An unknown scammer accessed the payroll accounts of some Boston University employees during the month of December, Boston University Police Department officials said.
Using stolen login information, the hackers changed the bank accounts into which the paychecks of 10 university employees are automatically deposited, so that those employees could not access their pay, said BUPD Detective Peter DiDomenica.
“It started out with one suspicious incident of someone’s payroll check going into another account,” DiDomenica said. “And then through an audit of all the payroll records here, it was determined that there was a series of these fraudulent diversions of payroll checks based on a theory of someone going into each individual’s payroll account and changing the designated account where the money should go.”
The hackers obtained the employees' usernames and passwords through a scam email that led them to enter confidential information into what they believed was a BU system, said Executive Director of Information Security Quinn Shamblin.
“They basically sent an email to people, and the email was crafted in a clever-enough way that the people responded to the email and logged into a potentially fake website that looked like a real BU website, but was really owned by the bad guys,” Shamblin said.
The method the hackers used, known as “phishing,” involves the attacker posing as an official organization in order to lure the victim into providing confidential information, DiDomenica said. In all, 78 employees received the hackers' email.
“People responded to one of these phishing emails and thought they were updating their BU employee accounts,” DiDomenica said. “They were basically giving away their passwords, and once they were obtained, their accounts were changed and their paychecks went off into other banks.”
Because the paychecks were transferred to various banks across the U.S. as well as some in Africa, the incident qualifies as an international investigation under the jurisdiction of the Federal Bureau of Investigation, DiDomenica said.
“The funds were diverted to banks all across the country,” DiDomenica said. “The IP addresses that were used to make the changes in the employees’ accounts are from all over the country and other countries. There’s some from Africa. It’s international in scope. This is a federal investigation, so our job is to assist the FBI with their investigation.”
BU Information Technology Services officials are also identifying ways to prevent such situations from occurring in the future, Shamblin said. This includes developing a system that notifies employees whenever changes are made to their account information.
“We’re taking a look at how we have a sense of security … and how we could get mechanisms to notify the user if the information in their account has changed, similarly to a personal bank accountant,” Shamblin said.
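The two controls described above, an audit of payroll records for diverted deposits and a notification to the employee when account details change, can be sketched in a few dozen lines. The example below is added here and is not BU's system or code; the log records, routing and account numbers, addresses and the trusted network range are all constructed. It flags a direct-deposit change when several employees are suddenly paying into the same new account (the pattern the audit uncovered) or when the change was submitted from outside the institution's own network, and it drafts a confirmation to the contact address that was on file before the change took effect.

```python
# Added example (not BU's system): flag suspicious direct-deposit changes in a
# payroll change log and draft an out-of-band notification for each employee.
# Every record, network range, routing number and address below is constructed.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class DepositChange:
    employee_id: str
    routing_number: str      # destination bank (constructed value)
    account_number: str      # destination account (constructed value)
    source_ip: str           # address that submitted the change
    contact_on_file: str     # contact address recorded BEFORE this change


# Constructed sample log: three employees redirected to one new account from
# off-campus addresses, plus one routine change made from the campus network.
SAMPLE_CHANGES = [
    DepositChange("e1001", "000000111", "778811", "198.51.100.23", "e1001@example.edu"),
    DepositChange("e1002", "000000111", "778811", "203.0.113.9",   "e1002@example.edu"),
    DepositChange("e1003", "000000111", "778811", "203.0.113.77",  "e1003@example.edu"),
    DepositChange("e1004", "000000222", "123456", "10.20.30.40",   "e1004@example.edu"),
]

# Constructed: address ranges the institution treats as its own network.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]


def shared_destinations(changes):
    """Map each destination account to the employees now paying into it.
    A legitimate change is normally one employee to one account, so several
    employees converging on one new account is worth a second look."""
    by_dest = defaultdict(list)
    for c in changes:
        by_dest[(c.routing_number, c.account_number)].append(c.employee_id)
    return {dest: ids for dest, ids in by_dest.items() if len(ids) > 1}


def is_unfamiliar_source(change, trusted_networks=TRUSTED_NETWORKS):
    """True when the change was submitted from outside the trusted ranges."""
    addr = ip_address(change.source_ip)
    return not any(addr in net for net in trusted_networks)


def review_changes(changes, trusted_networks=TRUSTED_NETWORKS):
    """Return {employee_id: [reasons]} for every change to hold for review."""
    shared = shared_destinations(changes)
    findings = {}
    for c in changes:
        reasons = []
        dest = (c.routing_number, c.account_number)
        if dest in shared:
            others = [e for e in shared[dest] if e != c.employee_id]
            reasons.append(f"destination account shared with {', '.join(others)}")
        if is_unfamiliar_source(c, trusted_networks):
            reasons.append(f"submitted from unfamiliar address {c.source_ip}")
        if reasons:
            findings[c.employee_id] = reasons
    return findings


def build_notification(change):
    """Draft the confirmation sent to the contact address on file before the
    change. Using the pre-change address matters: if whoever made the change
    also edited the contact details, the real employee still hears about it."""
    return (
        f"To: {change.contact_on_file}\n"
        f"Your direct-deposit destination was changed to an account ending in "
        f"{change.account_number[-4:]} from {change.source_ip}. "
        f"If you did not make this change, contact payroll directly."
    )


if __name__ == "__main__":
    for emp, reasons in review_changes(SAMPLE_CHANGES).items():
        print(emp, "->", "; ".join(reasons))
    for c in SAMPLE_CHANGES:
        print(build_notification(c))
```

Run as-is, the script holds e1001, e1002 and e1003 for review (shared destination and unfamiliar source) and lets the campus-network change for e1004 through, while still drafting a notification for all four; the notification goes out for every change, flagged or not, because the employee is the one party who can say for certain whether the change was legitimate.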
In the meantime, DiDomenica cautions members of the BU community to remain wary of requests to provide usernames and passwords unless they have initiated the solicitation.
“The simplest way to prevent this is, whether by telephone, email or text, never provide personal information,” DiDomenica said. “Always withhold that [personal information] unless you’ve already made some kind of inquiry or are aware that you need to provide that. Don’t reply to these requests, and if you have a question about anything, make an independent inquiry with the source of the request and confirm it first.”