username and password.
“Once the cybercriminal has obtained an employee’s credentials, the credentials are used to access the employee’s payroll account in order to change their bank account information,” the FBI said
Cybercriminals take the extra step of locking out employees from their own account.
“Rules are added by the cybercriminal to the employee’s account preventing the employee from receiving alerts regarding direct deposit changes,” investigators said. “Direct deposits are then changed and redirected to an account controlled by the cybercriminal, which is often a prepaid card.”
The FBI is urging HR personnel to alert their workforce to the phishing scam. Employees should also refrain from supplying account details in response to email prompts, and should set up two-factor authentication on their account.
Authorities said employees from the education, health care, and transport sectors have been affected.