FBI Warns Employers of Phishing Attacks, Offers Recommendations

March 21, 2023, 8:02 PM UTC

Implementing frequent and targeted phishing tests can prevent payroll security breaches, a Federal Bureau of Investigation agent told payroll professionals on March 21.

Phishing attacks are among the biggest threats to employers, as criminals have greater access to publicly available information. Criminals are increasingly relying on this data to craft specifically targeted attacks that mimic an employer’s internal communications. In 2022, the FBI reported the highest annual loss from online scams in the last five years.

Criminals are crafting targeted emails with publicly available information to trick employers, said Kyriokos Vassilakos, a special agent with the FBI’s Criminal and Cyber division.

“People are your greatest vulnerability,” he said. “We’re seeing more random text messages. Take a moment to look at the message.”

Criminals generally prioritize sensitive employee data, which can be leveraged and quickly monetized, Vassilakos said at the American Payroll Association’s Capital Summit in Arlington, Virginia. Given the desire to quickly monetize data, criminals generally focus on Social Security numbers and pay information.

Companies can prevent data breaches by training employees to identify phishing attacks, he said. Vassilakos cautioned against an excessive reliance on annual trainings. “Annual trainings aren’t impactful to anybody.” Employers should instead focus on frequent and targeted phishing tests, using examples and language that employees would realistically see.

Frequent phishing tests should be used to educate employees. “Trainings aren’t meant to shame people,” he said. “The purpose is awareness.”

The rise of remote work has led to an increase in employer data breaches. “It’s important for companies to have tools for security,” he said. “At home, routers should be password protected, and your password shouldn’t be ‘password.’” Vassilakos recommends the use of VPN on all work laptops, and if possible, employers should avoid bring-your-own-device policies.

Criminals are also resorting to social engineering to access sensitive payroll data, frequently impersonating outside companies. “They’ll send you something that looks like it’s from Intuit but is more likely ‘intuits,’” he said. “Grab coffee and be alert before opening your morning emails.”
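The lookalike-vendor trick described above (a sender domain such as “intuits” standing in for Intuit) can be caught mechanically before a human ever sees the message. The following is an added example, not code from the article or from the FBI: it takes a constructed list of trusted vendor domains and flags sender domains that are one edit away from a trusted name or that embed it with an added prefix or suffix.

```python
from email.utils import parseaddr

# Vendor domains the payroll team legitimately receives mail from (constructed list).
TRUSTED_DOMAINS = {"intuit.com", "adp.com", "paychex.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit apart usually means a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str):
    """Return (verdict, domain) for an RFC 5322 From header.

    verdict is 'trusted', 'lookalike' or 'unknown'.
    """
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    leftmost = domain.split(".")[0]  # 'intuits.com' -> 'intuits', 'intuit.evil.com' -> 'intuit'
    for trusted in TRUSTED_DOMAINS:
        if domain.endswith("." + trusted):
            return "trusted", domain  # genuine subdomain, e.g. billing.adp.com
        name = trusted.split(".")[0]
        if (edit_distance(leftmost, name) <= 1
                or (leftmost != name and (leftmost.startswith(name) or leftmost.endswith(name)))):
            return "lookalike", domain
    return "unknown", domain


# Constructed sample headers, including one mimicking the talk's 'intuits' case.
SAMPLE_FROM_HEADERS = [
    "Intuit Payroll <notify@intuit.com>",
    "Intuit Payroll <notify@intuits.com>",
    "ADP <alerts@billing.adp.com>",
    "Payroll Verify <support@adp-verify.net>",
    "Newsletter <news@example.org>",
]


def triage(headers):
    """Classify each header so lookalikes can be quarantined or flagged for review."""
    return [(classify_sender(h)[0], h) for h in headers]


if __name__ == "__main__":
    for verdict, header in triage(SAMPLE_FROM_HEADERS):
        print(f"{verdict:9} {header}")
```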

Vassilakos also cautioned employers who rely on third parties to process sensitive payroll data. “Whenever you add a new avenue for the direct deposit of funds, make sure that avenue is secure.” Employers should take the time to thoroughly research the entities to whom they give data.

Data should be segmented and stored away from other information that’s exposed, preferably on a cloud system.

Recommendations

If an employer suspects a cyberattack has occurred, they should “immediately inform IC3.gov,” Vassilakos said, referring to the FBI’s Internet Crime Complaint Center. “We’re going to want to know the employer’s financial institution and the fraudster’s institution.”

Notice to authorities is crucial, as the FBI will only initiate an investigation if “attorneys and the employer have given consent,” he said. “The FBI won’t just come in and investigate.”

Prompt reporting is essential in the event of a cyberattack, as the FBI can generally “recover funds 75% of the time” when suspicious activity is reported within 48 hours, he said. “If it’s been more than 72 hours, put the report in, but [the funds] will be gone.”

Vassilakos also stressed the importance of having a plan in place in the event of a cyberattack. “Will you use phones to communicate? How will the breach be communicated to employees? Who is your incident response team?” he said. Employers should have redundancies in place for paying employees in the event direct deposits are taken offline.

Passwords are essential to data protection. “If you’re transmitting sensitive data, use actual passwords,” he said. “And please, don’t use ‘1234.’”

In the event of a reported cyberattack, Vassilakos noted the importance of discretion. “We hold the relationship with the victims to be very sacred,” he said. “The FBI will not give information to civil litigators.”

When data is stolen, the agency recommends against paying ransoms, he said, but noted that, “at the end of the day, it’s a business decision.”

To contact the reporter on this story: Andrés Alejo in Washington at aalejo@bloombergindustry.com

To contact the editor responsible for this story: William Dunn at wdunn@bloombergindustry.com
