Postal workers conned by cyber scam are irate

2013 audit warned about vulnerabilities in system

By: Nick Penzenstadler
USA Today

Paltry cybersecurity and a slow-moving bureaucracy at the U.S. Postal Service meant hundreds of mail carriers, handlers and service clerks fell victim to a complex direct deposit scheme that left them without pay and angry that the federal government had failed to heed multiple warnings.
Postal leaders downplayed the incident, telling USA Today in a statement that they first were notified in December [2022] about "unusual log-in activity involving a limited number of employees."
In reality, cybercriminals had for months lured employees searching for their payroll system with a mirror-image-like website that reportedly tricked hundreds of employees into providing their usernames and passwords. The bad actors then used that information to sign in to the real system and reroute employees' paychecks.
That left employees like Atlanta mail handler Joe Hoagland in a serious pinch for cash.
When the paychecks stopped, Hoagland initially figured his credit union had screwed up.
Then his pay stub revealed $900 had been siphoned off. When his supervisor finally told him there had been a security problem, Hoagland was furious.
"I'm the primary breadwinner in my family; this isn't 2000 bucks, this is $900 out of my check," Hoagland said. "They knew about it for weeks and dragged their feet on telling us."

Union pushing for answers and fixes

Unions representing postal workers helped relay information and advocate for shoring up the PostalEASE human resource system.
The American Postal Workers Union says at least 460 of its members lost at least one direct deposit, for a total of about $1 million. About half of that money had been recovered by banks voluntarily returning the money.
Michael Martel, spokesman for the U.S. Postal Inspector, said he could not discuss the ongoing investigation. However, he noted that "the U.S. Postal Inspection Service has partnerships across the globe to protect the Postal Service and the American public."
"Anyone who engages in such conduct should know they will not go undetected and they will be held accountable, no matter where they are located," he said.
The culprits may never be caught. Experts say siphoned money is traditionally moved quickly through other financial networks, offshore or into cryptocurrency, which makes it hard for the justice system to follow the trail.
The union said one employee says the Postal Service tried to claw back wrongly routed money and issued them a check for what remained in the fraudulent account: $1.78.
Another employee didn't notice the problem until all of her automatic payments bounced, which resulted in $500 in bank fees.
Charlie Cash, the union's industrial relations director, said the Postal Service has taken the position that the institution did nothing wrong and therefore is not culpable.
"We completely disagree," Cash said. "A lot of these workers in the middle class live paycheck to paycheck, and this happened just before Christmas."
Cash pointed to warnings dating back to a 2013 audit from the Office of Inspector General about vulnerabilities in the HR system that left it open to unauthorized access.
Cash and the postal workers union have filed a grievance known as a national dispute, and he said the union is considering escalating the complaint to a national arbitrator.
A union member also alerted the Postal Service in March 2022 to the series of fake HR websites that left employees vulnerable, according to emails provided to USA TODAY. He was told to send an email to spam@uspis.gov and, although the Postal Service investigates and sends cease and desist letters, "the sites come and go with astonishing frequency," an unsigned email from the U.S. Postal Inspection Service responded.
The Postal Service denied a Freedom of Information Act request from USA TODAY for the cease and desist letters, citing commercial trade secrets. USA TODAY has appealed the ruling.

Postal Service sympathetic but says it's not responsible

The official line from the Postal Service is that it notified employees, monitored their compromised accounts, tried to recover their rerouted money and purchased a year of credit monitoring for them. It also said it warned all employees about cybercriminals.
Public affairs staff at the Postal Service declined requests from USA TODAY for an interview to answer questions about the causes and scope of the problems and the charges that followed.
In mid-January [2023], however, the Postal Service rolled out its first multi-factor HR site. That type of sign-in could have prevented many of the unauthorized account changes because it requires a user to confirm their identity via a second device, such as a smartphone.
National cybersecurity experts say multi-factor authentication is the bare minimum organizations should deploy to safeguard direct deposit systems. Some called operating without it "security malpractice."
Kevin Gosschalk, founder and CEO of cybersecurity firm Arkose Labs, said such attacks are "tragically common." He pointed to FBI reports that showed wire fraud and diversion accounted for $2.7 billion in losses across the U.S. last year [2022].
"It's low-risk and high-reward," he said, "in part because the financial mechanics of wire transfers mean it's extraordinarily difficult to unwind."

How can you avoid payroll diversion scams?

Employees should never follow a link in an email, a text or a search result to access a sensitive site, experts said. Instead, they should bookmark the site or enter the URL manually to avoid lookalike sites.
Employers also should train employees to detect phishing, they said, and implement multi-factor authentication and passwordless authentication including biometrics, and add "multi-layered controls" that can detect phishing and "adversary in the middle" interceptions, Gosschalk said. Those middleman scams are part of attempts to get around multi-factor authentication by standing between the user and the entity and capturing credentials and cookies to gain access.
Choice Bank CEO Brian Johnson confirmed to USA TODAY that the bank was used by the scammers.
He said the bank in Fargo, North Dakota, has frozen accounts and begun the process of returning lost money.