So, here’s a new CEO Fraud phish: see these fresh screen shots from emails reported to us through the free KnowBe4 Phish Alert Button. Bad guys spoof the managing partner and CPA and an accounting & consulting firm and ask an employee for the  “Cash/Bank Statement Reconciliation” for June of this year.

 

Now, it’s not immediately clear what the bad guys could do with the data from such a statement, but this may simply be a first step of a one-two punch that is meant to establish credibility. The next step would be a malicious request for salary payment records like a pay stub that allow the bad guys to change bank accounts for direct deposit salary payment to accounts they control.

Here is another variant, where the employee seems to be willing to comply:

And here is another variant

See the payroll phish screenshot, which asks an employee at a credit union to change the email associated with another employee’s ADP account to a non-company email address.

Of course, ADP already allows employees to do this on their own: http://www2.ccga.edu/Faculty/HumanResources/ADP/files/PersonalContact.pdf

We are expecting the scheme to work like this: once the email address is changed, the bad guys who control that email address can force a password change by selecting the “I forgot my password” option on the ADP portal, change the password, then effectively hijack the account. From there they can change the direct deposit info, mine the account for identity/tax refund theft, and so forth.

Presumably this same scheme could work with similar services (SAP, Paychex, Zenefits, etc.).

The “beauty” of this approach is that targeted employees as well as their employers would remain blind to all the fraudulent changes made after the email address is switched. How often do employees tend to log in to their ADP accounts anyway? Once every few months would be my guess. Perhaps even as infrequently as once a year. Two interesting observations about this particular phish:

  1. The bad guys didn’t bother spoofing the targeted employee’s corporate email address. They used the same address submitted as a substitute.
  2. The targeted employee doesn’t appear to be very senior in the organization. So, this might be some kind of initial test to see if the scheme works.

Sjouwerman, Stu. “Scam of the Week:”Another” New CEO Fraud Phising Wrinkle” KnowBe4.com blog July 20, 2018