Last Post 11/01/2018 10:56 AM by  Todd Mitchell
Email ACH fraud
 14 Replies
TheDude
Payroll IS Analyst
Private
Basic Member
(14 points)
Basic Member
Posts:6


04/30/2018 9:45 AM

    Hello,

    We've been experiencing a wave of ACH fraud via email lately. Our employees receive a fraudulent email, accidentally click on the link (even after being instructed to not do so), the hacker somehow obtains their login info, and makes ACH changes via ESS. We're currently still on Ver9 and I've confirmed with Infor there is no additional audit trail aside from PR212 or querying data from EMACHDEPST. Ideally, if the employee would simply not acknowledge the fraudulent email, we wouldn't be experiencing this issue. It's very difficult trying to determine a pattern of some sort within the data, aside from specific referenced banks in these scenarios. We're looking into implementing a possible additional layer of security with extra authentication of some sort. I'm just curious if anyone has experienced ESS fraud similar to this or has any possible suggestions? Thanks for any input.

    Margie Gyurisin
    Private
    Private
    Veteran Member
    (1434 points)
    Veteran Member
    Posts:538


    04/30/2018 11:00 AM
    Do you prenote new accounts? Does the employee receive an email when DD is changed? Does Payroll? Daily audits.

    Those are my ideas.
    TheDude
    Payroll IS Analyst
    Private
    Basic Member
    (14 points)
    Basic Member
    Posts:6


    04/30/2018 11:12 AM
    Hi Margie,

    Yup, that's correct, we do prenote new accounts and the employee hasn't been receiving the email confirmation, which I'm assuming is tied to the fraud. As of right now we just do daily audits of EMACHDEPST to look for anything suspicious. Thanks for the input.
    JimY
    Private
    Private
    Veteran Member
    (1438 points)
    Veteran Member
    Posts:510


    04/30/2018 11:14 AM
    We experienced the same issue over a month ago. An employee clicked on the link which took them to a page that looked just like the Infor login page. They logged in and that is how the hacker got the credentials. The hacker then went and changed the bank R/T and Account and her check was deposited in the hacker's account. We are in the process of implementing Two Factor Authentication, but have not worked out all of the issues. We are on version 10.0.9 environment and 10.0.7 application. The Two Factor Authentication works when they log into Employee Space, but the hacker can get the URL directly to the page and log in that way without going through Two Factor. Trying to figure out how to resolve that. Good luck.
    Alex Tsekhansky
    Private
    Private
    Veteran Member
    (276 points)
    Veteran Member
    Posts:92


    04/30/2018 10:51 PM
    Some of our clients (cannot disclose the names for obvious reasons) had this issue as well. Some attacks were quite elaborate, including setting up a fake site that had some of the Lawson-like pages.
    Most of the elaborate attacks originated outside the US. So, geolocation (rejecting certain types of traffic originating outside the US), curtailing outside (non-VPN) access to some of the Lawson functions and implementing two-factor authentication would be the ways to control this issue.
    Two-factor authentication probably would be the most efficient way, though implementing it in an organization with, say, 20,000+ people would take time. Also make sure that two-factor authentication is implemented directly in the Lawson environment to avoid the situation described by Jim above. There are discussions about it on this forum. The easiest ways include a custom LDAP BIND, or a built-in feature of ADFS.
    TheDude
    Payroll IS Analyst
    Private
    Basic Member
    (14 points)
    Basic Member
    Posts:6


    05/03/2018 8:31 AM
    Thanks for all the feedback, it's very appreciated.
    Bob Canham
    Private
    Private
    Veteran Member
    (593 points)
    Veteran Member
    Posts:215


    05/03/2018 8:39 AM
    We got hit with something similar a few years back. We pulled the ability to do online ACH changes completely and went back to a paper method. We have two-factor authentication in place now, but haven't discussed returning this ability to users.
    Paul Mockenhaupt
    President/CEO
    Private
    New Member
    (3 points)
    New Member
    Posts:1


    10/30/2018 8:08 AM
    Hello,

    There is a product available called PerimeterMFA that makes these types of phishing attacks simply go away.

    It provides multi-factor authentication for your Infor system - both on-prem installs as well as inside Infor Cloud Suite. It installs in as little as 15 minutes, is completely self-contained, and requires zero modifications to your system or infrastructure.

    If anyone is interested in learning more, check out https://mockenhaupt.com or shoot me an email at paul@mockenhaupt.com.

    Thanks.

    -Paul
    Todd Mitchell
    Senior IT Specialist
    Gordon Food Service
    Veteran Member
    (207 points)
    Veteran Member
    Posts:87


    10/30/2018 8:15 AM

    We have avoided that issue by:

    • Creating reports of ACH changes that show what has changed and to determine if the same account is used for more than 1 employee
    • Employ 2 Factor Authentication

     

     

    Joe O'Toole
    Private
    Private
    Veteran Member
    (802 points)
    Veteran Member
    Posts:312


    11/01/2018 9:28 AM
    We were thinking of writing a SQL process to identify changes but found that Infor delivers some canned ProcessFlows to send email notifications about critical changes in EMSS including ACH changes. The steps to enable these are outlined in the EMSS user guide. Has anyone implemented these flows and if so were there any problems or customizations required? Thanks.
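
Added example, not part of the thread and not Infor-delivered code: one way to build the daily ACH change report that Todd Mitchell and Joe O'Toole describe above, showing what changed, whether the new account is shared by more than one employee, and whether the new bank is on a watchlist of banks seen in earlier fraud. The `ach_change` table, its column names and the `daily_report` helper are hypothetical (this is not the real EMACHDEPST or PR212 layout), and all rows are constructed.

```python
import sqlite3

# Hypothetical change-log layout; these column names are assumptions for the
# example and are not the real EMACHDEPST or PR212 layout.
SCHEMA = """CREATE TABLE ach_change (
    employee TEXT, changed_on TEXT,
    old_routing TEXT, old_account TEXT,
    new_routing TEXT, new_account TEXT)"""

# Constructed sample data (routing and account values are made up).
SAMPLE = [
    ("1001", "2018-04-26", "900000001", "A-1111", "900000001", "A-2222"),
    ("1002", "2018-04-27", "900000002", "B-3333", "900000009", "Z-7777"),
    ("1003", "2018-04-27", "900000003", "C-4444", "900000009", "Z-7777"),
    ("1004", "2018-04-27", "900000004", "D-5555", "900000009", "Y-8888"),
]

def load(rows=SAMPLE):
    """Load the change log into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO ach_change VALUES (?,?,?,?,?,?)", rows)
    return conn

def daily_report(conn, day, watch_routing=()):
    """Return one dict per change made on `day`, with review flags."""
    # Destination accounts that more than one employee has changed to.
    shared = {
        (r, a) for r, a in conn.execute(
            """SELECT new_routing, new_account FROM ach_change
               GROUP BY new_routing, new_account
               HAVING COUNT(DISTINCT employee) > 1""")
    }
    report = []
    cur = conn.execute(
        """SELECT employee, old_routing, old_account, new_routing, new_account
           FROM ach_change WHERE changed_on = ? ORDER BY employee""", (day,))
    for emp, o_rt, o_ac, n_rt, n_ac in cur:
        flags = []
        if (n_rt, n_ac) in shared:
            flags.append("shared-account")
        if n_rt in watch_routing:
            flags.append("watchlisted-bank")
        report.append({"employee": emp, "old": (o_rt, o_ac),
                       "new": (n_rt, n_ac), "flags": flags})
    return report

if __name__ == "__main__":
    for row in daily_report(load(), "2018-04-27", watch_routing={"900000009"}):
        print(row)
```

The shared-account check looks across the whole change log rather than a single day, so a destination account reused on different days is still flagged.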
    Margie Gyurisin
    Private
    Private
    Veteran Member
    (1434 points)
    Veteran Member
    Posts:538


    11/01/2018 10:46 AM
    We use the flows. It is modified somewhat. Our payroll depts. and the employee are notified.
    Todd Mitchell
    Senior IT Specialist
    Gordon Food Service
    Veteran Member
    (207 points)
    Veteran Member
    Posts:87


    11/01/2018 10:56 AM

    Are these flows for Lawson Process Flow or for Infor Process Automation? I have never used one of Lawson's canned flows; where do I find those?
