Be prepared – Online scammers attempt to divert employee paychecks

The FBI Internet Crime Complaint Center (IC3) has noted an increase in the number of Business Email Compromise (BEC) and Email Account Compromise (EAC) complaints related to the diversion of payroll funds. In this type of scheme, a company’s human resources or payroll department receives an email appearing to be from an employee requesting to update their direct deposit information for the current pay period. The new direct deposit information generally routes to a pre-paid card account.

Established in 2000, the IC3 is responsible for receiving and processing complaints about internet crimes. According to its 2019 Internet Crime Report, in the past years the IC3 received 1,707,618 complaints involving $10.2 billion in total losses.

In 2018 the IC3 created a Recovery Asset Team (RAT) to streamline communications with financial institutions and to assist FBI field offices with the recovery of funds for victims who made transfers to domestic accounts under fraudulent pretenses. In 2019 the IC3 received 1,307 incident complaints totaling losses of $384,237,651. The RAT was able to recover $304,930,696, a recovery rate of almost 80%.

According to the IC3, there has been an increase in BEC complaints concerning the diversion of payroll funds. Complaints indicate that a company’s human resources or payroll department receives spoofed emails appearing to be from employees requesting a change to their direct deposit account. This differs from the payroll diversion scheme in which the subject gains access to an employee’s direct deposit account and alters the routing to another account.

In a typical example, HR or payroll representatives received emails appearing to be from employees requesting to update their direct deposit information for the current pay period. The new direct deposit information provided to HR or payroll representatives generally leads to a pre-paid card account.

Some companies reported receiving phishing emails prior to receiving requests for changes to direct deposit accounts. In these cases, multiple employees may receive the same email containing a link to a spoofed log-in page for an email host. Employees who enter their usernames and passwords on the spoofed log-in page hand their credentials to the subject, who can then use them to access the employees’ personal information. This makes the subsequent direct deposit requests appear legitimate.

The IC3 home page contains a link to file complaints online and to access consumer and industry fraud alerts.

Holding Government Contractors Responsible for Cybersecurity Is Trickier Than It Sounds

From Nextgov.com

The federal government wants to hold defense contractors accountable for the cybersecurity of their supply chains, but that’s no easy feat, experts said Tuesday.

Industry representatives told lawmakers on the Senate Armed Services Committee about attempting to tackle cyber threats as a federal contractor. Much of the hearing was focused on one specific issue: increasingly complex, multi-tiered supply chains make it difficult for prime contractors to ensure that all subcontractors are upholding cybersecurity protections. And that ever-lengthening chain increases the possibility of compromised information or cyberattacks. [Read complete article]

Cybersecurity – Skills Shortage

The International Information Systems Security Certification Consortium (ISC2) conducts an annual study to assess the cybersecurity workforce gap, better understand the barriers facing cybersecurity professionals, and uncover solutions that position these talented individuals to excel in their profession, better secure their organizations’ critical assets and achieve their career goals.

ISC2 recently published results from the 2018 Cybersecurity Workforce Study, which raises concerns about the growing shortage of cybersecurity skills and warns that as the gap between supply and demand persists, it puts organizations at risk. [Read the full report]