Phishing Attacks with Financial Consequences

Earlier this year, Wichita State University employees were the targets of an email phishing attack which aimed to steal their University ID credentials. Three employees unknowingly entered their login information into a fake login page when attempting to access their personal University’s myWSU account.  This provided the attackers with enough information to change the employees’ direct deposit information, preventing them receiving their scheduled paychecks. WSU acting president stated that they would make these employees whole again. It is important to remember that this type of attack can happen to anyone.

The incident illustrates the need to protect users from social engineering. In this case, a phony email disguising itself as an official WSU communication was used to trick the employees into entering their myWSU credentials into a malicious web page. This is a very common type of scam and there are a few measures users can take to protect themselves:

  • Use strong, unique passwords for each service you sign up for.
    • You wouldn’t use the same key to lock your car, home, and office. Why would you use the same password [key] to secure your important web service accounts?
    • This practice is to protect against credential stuffing, whereby an attacker who has compromised your username/login at one service (e.g., Social media account) will then attempt to use the same combination across other sensitive services (e.g., banking and payroll services).
      • TIP: If you find it difficult to manage multiple passwords across different services, consider using a reputable password manager. These services remember your password across different websites and are also capable of creating strong, lengthy passwords that are difficult to brute force. There are several reputable free password managers; however, it is often worth the cost to pay a small monetary amount each year for a more robust solution.
  • Be aware of copycat login pages.
    • Phishing pages often look similar or identical to the login page they are emulating. It is important to check the URL of the login page before entering any sensitive information.
  • Resist any scare tactics.
    • Phishing emails often convey a sense of urgency to scare users into providing information, using words like “urgent” and “immediate.” Resist these types of messages and verify the legitimacy of the request.
  • Always scrutinize emails and phone calls requesting any sensitive information.
    • The first thing you should do when someone requests your login or other sensitive information is to ask yourself, “is this expected?” If the answer is “no,” then you should verify that the request is legitimate.

One of the best ways to verify whether a request is legitimate is to either visit the website using the actual URL or call the service team using the actual phone number. This means that you should manually type in the known URL or phone number – DO NOT use any link or phone number provided in a suspected phishing email.

Remember that ExponentHR will NEVER contact you to request any sensitive information. Our priority is to provide you with the peace of mind that your data is in good hands.  And with many built-in security features already in place, ExponentHR also offers employers a variety of additional tools that are configurable to your organization’s specific needs. To learn more about these features, and further protect employees from malicious activity, contact the Enterprise Services Team today!

Rikeen Patel
Rikeen Patel

Rikeen Patel graduated in 2013 from Rhodes College with a Neuroscience degree. His work has moved him into the Security field where he has been serving as ExponentHR’s Information Security Manager since 2017.