Cyber threat actors are increasingly sending phishing emails to employees across the education sector and universities in order to obtain account login information. In these incidents, the stolen credentials are then typically used to modify the employees’ direct deposit account information. By changing this information, the cyber threat actors reroute the employees’ paychecks to a financial account under the actors’ control. No specific payroll platform is being targeted; reports indicate that the victims used a variety of platforms for payroll functionality.
This type of attack exploits the inherent risk behind single sign-on (SSO) features. SSO allows a single set of credentials to be used for access to connected systems, providing authentication, authorization, access control, and password synchronization across an environment, so one captured password can open many systems. In these incidents the cyber threat actor usually sends education sector staff a phishing email containing a PDF attachment or a malicious link. The phishing email often spoofs the account of an IT administrator or senior official. Upon clicking the link or downloading the attachment, the user is prompted to enter their login credentials, which the cybercriminal then uses to log into the payroll system. The cybercriminal then changes the direct deposit information for that employee so that the employee’s paycheck is sent to a different account or a prepaid credit card. According to the FBI, in some instances the cyber threat actor also accesses the employee’s email account and creates rules that immediately forward incoming emails containing specific words to the deleted folder, so that the employee is not alerted to the criminal activity.
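The two indicators described above (mailbox rules that hide payroll-related mail, and a direct deposit change made shortly after a login from an unfamiliar address) can be checked for in exported mailbox-rule and audit-log records. The following is an added example written for this page, not code from Fordham IT, the FBI, or any payroll vendor; the record field names (`keywords`, `action`, `direct_deposit_change`, `ip`), the sensitive-word list, and all sample records are constructed assumptions and would need to be mapped onto your own mail and payroll platform’s export format.

```python
"""Added example: flag the two payroll-diversion indicators the advisory
describes. All field names and sample records below are constructed
assumptions, not a real platform's export format."""

from datetime import datetime, timedelta

# Words attackers key their hiding rules on, per the advisory (payroll and
# account-alert vocabulary). Assumed starting list; extend for your environment.
SENSITIVE_WORDS = {"payroll", "direct deposit", "bank", "password", "account change"}

# Rule actions that effectively hide a message from the mailbox owner.
HIDING_ACTIONS = {"delete", "move_to_deleted", "move_to_trash", "mark_read_and_archive"}


def flag_hiding_rules(rules):
    """Return (rule id, owner, matched words) for every rule whose keyword
    condition touches a sensitive word AND whose action hides the message.
    Each rule is a dict: {"id", "owner", "keywords": [...], "action"}."""
    flagged = []
    for rule in rules:
        words = {w.lower() for w in rule.get("keywords", [])}
        hits = {s for s in SENSITIVE_WORDS if any(s in w for w in words)}
        if hits and rule.get("action") in HIDING_ACTIONS:
            flagged.append((rule["id"], rule["owner"], sorted(hits)))
    return flagged


def flag_deposit_changes(events, known_ips, window_hours=24):
    """Return (user, change time ISO string, login ip) for each direct deposit
    change that follows, within window_hours, a login from an address not in
    that user's known set. Events are dicts:
    {"user", "type": "login" | "direct_deposit_change", "ip", "time": datetime}."""
    window = timedelta(hours=window_hours)
    logins = [e for e in events if e["type"] == "login"]
    flagged = []
    for change in events:
        if change["type"] != "direct_deposit_change":
            continue
        user = change["user"]
        for login in logins:
            if login["user"] != user or login["ip"] in known_ips.get(user, set()):
                continue
            gap = change["time"] - login["time"]
            if timedelta(0) <= gap <= window:
                flagged.append((user, change["time"].isoformat(), login["ip"]))
                break  # one hit per change is enough to raise it for review
    return flagged


# Constructed sample data (not real users, rules or addresses).
SAMPLE_RULES = [
    {"id": "r1", "owner": "jdoe", "keywords": ["payroll", "direct deposit"], "action": "move_to_deleted"},
    {"id": "r2", "owner": "jdoe", "keywords": ["newsletter"], "action": "move_to_folder"},
    {"id": "r3", "owner": "asmith", "keywords": ["Password"], "action": "delete"},
]

T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE_EVENTS = [
    {"user": "jdoe", "type": "login", "ip": "10.0.0.5", "time": T0},
    {"user": "jdoe", "type": "direct_deposit_change", "ip": "10.0.0.5", "time": T0 + timedelta(minutes=30)},
    {"user": "asmith", "type": "login", "ip": "203.0.113.77", "time": T0 + timedelta(hours=1)},
    {"user": "asmith", "type": "direct_deposit_change", "ip": "203.0.113.77", "time": T0 + timedelta(hours=1, minutes=12)},
    {"user": "bnguyen", "type": "login", "ip": "198.51.100.9", "time": T0 - timedelta(days=3)},
    {"user": "bnguyen", "type": "direct_deposit_change", "ip": "10.0.0.8", "time": T0},
]
KNOWN_IPS = {"jdoe": {"10.0.0.5"}, "asmith": {"10.0.0.6"}, "bnguyen": {"10.0.0.8"}}

if __name__ == "__main__":
    for hit in flag_hiding_rules(SAMPLE_RULES):
        print("hiding rule:", hit)
    for hit in flag_deposit_changes(SAMPLE_EVENTS, KNOWN_IPS):
        print("deposit change after unfamiliar login:", hit)
```

On the sample data, `r1` and `r3` are raised because they hide messages mentioning payroll or passwords, and only `asmith`’s change is raised: `jdoe` changed details from a known address, and `bnguyen`’s unfamiliar login falls outside the 24-hour window (widening `window_hours` to a week picks it up). Both checks are review queues for the security office rather than blocks; the advisory’s mitigations (Duo two-factor authentication and mail filtering) are what keep a captured password from being sufficient in the first place.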
Fordham University has certain protections in place against such attacks, thanks in part to the email protection built into Gmail, email protection services from Proofpoint, and Duo two-factor authentication. The combination of these safeguards helps protect Fordham accounts from being compromised even if a user’s credentials are obtained.
If you believe you have received a phishing message or similar suspicious message, please do the following:
- Do not respond to the message.
- Do not click on any attachments or links.
- Do not call the number listed.
- Do not provide any information such as username and password.
- If you did respond to the email and provided confidential information, please contact Fordham IT Customer Care ASAP at (718) 817-3999 for instructions on how to manually reset your password.
- Delete the message.
Please note: Fordham IT will NEVER ask you for your username and password or ask you to click any links to validate or verify your account or password. If you receive questionable or suspicious emails, contact IT Customer Care and allow the University Information Security Office (UISO) to validate the legitimacy of these emails.
To learn more about protecting yourself online against phishing attacks such as these and others, please take the UISO’s online course, “UISO Security Training.” The course can be accessed in Blackboard, under My Organizations. You can log in to Blackboard either via the portal, at My.Fordham.edu, or directly from Fordham’s Blackboard portal.
If you have any questions or concerns, please contact IT Customer Care at (718) 817-3999 or via email to: HelpIT@fordham.edu.