Sunday 16 November 2014

Oklahoma State University Staff Targeted for Payroll Theft

Oklahoma State University posted an advisory that faculty and staff are being targeted by cybercriminals looking to steal employee payroll information and redirect the money to their own accounts. Phishing emails with salary-oriented subject lines like "Important Salary Notification" are used, and their links open legitimate-looking login portals. This is a tactic seen elsewhere recently, so be cautious of any unexpected salary-related emails.

University staff and faculty are being targeted by cybercriminals looking to acquire employee payroll direct deposit information. If successful, the cybercriminals use this information to redirect electronic money transfers to their own accounts. They lure their victims by using Subject lines centered upon the topic of salary.

Some of the Subject lines investigators have uncovered are:

- Your Salary Review Documents
- Important Salary Notification
- Your Salary Raise Confirmation
- connection from unexpected IP
- RE: Mailbox has exceeded its storage limit

The cybercriminals' tactic is to lure the victim into opening the email with an attractive salary-oriented Subject line. They then persuade the victim to open malicious links which, if opened, redirect them to fraudulent web pages that closely resemble legitimate university login portals.

To avoid being a victim of this type of cybercrime, always remain vigilant and alert to emails that look suspicious. Do not click links in questionable emails and do not participate in any websites asking for your credentials until you are sure the site is legitimate and safe.

REN-ISAC (Research and Education Networking Information Sharing and Analysis Center) created this advisory. They state that the tactics, techniques, and procedures (TTPs) used in many of the attacks share characteristics.

Examples include:
- Altering direct deposit account information
- Spoofed to appear as if the message came from the appropriate department, e.g. HR for "salary increase" lures or the IT department for "mailbox exceeded" lures
- Spoofed login screens that are a close replica of the legitimate login screen
- Targeting of faculty and staff
- Using university images within e-mail text
- Spoofed institution-specific prompts for additional credential information, e.g., PINs, bank account numbers
- URLs mimicking legitimate (and accessible) portal URLs
- Use of the "salary increase" approach to coincide with end of the fiscal year
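The TTPs above can be turned into a simple mail-triage check. The following is an added example, not code from OSU or REN-ISAC; it assumes `okstate.edu` as the institution's legitimate domain and uses constructed sample messages, flagging the advisory's lure subjects, department-named senders from outside the institution, and portal URLs that mimic the institution's name without being under its domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

INSTITUTION_DOMAIN = "okstate.edu"  # assumed legitimate domain for this example

# Subject lines listed in the advisory, compared case-insensitively
LURE_SUBJECTS = (
    "your salary review documents",
    "important salary notification",
    "your salary raise confirmation",
    "connection from unexpected ip",
    "mailbox has exceeded its storage limit",
)
DEPT_RE = re.compile(r"\b(hr|payroll|it|helpdesk)\b", re.I)
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def triage(raw_message):
    """Return the advisory indicators matched by one RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    subject = (msg.get("Subject") or "").strip().lower()
    if any(lure in subject for lure in LURE_SUBJECTS):
        findings.append("lure-subject")
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    # Department name shown, but the mail did not come from the institution
    if sender_domain != INSTITUTION_DOMAIN and DEPT_RE.search(display_name):
        findings.append("spoofed-department-sender")
    payload = msg.get_payload(decode=True)
    body = payload.decode(errors="replace") if payload else ""
    org = INSTITUTION_DOMAIN.split(".")[0]
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        under_institution = host == INSTITUTION_DOMAIN or host.endswith("." + INSTITUTION_DOMAIN)
        if org in host and not under_institution:  # lookalike of the real portal
            findings.append("lookalike-portal-url:" + host)
    return findings


# Constructed sample messages (not real mail)
PHISH = """From: OSU HR Department <hr-notices@mail-okstate-edu.example.net>
Subject: Important Salary Notification
Content-Type: text/plain

Your salary review is ready. Sign in at http://okstate-edu-portal.example.net/login
"""
LEGIT = """From: Payroll <payroll@okstate.edu>
Subject: Pay stub available
Content-Type: text/plain

Your stub is at https://my.okstate.edu/payroll
"""
```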

Higher education institutions are attractive targets because they publish a lot of information about their technology environment in support of their mission of global research and education. As a result, attackers can easily gather the information they need to craft an attack.

Any questions regarding this advisory can be directed to SOC@REN-ISAC.net or contact the OSU IT Helpdesk at 405-744-7248 or email helpdesk@okstate.edu.
