The newest cybersecurity threat targeting HR and payroll systems has arrived, and it has been named the Payroll Pirates!
The security company Silent Push uncovered this new trend in cybercrime and published a research report on it. In this video our in-house experts, Trefor Walters (Penetration Tester), Shaun Hand (Head of Cybersecurity Operations) and Will North (Chief Information Security Officer), look at the report and give their views on how the Payroll Pirates operate and on the best ways to protect your team.
The method
Many people find their HR or payroll platform by searching for it rather than typing the URL in directly, and that habit is exactly what the attackers exploit.
The Payroll Pirates' plan revolves around brand impersonation. They register a domain that looks very similar to the official one (a different top-level domain, an added hyphen, a digit in place of a letter), then use sponsored search-engine ads to push their domain to the top of the results, above the genuine one.
The next step is where it gets insidious. The fake page harvests the victim's login details, and the criminals then use those credentials to log in to the real HR system. Once inside, they change the victim's bank details so that their pay is routed directly to an account the criminals control. This often goes unnoticed until payday has passed and the money is gone.
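The lookalike-domain trick above is something a security team can watch for in its own web-proxy logs. The following is an added example written for this page, not code from Silent Push or from the video; the portal hostname `payroll.example-hr.com` and the log lines are constructed, and the "registrable domain is the last two labels" rule is a stated simplification. It folds the substitutions a lookalike relies on (digits for letters, `rn` for `m`, dots and hyphens, a `www.` prefix) and flags hosts that either embed the real domain inside a different registered domain or come out near-identical after folding.

```python
import re
from difflib import SequenceMatcher

# Hypothetical official payroll portal (an assumption made for this example).
OFFICIAL_HOST = "payroll.example-hr.com"

# Constructed web-proxy log lines, not real traffic: "<timestamp> <user> <url>".
SAMPLE_PROXY_LOG = """\
2024-05-02T08:01:12Z alice https://payroll.example-hr.com/login
2024-05-02T08:03:40Z bob https://www.payroll.example-hr.com/login
2024-05-02T08:05:09Z carol https://payroll-example-hr.com/login
2024-05-02T08:07:55Z dave https://payrol1.example-hr.co/login
2024-05-02T08:09:30Z erin https://www.example.com/news
2024-05-02T08:11:02Z frank https://example-hr.com.payroll-login.net/sso
"""

# Digits attackers substitute for letters of similar shape; folded before comparing.
HOMOGLYPHS = str.maketrans("01357", "olest")


def hostname(url):
    """Extract the host part of a URL (lower-cased); '' if the URL is malformed."""
    match = re.match(r"^https?://([^/:?#]+)", url)
    return match.group(1).lower() if match else ""


def normalize(host):
    """Fold the tricks a lookalike relies on: case, www., rn/m, digit-for-letter, dots and hyphens."""
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    host = host.replace("rn", "m").translate(HOMOGLYPHS)
    return re.sub(r"[.\-]", "", host)


def lookalike_reason(host, official=OFFICIAL_HOST, threshold=0.85):
    """Return why `host` resembles `official`, or None if it is genuine or unrelated.

    Assumes the registrable domain is the last two labels (a simplification that
    is wrong for suffixes such as .co.uk; use a public-suffix list in production).
    """
    registrable = ".".join(official.split(".")[-2:])
    if host == official or host == registrable or host.endswith("." + registrable):
        return None  # the real portal, or another host on the same registered domain
    if registrable in host:
        return "official domain embedded in a different registered domain"
    similarity = SequenceMatcher(None, normalize(host), normalize(official)).ratio()
    if similarity >= threshold:
        return f"near-identical after folding lookalike characters ({similarity:.2f})"
    return None


def scan_proxy_log(log_text, official=OFFICIAL_HOST):
    """Return (user, host, reason) for every log line whose host resembles the payroll portal."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than crash on them
        _timestamp, user, url = fields
        host = hostname(url)
        reason = lookalike_reason(host, official)
        if reason:
            hits.append((user, host, reason))
    return hits


if __name__ == "__main__":
    for user, host, reason in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{user}: {host} -> {reason}")
```

On the constructed log, carol, dave and frank are flagged and alice, bob and erin are not. The similarity threshold is a tuning knob: lower it and you catch more creative spellings at the cost of false positives on unrelated sites that happen to share a word with your brand.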
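The page's advice concentrates on stopping the credential theft, but the step that actually moves the money, a bank-detail change shortly after a login from somewhere the employee has never logged in from before, is visible in the payroll system's own audit trail. The following is an added example for this page, not code from Silent Push or from the video: the audit events, the baseline of known IP addresses and the 24-hour window are all constructed assumptions, and a real deployment would read these from the HR platform's audit export.

```python
from datetime import datetime, timedelta

# Baseline of IPs each user had logged in from before this period (constructed).
KNOWN_IPS = {
    "alice": {"203.0.113.10"},
    "bob": {"203.0.113.11"},
    "carol": {"203.0.113.12"},
    "dave": {"203.0.113.13"},
}

# Constructed payroll-system audit events (not real data), oldest first:
# (timestamp, user, event, detail); detail is the source IP for login events.
SAMPLE_AUDIT_LOG = [
    ("2024-05-01T09:00:00", "dave", "login", "198.51.100.90"),
    ("2024-05-01T09:05:00", "bob", "login", "203.0.113.11"),
    ("2024-05-02T08:12:00", "carol", "login", "198.51.100.77"),
    ("2024-05-02T08:14:00", "carol", "bank_details_changed", "account ending 1234"),
    ("2024-05-02T10:00:00", "alice", "login", "203.0.113.10"),
    ("2024-05-02T10:02:00", "alice", "bank_details_changed", "account ending 5678"),
    ("2024-05-03T07:30:00", "bob", "login", "198.51.100.80"),
    ("2024-05-03T09:00:00", "bob", "bank_details_changed", "account ending 9012"),
    ("2024-05-04T09:30:00", "dave", "bank_details_changed", "account ending 3456"),
]


def detect_payroll_diversion(events, known_ips, window=timedelta(hours=24)):
    """Flag bank-detail changes made within `window` of a login from an IP the user never used before.

    `events` must be in chronological order. Returns one alert dict per suspicious change.
    A change from a long-established IP, or one made days after the new-IP login, is left alone.
    """
    seen = {user: set(ips) for user, ips in known_ips.items()}
    recent_new_login = {}  # user -> (timestamp, ip) of the latest login from an unseen IP
    alerts = []
    for ts_text, user, event, detail in events:
        ts = datetime.fromisoformat(ts_text)
        if event == "login":
            if detail not in seen.setdefault(user, set()):
                seen[user].add(detail)
                recent_new_login[user] = (ts, detail)
        elif event == "bank_details_changed":
            login = recent_new_login.get(user)
            if login and ts - login[0] <= window:
                alerts.append({
                    "user": user,
                    "changed_at": ts_text,
                    "login_ip": login[1],
                    "minutes_after_new_ip_login": int((ts - login[0]).total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_payroll_diversion(SAMPLE_AUDIT_LOG, KNOWN_IPS):
        print(alert)
```

On the constructed data, carol (bank change two minutes after a login from a new address) and bob (90 minutes after) are flagged; alice changed her details from her usual address and dave's change came three days after his new-IP login, so neither raises an alert. In practice the alert should go to payroll for an out-of-band confirmation with the employee before the next pay run, which is what turns detection into recovered money.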
The solution
Education is critical. Train your employees to recognise the signs of a fake web page. Make sure they know what your real web address looks like: does it end in .net or .com? Does the page look slightly different from what they are used to? Perhaps the most telling sign that a page has just stolen your credentials is that it redirects you to the official login page after you type them in. The pirates do this to stay under the radar, so that you put it down to a small glitch and simply log in again.
One simple improvement is bookmarking. Many modern IT management systems can push a bookmark for the genuine login page to the browser your employees use (for example through Chrome's ManagedBookmarks or Edge's ManagedFavorites policy). That removes the temptation to search for the login page, as they only need to click a single button.
Multi-factor authentication (MFA) is the strongest line of defence where education and preparation fail. With MFA, even if a bad actor gets hold of your login credentials, they cannot log in unless they also control the second factor, typically the person's phone. That buys the person time to change their password and protect themselves. One caveat: a fake page that relays what the victim types to the real site in real time can relay a one-time code as well, so where the HR platform supports it, prefer phishing-resistant MFA such as FIDO2 security keys or passkeys, which only work on the genuine domain.