Phishing Attack Aimed at Stealing Payroll Deposits
Healthcare System’s Procedures Helped Prevent the Crime
… Tom Walsh, president of consulting firm tw-Security, says that the process for making any changes to employee-related data should always require an authorization. That includes changes involving an employee’s bank and account numbers for payroll direct deposits, beneficiaries on life insurance policies and health insurance benefits.
“The employee portal makes it easier and more convenient, but the assurance that the HR department is actually communicating with the employee may have been lost for the sake of convenience,” he says. “Treat an employee portal or kiosk like an ATM machine at the bank,” he advises. “Require multifactor authentication as the authorization for handling sensitive transactions.”
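The step-up control Walsh describes, as an added example that is not from the article or from tw-Security: a password-only portal session may browse, but a direct-deposit or beneficiary change is accepted only when the session carries a recent multifactor authentication, and the change record always notifies the contact details that were on file before the change so the real employee learns of it even if the attacker also edited the contact data. The session fields, transaction names and the five-minute freshness window are assumptions for illustration.

```python
"""Step-up authentication gate for sensitive employee-portal transactions.

Added example, not code from the article or from tw-Security. Models the
advice to treat the portal like an ATM: browsing needs only a login, but
changing payroll or benefits data needs a fresh multifactor authentication.
"""
from dataclasses import dataclass
from typing import Optional

# Transactions that require fresh MFA before they are applied (assumed list).
SENSITIVE_TRANSACTIONS = {"change_direct_deposit", "change_beneficiary", "change_contact"}
# Assumed policy: the MFA step must have completed within the last 5 minutes.
MFA_FRESHNESS_SECONDS = 300


@dataclass(frozen=True)
class Session:
    user: str
    auth_methods: frozenset  # e.g. {"pwd"} or {"pwd", "otp"}; "pwd" alone is single-factor
    mfa_time: Optional[int]  # epoch seconds when the last MFA completed, None if never


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(session: Session, transaction: str, now: int) -> Decision:
    """Return whether `transaction` may proceed on `session` at time `now`."""
    if transaction not in SENSITIVE_TRANSACTIONS:
        return Decision(True, "not a sensitive transaction")
    # A session that only ever presented a password has no second factor to rely on.
    if session.auth_methods <= {"pwd"} or session.mfa_time is None:
        return Decision(False, "step-up required: no multifactor authentication on this session")
    # A second factor presented long ago does not prove the person at the keyboard now.
    if now - session.mfa_time > MFA_FRESHNESS_SECONDS:
        return Decision(False, "step-up required: last MFA is older than the freshness window")
    return Decision(True, "fresh MFA present")


def apply_direct_deposit_change(session: Session, employee_record: dict,
                                new_account: str, now: int) -> dict:
    """Apply a direct-deposit change if authorized; always notify the *previous* contact.

    `employee_record` is an assumed dict with "account" and "notify_email" keys.
    Notifying the contact of record before the change (not after) means an attacker
    who changed the contact address in the same session still tips off the employee.
    """
    decision = authorize(session, "change_direct_deposit", now)
    previous_contact = employee_record["notify_email"]
    if not decision.allowed:
        return {"applied": False, "reason": decision.reason, "notify": None}
    old_account = employee_record["account"]
    employee_record["account"] = new_account
    return {
        "applied": True,
        "reason": decision.reason,
        # Audit trail: who, when, and what changed, plus the out-of-band notice.
        "audit": {"user": session.user, "time": now, "old": old_account, "new": new_account},
        "notify": previous_contact,
    }


if __name__ == "__main__":
    record = {"account": "111-000", "notify_email": "alice@example.org"}
    weak = Session("alice", frozenset({"pwd"}), None)
    strong = Session("alice", frozenset({"pwd", "otp"}), mfa_time=1_000)
    print(apply_direct_deposit_change(weak, record, "999-123", now=1_100))
    print(apply_direct_deposit_change(strong, record, "999-123", now=1_100))
```

The freshness check is what turns a stolen password into a dead end: a phished credential alone yields a `step-up required` denial, and a second factor presented at login hours earlier is not accepted as authorization for the change.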
To reduce the odds that phishing and other email-related incidents succeed in exposing sensitive data, Walsh advises against sharing confidential information in email. “Use other secure methods for sharing information,” he says. “For example, instead of sending a spreadsheet filled with patient information as an attachment to email, store the spreadsheet on a common network drive … plus password protect the spreadsheet.”
While this creates additional steps and could be perceived as inconvenient, it helps prevent data from being exposed in the event that a user’s email gets hacked or compromised, Walsh says.
Hackers know that many people quickly respond to any type of request that purportedly comes from executive management, Walsh adds. “This is one of the reasons why phishing emails have been so successful. Employees will bypass the normal protocols and procedures followed for making changes – even violating their own internal policies – in order to quickly respond to a request by upper management.”
Regardless of who is making a request, employees need to understand that they must “stick to and follow organizational policies,” he adds. “These processes were established to protect both the company as well as the employee – especially if the request involves money or passwords.”
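A detection rule for the executive-impersonation pattern described above, as an added example that is not from the article or from tw-Security: inbound mail whose display name matches someone on an executive roster while the address is outside the organization's domain, or whose Reply-To redirects answers elsewhere, is flagged, and the severity rises when the text also pushes urgency or touches payroll and bank details. The organization domain, the executive roster and the two sample messages are constructed for illustration.

```python
"""Executive-impersonation phishing detector run over constructed sample messages.

Added example, not code from the article or from tw-Security. Flags the
"request from upper management" lure: an executive's name on an external
address, a mismatched Reply-To, urgency wording, and payroll/bank subject matter.
"""
import email
import re
from email.utils import parseaddr

ORG_DOMAIN = "example-health.org"  # assumed organization domain
# Assumed executive roster, keyed by normalized display name.
EXECUTIVES = {
    "jane doe": "jane.doe@example-health.org",
    "mark lee": "mark.lee@example-health.org",
}

URGENCY = re.compile(r"\b(urgent|asap|immediately|today|quick|right away)\b", re.IGNORECASE)
PAYROLL = re.compile(r"\b(direct deposit|payroll|bank account|routing|w-?2)\b", re.IGNORECASE)


def normalize_name(display_name: str) -> str:
    """Lowercase, drop punctuation, collapse spaces so 'JANE  Doe' matches 'jane doe'."""
    cleaned = re.sub(r"[^a-z ]", "", display_name.lower())
    return " ".join(cleaned.split())


def analyze(raw_message: str) -> dict:
    """Return the flags raised by one RFC 822 message and an overall severity."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""

    flags = []
    name_key = normalize_name(display_name)
    if name_key in EXECUTIVES and from_domain != ORG_DOMAIN:
        flags.append("exec_display_name_external_sender")
    if reply_addr and reply_addr.lower() != from_addr.lower():
        flags.append("reply_to_mismatch")

    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    if URGENCY.search(text):
        flags.append("urgency")
    if PAYROLL.search(text):
        flags.append("payroll_topic")

    # Severity: impersonation of an executive plus a money/urgency lure is the
    # combination the article warns about; either alone is worth a look.
    if "exec_display_name_external_sender" in flags and ("payroll_topic" in flags or "urgency" in flags):
        severity = "high"
    elif flags:
        severity = "medium"
    else:
        severity = "none"
    return {"from": from_addr, "flags": flags, "severity": severity}


# Constructed sample messages (not real mail): one lure, one legitimate note.
SAMPLE_MESSAGES = [
    """From: Jane Doe <jane.doe@gmail-mail.example>
Reply-To: ceo.janedoe@mail.example
To: payroll@example-health.org
Subject: Quick request

I need to update my direct deposit before today's payroll run.
Can you change it right away? I'm in meetings all day, just reply here.
""",
    """From: Jane Doe <jane.doe@example-health.org>
To: payroll@example-health.org
Subject: Q3 budget deck

Attached is the slide deck for Thursday's review.
""",
]


def analyze_all(messages=SAMPLE_MESSAGES) -> list:
    return [analyze(m) for m in messages]


if __name__ == "__main__":
    for result in analyze_all():
        print(result)
```

The rule deliberately keys on the display name rather than the address: the attacker controls the address, but has to reuse the executive's name for the lure to work, and that is the one element a roster lookup can pin down.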