Recent rise in scammers attempting to reroute employee paychecks
In recent weeks, the KU Information Technology Security Office (ITSO) has seen an increase in email attacks with impersonators trying to reroute employee paychecks. Other attacks try to convince recipients to bypass normal purchasing or financial processes. These malicious emails may appear to come from a person in authority and often target human resource and finance departments. The ITSO team reminds you to be vigilant in protecting yourself and the KU community from these and other phishing attempts.
If you receive an email directing you to take action outside an established HR or finance process, do not respond; instead, forward the email to firstname.lastname@example.org. You are also advised to verify the legitimacy of such messages by conferring with your supervisor or contacting Human Resource Management (785-864-4946 | email@example.com) or the Finance department (785-864-4904 | firstname.lastname@example.org). If you have already responded to a message you believe may be malicious, contact ITSO immediately at 785-864-8080 or email@example.com.
As always, please remember that you may review your direct deposit elections in HR/Pay under Payroll and Compensation. If you have questions about your direct deposit, please contact firstname.lastname@example.org.
Please note the following red flags:
- The sender’s email address does not match the “from” line header information.
- The email address domain is anything other than “@ku.edu.”
- The subject line includes language such as “Direct Deposit Update!” or “Payroll Direct Deposit.”
- Poorly crafted emails with spelling and grammar mistakes.
- Incorrect or abbreviated signature line for the supposed sender.
- The use of full names instead of nicknames and a language structure that may not match how the supposed sender normally communicates.
- Indications that the only way to contact the sender is through email. In some cases, the emails appear to be timed to correspond with times the employee is out of the office.
- The transactions are for a new vendor or new contract.
- Internal warning banners that indicate the email is spam, spoofed or from an external source.
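The header-level red flags above can be checked mechanically before a message ever reaches a payroll inbox. The following is an added example, not code from the KU ITSO notice: it scores a raw message against the sender-mismatch, external-domain, subject-lure and warning-banner flags. The two sample messages and the "[EXTERNAL]" banner text are constructed; ku.edu is the trusted domain as the notice states.

```python
# Added example (not from the KU ITSO notice): score a raw message against the
# red flags listed above. Sample messages and the "[EXTERNAL]" banner are constructed.
import re
from email import message_from_string
from email.utils import parseaddr
TRUSTED_DOMAIN = "ku.edu"                                   # from the notice
LURES = ("direct deposit update", "payroll direct deposit")  # subjects from the notice
BANNER = "[EXTERNAL]"                                       # assumed gateway banner text
def _domain(addr):
    return addr.rpartition("@")[2].lower()
def red_flags(raw):
    """Return the red flags a raw RFC 5322 message triggers, in a fixed order."""
    msg = message_from_string(raw)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    # Display name carries an address that differs from the real sender address
    embedded = re.search(r"[\w.+-]+@[\w.-]+", display)
    if embedded and embedded.group(0).lower() != addr.lower():
        flags.append("from-mismatch")
    # Reply-To steering replies to another domain is the same trick in another header
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != _domain(addr):
        flags.append("reply-to-mismatch")
    # Sender domain is anything other than ku.edu (or a subdomain of it)
    dom = _domain(addr)
    if dom != TRUSTED_DOMAIN and not dom.endswith("." + TRUSTED_DOMAIN):
        flags.append("external-domain")
    # Subject uses one of the payroll lures named in the notice
    subject = msg.get("Subject", "")
    if any(lure in subject.lower() for lure in LURES):
        flags.append("payroll-subject")
    # The mail gateway already stamped an external/spoof banner on the message
    body = "" if msg.is_multipart() else msg.get_payload()
    if BANNER in subject.upper() or BANNER in body.upper():
        flags.append("external-banner")
    return flags
# Constructed samples: a spoofed payroll lure and a routine internal reminder
SPOOFED = """\
From: "Jane Doe jane.doe@ku.edu" <hr.update.1234@webmail.example>
Reply-To: payroll-desk@mailbox.example
Subject: Direct Deposit Update!

[EXTERNAL] This message originated outside KU.
Please move my direct deposit to the attached account before Friday.
"""
LEGIT = """\
From: Human Resource Management <hrm@ku.edu>
Subject: Reminder: review your elections in HR/Pay

See Payroll and Compensation in HR/Pay for your direct deposit elections.
"""
```

A message that raises any flag should be routed to the reporting address rather than acted on; the flags are indicators, not proof, and a clean score does not make a request legitimate.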
You and your colleagues are the best defense against malicious attacks through awareness and vigilance. Trust your suspicions when you receive messages that, for whatever reason, don’t seem quite right. We would rather get 100 genuine messages reported to email@example.com than have one bad message get through and harm you, your colleagues or the University.