The US Postal Service’s lax cybersecurity and slow-moving bureaucracy meant that hundreds of mail carriers, handlers and service clerks fell victim to a complex direct deposit scheme that left them unpaid and angry that the federal government had failed to heed multiple warnings.
Postal leaders have played down the incident, telling USA TODAY in a statement that they were first notified in December about “unusual sign-on activity involving a limited number of employees.”
Indeed, for several months cybercriminals lured employees looking for their payroll system to a look-alike website that reportedly tricked hundreds of employees into providing their usernames and passwords. The attackers then used those credentials to log into the real system and redirect employee salaries.
That left employees like Joe Hoagland, an Atlanta mail handler, in a cash bind.
When the paychecks stopped, Hoagland at first thought his credit union had made a mistake. Then his payroll records showed that $900 had been diverted. When his supervisor finally told him there was a security issue, Hoagland was furious.
“I’m the primary breadwinner in my family; that’s not a $200 check, that’s a $900 check,” Hoagland said. “They’ve known about it for weeks and have been slow to tell us.”
Unions are pushing for answers and fixes
Unions representing postal workers helped relay information and advocate for employees affected by the attack on the PostalEASE human resources system.
The American Postal Workers Union says at least 460 of its members have lost at least one direct deposit, totaling about $1 million. About half of that money has been recovered, with banks voluntarily returning it.
Michael Martell, a spokesman for the U.S. Postal Inspection Service, said he could not discuss the ongoing investigation. However, he noted, “The United States Postal Inspection Service has partnerships around the world to protect the Postal Service and the American public.”
“Anyone who engages in such behavior should know that they will not be detected, and will be held accountable, no matter where they are,” he said.
The perpetrators may never be caught. Experts say stolen funds are typically moved quickly through other financial networks, offshore or into cryptocurrencies, making them difficult for law enforcement to trace.
According to the union, one employee said the Postal Service tried to recover the misdirected money and issued them a check for what was left in the fraudulent account: $1.78. Another employee didn’t notice the problem until all of her automatic payments bounced, resulting in $500 in bank fees.
Charlie Cash, the union’s director of industrial relations, said the Postal Service had taken the position that the agency had done nothing wrong and was therefore not at fault.
“We totally disagree,” Cash said. “A lot of these middle-class workers live paycheck to paycheck, and this happened right before Christmas.”
Cash pointed to warnings dating back to a 2013 Office of the Inspector General review that found vulnerabilities in the human resources system leaving it open to unauthorized access. Cash and the Postal Workers Union filed a complaint, known as a national dispute, and said the union is considering escalating it to a national arbitrator.
A union member also alerted the Postal Service in March 2022 to a string of fake HR websites that left employees vulnerable, according to emails provided to USA TODAY. He was told to email [email protected], and though the Postal Service investigates and sends cease-and-desist letters, “sites come and go with startling frequency,” an unsigned email from the U.S. Postal Inspection Service responded.
The Postal Service denied a Freedom of Information Act request from USA TODAY for the cease-and-desist letters, citing commercial trade secrets. USA TODAY has appealed the decision.
The Postal Service is sympathetic, but says it is not responsible
The official line from the Postal Service is that it notified the affected employees, monitored their hacked accounts, tried to recover their redirected money and bought them a year of credit monitoring. The agency also said it had warned all employees about cybercriminals.
Postal Service public affairs staff declined requests from USA TODAY for an interview to answer questions about the causes and scope of the problems and ensuing changes.
However, in mid-January, the Postal Service for the first time launched multi-factor authentication for access to its HR site. This type of login could have prevented many unauthorized account changes because it requires the user to confirm their identity via a second device, such as a smartphone.
National cybersecurity experts say multi-factor authentication is the minimum that organizations should deploy to protect direct deposit systems. Some have described working without it as “malfunctional security practices”.
Such attacks are “tragically common,” said Kevin Gosschalk, founder and CEO of cybersecurity firm Arkose Labs. He pointed to FBI reports that showed fraud and diversion accounted for $2.7 billion in losses across the United States last year.
“It’s low-risk and high-return, in part because the financial mechanisms of bank transfers mean they’re so hard to get rid of,” he said.
How can you avoid salary transfer scams?
Experts said employees should never follow a link in an email, text or search result to reach a sensitive site. Instead, they should bookmark the site or type the URL manually to avoid look-alike sites.
Employers should also train employees to spot phishing, implement multi-factor authentication and passwordless authentication including biometrics, and add “layered controls” that can detect phishing and “discount-in-the-middle” interceptions, Gosschalk said. These middleman scams are attempts to get around multi-factor authentication by placing a proxy between the user and the real site and capturing the credentials and session cookies that pass through it.
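As an added illustration of the kind of layered control described above (not code from the article, the Postal Service or Arkose Labs), the following detector runs over constructed sign-on and direct-deposit-change events and flags the two patterns from this incident: a payroll change made shortly after a sign-on from a device never seen for that employee, and a single destination account collecting several employees’ pay. Event fields, user names and account labels are all assumed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (illustrative only, not the Postal Service's logs).
SIGNONS = [
    {"user": "carrier01", "ts": "2022-11-20T08:02:00", "device": "dev-a1"},
    {"user": "carrier01", "ts": "2022-12-01T22:41:00", "device": "dev-zz"},
    {"user": "clerk02", "ts": "2022-11-15T07:55:00", "device": "dev-b2"},
    {"user": "clerk02", "ts": "2022-12-02T09:10:00", "device": "dev-b2"},
    {"user": "handler03", "ts": "2022-12-03T23:05:00", "device": "dev-zz"},
]
DD_CHANGES = [
    {"user": "carrier01", "ts": "2022-12-01T22:49:00", "account": "ACCT-9001"},
    {"user": "clerk02", "ts": "2022-12-02T09:30:00", "account": "ACCT-1234"},
    {"user": "handler03", "ts": "2022-12-03T23:12:00", "account": "ACCT-9001"},
]


def _t(s):
    return datetime.fromisoformat(s)


def flag_direct_deposit_changes(signons, changes, window=timedelta(hours=1)):
    """Return {user: [reasons]} for direct-deposit changes that look like account takeover.

    Rule 1: a sign-on within `window` before the change came from a device never
            seen for that user in any earlier sign-on.
    Rule 2: the new destination account is shared by more than one employee,
            i.e. one mule account collecting several salaries.
    """
    by_user = defaultdict(list)
    for s in sorted(signons, key=lambda s: s["ts"]):
        by_user[s["user"]].append(s)
    users_per_account = defaultdict(set)
    for c in changes:
        users_per_account[c["account"]].add(c["user"])
    flags = defaultdict(list)
    for c in changes:
        when = _t(c["ts"])
        seen = set()  # devices this user had used before the sign-on being examined
        for s in by_user[c["user"]]:
            st = _t(s["ts"])
            if st > when:
                break
            if when - st <= window and s["device"] not in seen:
                flags[c["user"]].append(f"sign-on from new device {s['device']} before change")
            seen.add(s["device"])
        if len(users_per_account[c["account"]]) > 1:
            flags[c["user"]].append(f"destination {c['account']} shared by multiple employees")
    return dict(flags)
```

On the sample data, carrier01 and handler03 are flagged on both rules, while clerk02, who changed the account from a device already on file and to an account nobody else uses, is not.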
For Joe Hoagland, it took navigating a phone tree, voicemails, emails, and in-person visits with his supervisor to untangle the mess of his paychecks, which are usually deposited automatically into his checking account. He received paper checks after about two months.
By then, the Postal Service had identified the redirected destination for his money as Choice Bank in Fargo, North Dakota. As in other cases, the postal employees requested the funds back.
Choice Bank CEO Brian Johnson confirmed to USA TODAY that fraudsters used the bank. He said the bank had frozen the accounts and started the process of returning the lost money.
Hoagland’s salary issue was resolved by March, but his identity theft problems may have just begun. He recently received cancellation notices for credit card orders for cards he never ordered.
Hoagland blames himself for being deceived but says he divides accountability equally between his employer and the bad guys who targeted him.
“I’m a realist. I know there are scammers out there,” Hoagland said. “You just have to protect yourself and realize that (the threat) will never go away.”
Nick Penzenstadler is a reporter on USA TODAY’s investigative staff. Contact him at [email protected] or @npenzenstadler, or on Signal at (720) 507-5273.