CRES is forwarding this notice to its student candidates and principals. TEA received the following Education Sector Cyber Alert, dated December 4, 2017, from the Multi-State Information Sharing and Analysis Center (MS-ISAC) regarding the increase in compromises of K-12 school employee direct deposit accounts. Information regarding some of the social engineering tactics malicious actors may use to collect information for the compromise is provided. The alert includes recommendations which can be implemented to limit the effect of this and similar cyber threats. Additionally, MS-ISAC provides recommended actions which should be taken if you experience a compromise of direct deposit information.
The MS-ISAC has seen an increase in cyber threat actors sending phishing emails to K-12 public education employees for the purposes of obtaining account login information. In these incidents, this information is then typically used to modify the employees’ direct deposit account information. By changing this information, the cyber threat actors reroute the employees’ paychecks to a financial account under the actors’ control. No specific payroll platforms are being targeted, as reports indicate the victims have used various platforms for payroll functionality.
Administrators should take action:
- Warn users to never provide credentials in response to an email from any source.
- Enable two-factor authentication. Where that is not possible, require employees to change their direct deposit information through a non-electronic method with the human resources or finance departments.
- Consider notifying employees via an out-of-band communication channel when their financial information has been changed.
- Mark external emails with a banner denoting the email is from an external source. This will assist users in detecting spoofed emails.
- If you don’t have a policy regarding suspicious emails, consider creating one and specifying that all suspicious emails should be reported to the security and/or IT departments. When emails matching this pattern are detected, issue an immediate notification to all staff and where possible, remove the emails from the server.
- Consider blocking file attachments that are commonly associated with malware, such as .dll and .exe, and which cannot be thoroughly scanned by antivirus software, such as .zip files.
- Implement filters at the email gateway to filter out emails with known phishing indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall.
- Routinely review logs to identify unusual access requests, based on time or location analysis.
- Provide social engineering and phishing training to employees. Urge them not to open suspicious emails, click links contained in such emails, post sensitive information online, or provide personal information to any unsolicited request. Teach users to hover over a link with their mouse to verify the destination prior to clicking on the link, as well as to confirm that the “reply to” section of the e-mail header matches the sender’s e-mail.
- Implement Domain-Based Message Authentication, Reporting & Conformance (DMARC), a validation system that minimizes spam emails by detecting email spoofing using Domain Name System (DNS) records and digital signatures.
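The log review and out-of-band notification recommendations above can be combined into a simple detection: flag every direct deposit change made in a session whose login was outside business hours or from a location the employee has not used before. The following is an added example, not code from the MS-ISAC alert or from TEA; the log format, the sample log lines, the 07:00 to 18:59 business-hours window and the "first-seen country is the baseline" rule are all assumptions.

```python
"""Flag risky direct-deposit changes in constructed payroll-portal logs.

Added example, not part of the MS-ISAC alert. The log format, the
business-hours window and the per-user location baseline are assumed.
"""
from datetime import datetime

# Constructed sample log lines: timestamp, user, source country, event.
SAMPLE_LOG = """\
2017-11-28T09:12:05 jsmith US login
2017-11-28T09:15:40 jsmith US view_paystub
2017-11-30T02:47:13 jsmith NG login
2017-11-30T02:49:02 jsmith NG change_direct_deposit
2017-12-01T14:03:11 mlee US login
2017-12-01T14:05:30 mlee US change_direct_deposit
"""

BUSINESS_HOURS = range(7, 19)  # assumed 07:00-18:59 local time


def parse_log(text):
    """Parse whitespace-separated log lines into (datetime, user, country, event)."""
    events = []
    for line in text.splitlines():
        ts, user, country, event = line.split()
        events.append((datetime.fromisoformat(ts), user, country, event))
    return events


def find_risky_changes(events):
    """Return (user, change timestamp, reasons) for each direct-deposit change
    whose preceding login was unusual by time or by location."""
    usual_country = {}  # baseline: first country seen for each user (assumption)
    last_login = {}     # most recent (timestamp, country) login per user
    findings = []
    for ts, user, country, event in events:
        usual_country.setdefault(user, country)
        if event == "login":
            last_login[user] = (ts, country)
        elif event == "change_direct_deposit":
            login_ts, login_country = last_login.get(user, (ts, country))
            reasons = []
            if login_ts.hour not in BUSINESS_HOURS:
                reasons.append("login outside business hours")
            if login_country != usual_country[user]:
                reasons.append(f"login from {login_country}, usual {usual_country[user]}")
            if reasons:
                findings.append((user, ts.isoformat(), reasons))
    return findings
```

Each finding is a candidate for the out-of-band employee notification recommended above; in the sample data only jsmith's change is flagged, on both the time and the location criteria.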
(TEA’s original article is available on the TEA website.)