Leadingit newsletter march2018 online


NEXT Generation Technology Support

March 2018

- WAVE OF PAYROLL DIRECT DEPOSIT PHISHING ATTACKS
- MEET THE TEAM: MERRITT FLOOD
- LEADINGIT CULTURE: ANNIVERSARIES AND BIRTHDAYS
- NEW EDUCATION TOOLS ROLL OUT

GoLeadingIT.com

(815) 496-6300


WAVE OF PAYROLL DIRECT DEPOSIT PHISHING ATTACKS

Lexology had an excellent post from Ogletree Deakins, by Rebecca J. Bennett and Danielle Vanderzanden, warning about a crafty new phishing scam. You should be aware of it because it has bad guys behind it in real time, reinforcing the scam with quick answers via email.

EMPLOYERS BEWARE: COMPANIES ARE EXPERIENCING A WAVE OF PHISHING SCAMS THAT TARGET EMPLOYEE PAYCHECKS.

HERE IS THE SCENARIO:

- An employee receives, from a company email account, an e-mail that mimics a familiar and trusted company service or resource, such as an e-signature request or a request to complete a survey.
- The e-mail asks the employee to click a link, access a website, or answer a few questions.
- Then it directs the employee to “confirm” his or her identity by providing his or her complete log-in credentials. Skeptical employees who question the request via reply e-mail receive a prompt response purporting to verify that the employee should complete the steps contained in the link.
- The threat actors then use the employee’s log-in credentials to access payroll portals, reroute direct deposits to other accounts, and wreak other havoc upon the employer’s network.

In some versions of the scam, hackers access employee e-mails to request a password change from the employer’s payroll service and then use the new log-in credentials to change direct deposit instructions.

The threat actors are doing substantial due diligence on the social engineering side of things, and these e-mails look real. In many circumstances, they are effectively spoofing the sender’s account, and employers are learning of the scam when employees begin reporting that they did not receive their direct deposits. By then, the damage has been done.

THESE SCAMS ARE AFFECTING EMPLOYERS NATIONWIDE WITHOUT REGARD TO THEIR PAYROLL PORTALS OR PAYROLL SERVICE PROVIDERS:

In addition to diverting funds, the scam creates a data breach for the employer and triggers notification obligations. Failure to take prompt action may result in penalties and liability to unsuspecting employers.

BENNETT AND VANDERZANDEN HAVE THE FOLLOWING RECOMMENDATIONS:

EMPLOYERS MAY WANT TO IMMEDIATELY TAKE THE FOLLOWING PRECAUTIONS TO AVOID SECURITY BREACHES AS A RESULT OF THESE PHISHING SCAMS:

- Alert your workforce to this scam.
- Direct employees to forward any suspicious requests to the information technology or human resources departments, rather than replying to the e-mail.
- Instruct employees to refrain from supplying log-in credentials or personally identifying information in response to any e-mail.
- Ensure that log-in credentials used for payroll purposes differ from those used for other purposes, such as employee surveys.
- Enforce (or, where necessary, establish) multifactor authentication requirements.
- Review and update the physical, technical and personnel-related measures taken to protect your sensitive information and data.

I suggest you send the following to your employees, friends, and family. You're welcome to copy, paste, and/or edit:

There is a new Direct Deposit phishing attack you need to watch out for. It's a sophisticated scam that starts with an official-looking email that asks you to click a link and access a website. Next, they ask you to confirm the data with your real username and password. Last, they use your info to access payroll portals, and reroute your direct deposit amounts to bank accounts owned by the bad guys. The lesson here is to never give anyone your credentials in response to an email... Think Before You Click!

MICROSOFT CONFIRMS: SENDING SIMULATED PHISHING ATTACKS TO YOUR EMPLOYEES IS A MUST

Well, Microsoft just legitimized the whole new-school security awareness training market!

I'm pleased to note that Microsoft has finally acknowledged that organizations need to send simulated phishing attacks to their employees with the announcement of a new feature called Attack Simulator. Part of its online Office 365 offering, Attack Simulator allows an email admin to send phishing attacks to determine how employees respond. We consider the addition of Attack Simulator to Microsoft’s online Office 365 offering a win for our industry. In adding this feature, Microsoft has done what it always does: observe the market for innovative companies that create new markets, and then include a ‘checkbox’ feature with limited functionality so that their marketing can say: ‘Yes, we do that’.

Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Meet the Team: Merritt Flood

Every time I meet a new person they get a different first impression.

TECH TIP YOU WISH EVERYONE KNEW?
Follow instructions to a tee. Do you remember that following directions activity in school? The first or second step was to skip to the end and not do the activity. Sometimes fixing a problem is as simple as following directions step by step.

WHY DO IT GUYS GET A BAD REP?
Sometimes they come off as condescending, but what people don’t understand is their intention is to confirm things, not to indicate you don’t know the info. The only way to know what is going on is to ask. People tend to find questions invasive. Your IT person has to be outgoing to overcome that condescending tone. That is the biggest challenge for an IT person and will always be. You can’t change human nature.

I WAS BORN IN…
Mahopac, NY (fun fact: they had a real referendum on how it’s spelled)

WHAT DO YOU DO AT LEADING IT?
I’m on the frontlines of the Instant Support Group so I talk to the customers, answer questions. We have a saying in ISG: “if it has an internet connection we work on it.”

