Fighting Phishing: BU Moratorium on Changes to Direct Deposits
Employees need to go through payroll supervisors temporarily
The University is temporarily halting employees’ ability to change their direct-deposit bank accounts online. BU will use the moratorium to fortify itself against Internet scammers who have stepped up their attacks in recent weeks.
Employees wanting to change their banking information should contact their department’s payroll coordinator, says Quinn Shamblin, executive director of information security. Instructions on that process have been sent to all payroll coordinators, who are ready to help. Meanwhile, Shamblin says, the University will install “technical controls and protections” against phishers (scammers who obtain victims’ passwords and other private information with solicitations masquerading as legitimate inquiries). The ability to change deposit information online will resume “when strong protections are in place,” according to Shamblin.
Salary statements will still be available to employees via the BUworks Central portal, says Tracy Schroeder, vice president for information services and technology.
Last month, phishers sent phony emails, ostensibly from the University, asking employees for their usernames and passwords. Several employees complied, and the phishers used those credentials to change the victims' direct-deposit information and reroute their paychecks. The University has reimbursed the employees for all money lost.
Since then, “we have seen additional phishing attacks, using the same form and format” as the December con, Shamblin says. The phishers’ emails tend to be sent on weekends, “hoping that people will look at the message while at home or on their mobile phone,” outside the protections of BU’s computer network. “It is important for people to understand that there are a number of protections in place on the BU network that do not function when you view email outside of BU,” he warns. He urges employees who receive suspect emails to forward them immediately to firstname.lastname@example.org, using the instructions here. Earlier this month, Shamblin emailed a list of precautions to the University community after the December phishing attack was disclosed.
“People need to be aware of what real messages look like, including their security features,” he says. Authentic BU messages will never ask for usernames, passwords, and other confidential information, and that info should never be disclosed when an unsolicited email asks for it.
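The indicators described above (a message that claims to come from the University but asks for a username and password, arrives on a weekend, and lacks the security features a real message carries) can be turned into a simple triage check that an employee or help desk could run on a suspicious message before forwarding it. The script below is an added example, not BU's code or any tool the article mentions. The impersonated domain (bu.edu), the two constructed sample messages, the two-finding threshold, and the use of SPF/DKIM results from the Authentication-Results header as the "security features" are all assumptions of the example.

```python
"""Heuristic triage for credential-phishing email that impersonates an institution.

Added example (not BU's code). Assumes messages are available as raw RFC 5322 text
and that the receiving mail server records SPF/DKIM results in Authentication-Results.
"""
import email
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

ORG_DOMAIN = "bu.edu"  # assumption: the impersonated institution's mail domain
ORG_NAME_RE = re.compile(r"\b(boston university|bu)\b", re.I)  # assumption

# Wording a real institutional message should never use: a request to send credentials.
CREDENTIAL_PATTERNS = (
    r"\b(user ?name|login|password|passcode)\b",
    r"\b(verify|confirm|update|validate)\b.{0,40}\b(account|credentials)\b",
)


def _domain(header_value):
    """Lower-cased domain of the first address in a header ('' if none)."""
    addr = parseaddr(str(header_value))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _is_org(domain):
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)


def analyze(raw_message):
    """Return a list of human-readable findings for one raw message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, _ = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(msg.get("From", ""))

    if _is_org(from_dom):
        # Replies or bounces routed to a domain the institution does not control.
        for hdr in ("Reply-To", "Return-Path"):
            dom = _domain(msg.get(hdr, ""))
            if dom and not _is_org(dom):
                findings.append(f"{hdr} points to {dom}, not {ORG_DOMAIN}")
        # A real message from the institution should carry a passing SPF or DKIM
        # result recorded by the receiving server; a spoofed From address will not.
        auth = str(msg.get("Authentication-Results", ""))
        if not re.search(r"\b(spf|dkim)=pass\b", auth, re.I):
            findings.append(f"From claims {ORG_DOMAIN} but no SPF/DKIM pass recorded")
    elif ORG_NAME_RE.search(display_name):
        # Lookalike sender: institution's name in the display name, foreign domain.
        findings.append(f"display name names the institution but domain is {from_dom}")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if any(re.search(p, text, re.I) for p in CREDENTIAL_PATTERNS):
        findings.append("body asks the reader for credentials")

    date_hdr = msg.get("Date")
    if date_hdr:
        try:
            if parsedate_to_datetime(str(date_hdr)).weekday() >= 5:
                findings.append("sent on a weekend")
        except (TypeError, ValueError):
            findings.append("unparseable Date header")

    return findings


def is_suspicious(raw_message):
    """Two or more independent indicators is the threshold used here (an assumption)."""
    return len(analyze(raw_message)) >= 2


# Constructed sample messages for demonstration; not real BU mail.
PHISH = """\
From: "BU Payroll Office" <payroll@bu.edu>
Reply-To: <payroll-verify@example.net>
Return-Path: <bounce@example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.net; dkim=none
Date: Sat, 7 Jan 2012 09:15:00 -0500
Subject: Action required: payroll account validation
Content-Type: text/plain; charset="utf-8"

Our records indicate your account requires validation. Reply with your
username and password within 24 hours to keep payroll access.
"""

LEGIT = """\
From: "BU Information Services & Technology" <ist@bu.edu>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bu.edu; dkim=pass header.d=bu.edu
Date: Mon, 9 Jan 2012 10:00:00 -0500
Subject: Your December salary statement is available
Content-Type: text/plain; charset="utf-8"

Your December salary statement is now available in the BUworks Central
portal. No action is required.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, is_suspicious(sample), analyze(sample))
```

The check is deliberately a heuristic: a production mail gateway enforces the same ideas with DMARC policy and content filtering, and none of these indicators alone is proof. The point for a reader is which features of a message to inspect (where replies go, whether the server authenticated the sender, whether the body asks for a password) before deciding to forward it to the security team rather than act on it.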
The FBI is investigating last month’s phishing incident at BU and similar scams at other universities.