Fiscal Management urges all agencies to review and further strengthen internal processes and procedures for requesting system or security changes. To avoid security threats, it is best to validate requests by a method other than email.
In the past, hackers harvested credentials such as user IDs, passwords, email addresses, etc., then used the credentials to access systems and gather data or other sensitive information.
Now, hackers target the most exposed credential of all: the email address. They hijack an email account, change its password, and then use that account to ask the agency to provide sensitive information or to make harmful changes to the user's profile, such as changing direct deposit instructions.
This is what makes these attacks so dangerous. Everything about the email appears legitimate, because it is: it comes from the real account. Since the email account itself is compromised, the traditional strategy of training users to spot illegitimate email will not work. Only a second, out-of-band level of validation (for example, confirming the request with the user by phone or in person) will ensure the instructions received actually came from the intended user.
See Fraud Prevention Recommendations for more tips, or contact your agency’s information security office for more information and/or to discuss and implement security improvements for your agency.