Building a Digital Defense Against PII – FBI

In recent years, the FBI has seen an increase in the number of companies and institutions reporting the theft of Personally Identifiable Information or PII. This theft takes many forms—from e-mail phishing attacks, to Point-of-Sale theft, to the more advanced hacking of vulnerabilities in servers where the information is hosted. The theft of the information can happen at any time, but the effects can be felt for months or years beyond then.

This year saw a proliferation of two distinct phishing campaigns to steal PII for tax fraud. The first is a variation of the business e-mail compromise scam in which a company’s executive has his or her e-mail hacked or spoofed. In a traditional business e-mail compromise scheme, the fraudster tries to convince the victim company’s finance department to make a payment to a regular vendor or send an invoice to that vendor requesting payment back. The fraudster would re-route the payment midstream and cash out.

In this case, the fraudster uses that executive’s account to send e-mails to the company’s human resources, finance, or audit department. The e-mail seemingly sent by the executive asks for employees’ PII or W-2 information, allegedly for tax or audit purposes. In some cases, the fraudsters have managed to secure sensitive financial and personal information on thousands of workers.

In the second kind of PII theft scheme that we are seeing, the employee himself is a target. We will explain more about that version of the scam in next week’s Tech Talk.

In the meantime, here are some helpful hints on what businesses can do to protect themselves:

* Set up two-factor verification systems to confirm the request and receipt of such sensitive information. This could be as simple as a phone call or a face-to-face meeting.

* Establish protocols for sensitive information requests ahead of time and outside of the e-mail environment. You don’t want a hacker who already has access to your system to know what your back-up security measures include.

* Ensure that sensitive PII and W-2 information is secured with encryption.

* Establish and maintain robust and strong security for your data, including firewalls, virus protection, and spam filters.

This week we are going to talk about a similar PII theft scam, but this one starts with a phishing campaign targeting employees themselves. In this case, the fraudster is focused on companies that use self-service platforms where employees can view their pay, W-2, and direct deposit information.

In this case, the fraudster sends an e-mail to an employee pretending to be from the company’s Human Resources department. The e-mail asks the employee to click on a provided link to log into his self-service account. The phishing e-mails often ask employees to log on to view a private e-mail from HR, to view changes made to their accounts, or to confirm that the account should not be deleted.

By clicking on the link and entering their self-service credentials, employees are actually giving their logon information to the fraudster. The fraudster can now go into the self-service account himself and access W-2 and pay stub information. He can also change the direct deposit information. In order to prevent the victim from knowing what is going on, the fraudster will also change the e-mail address that the self-service platform sends alerts to when changes are made.

No matter how the fraudster gets to your PII, his goal is to use the information to launch a series of attacks against the employees. They now are more vulnerable to fraudulent tax filings, credit card applications, loan applications, and more.

Here are ways you can help keep your employees—and their PII—safe:

* Practice good e-mail hygiene. Train your employees to watch for phishing attacks and suspicious malware links. Always checking the actual e-mail address rather than just looking at the display name can be crucial to seeing the attack early.

* Human Resources self-service platforms should have two-factor authentication. An example would be requiring users to enter a second password that is e-mailed to them or a hard token code.

* Self-service platforms should also have alerts set up for administrators so that unusual activity may be caught before money is lost. These alerts may include banking information being changed to online banks typically used by fraudsters or alerts on Tor node IP addresses.

* Companies can set a time delay between the changing of direct deposit information in the self-service portal and the actual deposit of funds into the new account to decrease the chance of the theft of funds.
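The following script is an added illustration of the last three hints above (checking the real sender address behind a display name, alerting administrators on suspicious self-service changes, and holding a direct-deposit change for a delay period). It is example code written for this page, not FBI guidance or any vendor's product. The company domain `example-corp.com`, the Tor exit addresses (documentation-range addresses, not real exits), the three-day hold, the 48-hour correlation window and the sample audit events are all constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta
from email.utils import parseaddr

# --- Part 1: e-mail hygiene, check the real address rather than the display name ---

# Hypothetical: the domain HR mail actually comes from (constructed for this example).
TRUSTED_SENDER_DOMAINS = {"example-corp.com"}


def check_sender(from_header):
    """Parse a From: header and list reasons it looks like a spoofed HR sender.

    Returns a dict with the display name, the real address and a list of
    reasons; an empty list means nothing suspicious was found.
    """
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    reasons = []
    if domain not in TRUSTED_SENDER_DOMAINS:
        reasons.append("sender domain %r is not a company domain" % domain)
    # A display name that itself looks like a company address while the real
    # address is elsewhere is the classic display-name trick.
    if "@" in display_name and display_name.rsplit("@", 1)[-1].lower() != domain:
        reasons.append("display name shows a different address than the real sender")
    return {"display_name": display_name, "address": address, "reasons": reasons}


# --- Part 2: self-service portal alerts and a direct-deposit hold period ---

# Constructed sample of Tor exit addresses, standing in for a published exit list.
TOR_EXIT_NODES = {ipaddress.ip_address(a) for a in ("203.0.113.7", "198.51.100.9")}
HOLD_PERIOD = timedelta(days=3)          # hypothetical policy: delay before a new account is paid
ALERT_EMAIL_WINDOW = timedelta(hours=48)  # alert-address change shortly before a deposit change


def review_events(events):
    """Scan time-ordered portal audit events and return (user, reason) alerts.

    Each event is a dict with keys: time (datetime), user, action, src_ip, value.
    """
    alerts = []
    last_alert_email_change = {}
    for ev in events:
        if ev["action"] == "alert_email_changed":
            last_alert_email_change[ev["user"]] = ev["time"]
        elif ev["action"] == "direct_deposit_changed":
            try:
                src = ipaddress.ip_address(ev["src_ip"])
            except ValueError:
                src = None
            if src in TOR_EXIT_NODES:
                alerts.append((ev["user"], "direct deposit changed from a Tor exit node"))
            prev = last_alert_email_change.get(ev["user"])
            if prev is not None and ev["time"] - prev <= ALERT_EMAIL_WINDOW:
                alerts.append((ev["user"], "alert e-mail changed shortly before direct deposit change"))
    return alerts


def effective_deposit_account(events, user, payroll_date, original_account):
    """Return the account payroll should use on payroll_date (datetime or ISO string).

    A direct-deposit change only takes effect once HOLD_PERIOD has elapsed, so a
    change made just before a pay run still pays the previous account.
    """
    if isinstance(payroll_date, str):
        payroll_date = datetime.fromisoformat(payroll_date)
    account = original_account
    for ev in events:  # events are time-ordered, so the last effective change wins
        if ev["user"] == user and ev["action"] == "direct_deposit_changed":
            if ev["time"] + HOLD_PERIOD <= payroll_date:
                account = ev["value"]
    return account


# Constructed audit log: one account shows the pattern described in the text
# (alert address changed, then direct deposit changed, all from a Tor exit).
SAMPLE_EVENTS = [
    {"time": datetime(2024, 3, 1, 9, 0), "user": "jdoe", "action": "login",
     "src_ip": "203.0.113.7", "value": None},
    {"time": datetime(2024, 3, 1, 9, 2), "user": "jdoe", "action": "alert_email_changed",
     "src_ip": "203.0.113.7", "value": "jdoe.alerts@mail-login.example"},
    {"time": datetime(2024, 3, 1, 9, 5), "user": "jdoe", "action": "direct_deposit_changed",
     "src_ip": "203.0.113.7", "value": "acct-new-0001"},
    {"time": datetime(2024, 3, 2, 14, 0), "user": "asmith", "action": "direct_deposit_changed",
     "src_ip": "192.0.2.44", "value": "acct-new-0002"},
]

if __name__ == "__main__":
    print(check_sender('"Human Resources" <hr-notice@mail-login.example>'))
    for user, reason in review_events(SAMPLE_EVENTS):
        print("ALERT", user, reason)
    print(effective_deposit_account(SAMPLE_EVENTS, "jdoe", "2024-03-03", "acct-orig"))
    print(effective_deposit_account(SAMPLE_EVENTS, "jdoe", "2024-03-05", "acct-orig"))
```

The two alert rules are deliberately simple: a lookup against an exit-node list and a correlation of the two changes a fraudster makes in sequence. The hold period is what limits the loss even when both rules miss, because a pay run that falls inside the window still goes to the old account.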