Oklahoma State University posted an advisory that faculty and staff are being targeted by cybercriminals looking to steal employee payroll information and redirect the money to their own accounts. Phishing emails with salary-oriented subject lines like "Important Salary Notification" are used, carrying links that open legitimate-looking login portals. This is a tactic used in other places recently, so be cautious of any surprise salary-related emails.

University staff and faculty are being targeted by cybercriminals
looking to acquire employee payroll direct deposit information. If
successful, the cybercriminals use this information to redirect
electronic money transfers to their own accounts. They lure their
victims by using Subject lines centered upon the topic of salary.
Some of the Subject lines investigators have uncovered are:
- Your Salary Review Documents
- Important Salary Notification
- Your Salary Raise Confirmation
- connection from unexpected IP
- RE: Mailbox has exceeded its storage limit

The cybercriminals' tactic is to lure the victim into opening the email
with an attractive salary-oriented Subject line. They persuade the victim
to open malicious links, which redirect to fraudulent web pages that
closely resemble legitimate university login portals.

To avoid being a victim of this type of cybercrime, always remain vigilant
and alert to emails that look suspicious. Do not click links in
questionable emails and do not enter your credentials on any website
until you are sure the site is legitimate and safe.

REN-ISAC (Research and Education Networking Information Sharing and
Analysis Center) created this advisory. They state that the tactics,
techniques, and procedures (TTPs) used in many of the attacks share
characteristics:
- Altering direct deposit account information
- Spoofed to appear as if message came from the appropriate
department, e.g. HR for "salary increase" lures or IT department if
- Spoofed login screens that are a close replica of the legitimate login screen
- Targeting of faculty and staff
- Using university images within e-mail text
- Spoofed institution-specific prompts for additional credential information, e.g., PINs, bank account numbers
- URLs mimicking legitimate (and accessible) portal URLs
- Use of the "salary increase" approach to coincide with end of the fiscal year
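
Several of the indicators above (lure Subject lines, a department name on a sender outside the institution, and URLs that mimic the portal) can be checked mechanically at the mail gateway. The following triage routine is an added example, not part of the advisory; the domain `university.example`, the portal host, the thresholds and all function names are assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Hypothetical institution values (assumptions, not from the advisory).
ORG_DOMAIN = "university.example"
PORTAL_HOSTS = {"login.university.example"}
# Lure themes drawn from the Subject lines the advisory lists.
LURE_RE = re.compile(r"salary|mailbox has exceeded|unexpected ip", re.I)
DEPT_RE = re.compile(r"\b(hr|human resources|payroll|it (dept|department)|help ?desk)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def in_org(host):
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)

def lookalike(host):
    """True when an off-domain host embeds or closely resembles the portal name."""
    if in_org(host):
        return False
    near = any(SequenceMatcher(None, host, p).ratio() >= 0.8 for p in PORTAL_HOSTS)
    return ORG_DOMAIN.split(".")[0] in host or near

def triage(raw):
    """Return the advisory indicators present in one RFC 5322 message."""
    msg = message_from_string(raw)
    hits = []
    if LURE_RE.search(msg.get("Subject", "")):
        hits.append("lure-subject")
    name, addr = parseaddr(msg.get("From", ""))
    if DEPT_RE.search(name) and not in_org(addr.rpartition("@")[2].lower()):
        hits.append("spoofed-department")
    body = "".join(p.get_payload(decode=True).decode(errors="replace")
                   for p in msg.walk() if p.get_content_maintype() == "text")
    for url in URL_RE.findall(body):
        host = (urlsplit(url).hostname or "").lower()
        if lookalike(host):
            hits.append("lookalike-url:" + host)
    return hits

# Constructed sample messages (not real captures).
PHISH = ('From: "HR Department" <hr@payroll-notice.example>\n'
         "Subject: Important Salary Notification\n\n"
         "Review: https://login.university.example.portal-verify.example/cas\n")
BENIGN = ('From: "HR Department" <hr@university.example>\n'
          "Subject: Your Salary Review Documents\n\n"
          "Sign in at https://login.university.example/cas\n")
if __name__ == "__main__":
    print(triage(PHISH), triage(BENIGN))
```

A lure Subject on its own also matches genuine HR mail, so it is best treated as a weak signal that only escalates when combined with an off-domain sender or a lookalike link.
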

Educational institutions are attractive targets because they publish a
lot of information about their technology environment to further their
mission of supporting global research and education. As a result, attackers
can easily get the information they need to develop an attack attempt.

Questions regarding this advisory can be directed to SOC@REN-ISAC.net
or contact the OSU IT Helpdesk at 405-744-7248 or email