DESCRIBE LEADING IT IN THREE WORDS…
Three words doesn’t do it justice. Everyone that works here has life experience beyond our years. This allows us to work with different people from different industries. We’re outgoing, which is an advantage, and we’re capable of holding a conversation with anyone about anything. Our team has been friends for years too, which helps.

IF YOU KNOW ME YOU KNOW…
I love to get to know what’s below the surface about everyone.

WHAT WOULD YOUR SUPERPOWER BE?
Mind control

WHERE WOULD YOU BE FOUND 4PM ON A SATURDAY?
Hiking with anybody anywhere. I used to build trails for Benchmark Trails, a hand cut trail company.

IF YOU WERE A DRINK, WHAT WOULD YOU BE?
Bloody Mary…because every time you have one it's different.

LeadingIT Culture: Anniversaries and Birthdays

Jason Jimenez

Allie Yazel

Mar 4 - 5th Anniversary

Mar 8 - Happy Birthday!


NEW EDUCATION TOOLS ROLL OUT

AS NELSON MANDELA SAYS, “EDUCATION IS THE MOST POWERFUL WEAPON WHICH YOU CAN USE TO CHANGE THE WORLD.” HERE AT LEADING IT WE BELIEVE EDUCATION IS A POWERFUL WEAPON TO COMBAT CYBERSECURITY ATTACKS. EDUCATING YOUR STAFF IS THE KEY TO KEEPING YOUR COMPANY’S DATA SAFE. WE HAVE THREE NEW OFFERINGS ROLLING OUT FOR THE SPRING SEASON: BIGGER BRAINS, KNOWBE4, AND DARK WEB SCAN.

Bigger Brains

In almost any office situation you will find staff using Microsoft Office every day. Many people use Microsoft Outlook, Excel and Word all day long. In most cases, these employees are not trained in Microsoft Office, and as a result it will burden the company with hidden but real costs. Lower productivity, over hiring and poor morale are all consequences of people toiling on tools they don’t understand and have not mastered. Productivity gains, smarter work and morale boosts are easy wins when people are properly trained on the Microsoft Office tools they use daily.

There is a lot of training on the Internet but it's hard to distinguish the quality material from the chaff. Learners want to know that their time will be rewarded. They don’t want advertising noise during learning time. They do want an easy to find, orderly course with great material. They want to track their own progress, easily review, and assess learning materials.

LeadingIT now has the ability to add more learning content from eLearning magazine award winner Bigger Brains. This would be an add-on in our Help@app that ALL of your team would have access to. A broad range of the Microsoft Office suite is covered, including new Word, Excel, Outlook, Access and Project. Exciting new products like OneDrive, Groups and Planner are covered in the comprehensive Office 365 course. The content can be watched as many times as necessary and it’s easy to track which courses have been completed. Bigger Brains allows you to give your staff the tools they need to succeed and increase results.

KnowBe4

More than ever, your users are the weak link in your network security. They need to be trained by an expert like Kevin Mitnick, and after the training stay on their toes, keeping security top of mind. KnowBe4 is the world’s most popular integrated Security Awareness Training and Simulated Phishing platform with over 15,000 customers. Based on Kevin’s 30+ year unique first-hand hacking experience, you now have a platform to better manage the urgent IT security problems of social engineering, spear-phishing and ransomware attacks. With world-class, user-friendly new-school Security Awareness Training, KnowBe4 gives you self-service enrollment, and both pre- and post-training phishing security tests that show you the percentage of end-users that are Phish-prone.

- BASELINE TESTING: We provide baseline testing to assess the Phish-prone percentage of your users through a free simulated phishing attack.
- TRAIN YOUR USERS: The world's largest library of security awareness training content, including interactive modules, videos, games, posters and newsletters. Automated training campaigns with scheduled reminder emails.
- PHISH YOUR USERS: Best-in-class, fully automated simulated phishing attacks, thousands of templates with unlimited usage, and community phishing templates.
- SEE THE RESULTS: Enterprise-strength reporting, showing stats and graphs for both training and phishing, ready for management. Show the great ROI!

Dark Web Scan

What is it?

Dark Web Scan from ID Agent combines human and sophisticated Dark Web intelligence with search capabilities to identify, analyze and proactively monitor for your organization’s compromised or stolen employee and customer data.

- DARK WEB THREAT ALERTS: Proactive monitoring for your organization’s stolen or compromised data and real-time alerts when data is discovered.
- COMPROMISED DATA TRACKING & REPORTING: Track and triage incidents and better manage risk within logging and reporting capabilities.
- COMPROMISED DATA TRENDING & BENCHMARKING: Gain insight into your organization’s current threat posture while benchmarking it against your peers and the industries that you serve.
- SUPPLY CHAIN THREAT MONITORING: Monitor your supply chain, third-party partners and vendors to understand the potential risk they pose to your organization.
- CUSTOMER MANAGEMENT: Better secure your customers by providing them actionable intelligence to help protect against potential data breaches.

If you would like to add any of these features or have questions, let us know! We are dedicated to keeping your staff educated and safe. Leading IT will keep updating our tool portfolio as new ones become available. Safety first!

