Phishing perpetrators continue an unrelenting assault on businesses in a bid to illegally gain access to company data so they can further their criminal activities. The payroll service industry seems to be dealing with a new barrage of attacks that have continuously evolved and grown in sophistication in an attempt to fool unsuspecting organizations into granting access to vital data.
Attackers seem to be stepping outside the known “bait” methods and email formats that could easily be identified and flagged, instead using email addresses and domain names that mimic known and respected organizations like the IRS, NACHA, the BBB and even the USPS.
Earlier this year, the Electronic Payments Association received reports that companies and individuals were receiving fraudulent emails that appeared to have been sent from the National Automated Clearing House Association (NACHA). The reported emails were sent to unsuspecting individuals and organizations advising them of electronic payments that had been rejected, flagged or blocked by the Clearing House Association.
Instructions in these emails advised recipients to open attachments for more details on the blocked transactions. Once the email or attachments were opened, malware attached to the emails infected the victims' systems, successfully completing its intended task.
NACHA released an alert in March 2011 advising organizations of the phishing emails. In an excerpt taken from its website, NACHA stated it was aware of emails, varying in content, that appeared to be transmitted from email addresses associated with the NACHA domain (@nacha.org). These emails later began listing addresses with fictitious names of NACHA employees and/or departments, following the pattern shown in this example: firstname.lastname@example.org.
The notification went on to clarify that NACHA itself does not process or touch ACH transactions that flow to and from organizations and financial institutions, and that NACHA does not send communications to persons or organizations about individual ACH transactions they originate or receive. Payroll Tax Management notified clients about these emails; complete details are available on NACHA’s website.
The Internal Revenue Service and the Federal Deposit Insurance Corporation have also released publications on their websites about phishing emails crafted to look as if they come from their domains, detailing the nature of the emails and how to identify, contain and report the problem.
So far, the names of the following organizations have been used in these phishing scams:
- BBB – Better Business Bureau
- FDIC – Federal Deposit Insurance Corporation
- IRS – Internal Revenue Service
- NACHA – National Automated Clearing House Association
- USPS – United States Postal Service
To protect our internal assets and client data, Payroll Tax Management (PTM) employs security software to monitor its systems and identify unauthorized attempts to upload or alter information. Email procedures and training equip employees to identify phishing emails. The aim of the training is to make everyone aware of these ever-evolving phishing attacks, along with a better understanding of how the organizations we transact with communicate. With this knowledge it becomes that much easier for everyone to help flag suspect communications.
Payroll Tax Management has also implemented policies and procedures that have helped identify emails that were not flagged as spam but appear suspect. Continuous education and communication with employees has helped defeat these attacks. Employees are constantly aware that suspect emails with attachments and/or links to Web pages may host malicious code and software. For this reason, they do not open attachments or follow Web links in unsolicited emails from unknown parties or from parties with whom they do not normally communicate.
Forwarded emails from known parties that seem suspicious or otherwise unusual are handled the same way: the message is first verified by contacting the sending party by phone before it is opened. Learning about the organizations that handle our transactions and their methods of communication also helps identify these fraudulent emails. The IRS and other prominent organizations like NACHA or FDIC state that they do not send or solicit information by email.
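The handling rules above (an impersonated organization plus an attachment or link is a phish, since those bodies do not email transaction notices; any other unsolicited transaction lure with an attachment or link is verified by phone before opening) can be turned into a mail-gateway triage check. The following is an added example, not PTM's own tooling; the sample message, its sender name and the `analyze` function are constructed for illustration and the lure vocabulary is taken from the NACHA emails described earlier.

```python
import email
import re
from email import policy
# Organizations the post lists as impersonated, matched as whole words in the
# sender display name or domain ("clearing house" covers NACHA's full name).
IMPERSONATED = {"nacha": "NACHA", "clearing house": "NACHA", "irs": "IRS",
                "internal revenue": "IRS", "fdic": "FDIC", "bbb": "BBB", "usps": "USPS"}
# The reported lure: an ACH payment/transaction that was rejected, flagged or blocked.
TOPIC = re.compile(r"\b(ach|payment|transaction|transfer)s?\b", re.I)
OUTCOME = re.compile(r"\b(rejected|blocked|flagged|failed)\b", re.I)
URL = re.compile(r"https?://\S+", re.I)
# Constructed sample (hypothetical address, not a real message) modelled on the
# NACHA emails the post describes: a fictitious employee name plus an attachment.
PHISH = """\
From: "John Smith" <john.smith@nacha.org>
Subject: ACH transaction rejected
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your ACH payment was blocked. See the attached report for details.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="report.zip"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""


def analyze(raw: str) -> dict:
    # Parse one RFC 5322 message and apply the post's handling rules to it.
    msg = email.message_from_string(raw, policy=policy.default)
    addrs = msg["From"].addresses if msg["From"] else ()
    ident = f"{addrs[0].display_name} {addrs[0].domain}".lower() if addrs else ""
    org = next((v for k, v in IMPERSONATED.items()
                if re.search(rf"\b{re.escape(k)}\b", ident)), None)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    text = f"{msg['Subject'] or ''}\n{body}"
    lure = bool(TOPIC.search(text) and OUTCOME.search(text))
    attachment = any(True for _ in msg.iter_attachments())
    link = bool(URL.search(body))
    # Rule 1: named organizations never email transaction notices, so their name plus
    # an attachment/link is a phish. Rule 2: other such lures are confirmed by phone.
    verdict = ("quarantine" if org and (attachment or link) else
               "verify by phone" if lure and (attachment or link) else "ok")
    return {"org": org, "lure": lure, "attachment": attachment,
            "link": link, "verdict": verdict}
```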
We hope this information helps our clients and partners protect their systems from these attacks.