Email ACH fraud

TheDude
Basic Member
Posts: 7

    Hello,

    We've been experiencing a wave of ACH fraud via email lately. Our employees receive a fraudulent email, accidentally click on the link (even after being instructed to not do so), the hacker somehow obtains their login info, and makes ACH changes via ESS. We're currently still on Ver9 and I've confirmed with Infor there is no additional audit trail aside from PR212 or querying data from EMACHDEPST. Ideally, if the employee would simply not acknowledge the fraudulent email, we wouldn't be experiencing this issue. It's very difficult trying to determine a pattern of some sort within the data, aside from specific referenced banks in these scenarios. We're looking into implementing a possible additional layer of security with extra authentication of some sort. I'm just curious if anyone has experienced ESS fraud similar to this or has any possible suggestions? Thanks for any input.

    Margie Gyurisin
    Veteran Member
    Posts: 538
      Do you prenote new accounts? Does the employee receive an email when DD is changed? Does Payroll? Daily audits.

      Those are my ideas.
      TheDude
      Basic Member
      Posts: 7
        Hi Margie,

        Yup, that's correct, we do prenote new accounts, and the employee hasn't been receiving the email confirmation, which I'm assuming is tied to the fraud. As of right now we just do daily audits of EMACHDEPST to look for anything suspicious. Thanks for the input.
        JimY
        Veteran Member
        Posts: 510
          We experienced the same issue over a month ago. An employee clicked on the link which took them to a page that looked just like the Infor login page. They logged in and that is how the hacker got the credentials. The hacker then went and changed the bank R/T and Account and her check was deposited in the hacker's account. We are in the process of implementing Two Factor Authentication, but have not worked out all of the issues. We are on version 10.0.9 environment and 10.0.7 application. The Two Factor Authentication works when they log into Employee Space, but the hacker can get the URL directly to the page and log in that way without going through Two Factor. Trying to figure out how to resolve that. Good Luck
          Alex Tsekhansky
          Veteran Member
          Posts: 92
            Some of our clients (cannot disclose the names for obvious reasons) had this issue as well. Some attacks were quite elaborate, including setting up a fake site that had some of the Lawson-like pages.
            Most of the elaborate attacks originated outside the US. So, geolocation (rejecting certain types of traffic originating outside the US), curtailing outside (non-VPN) access to some of the Lawson functions and implementing two-factor authentication would be the ways to control this issue.
            Two-factor authentication probably would be the most efficient way, though implementing it in an organization with, say, 20,000+ people would take time. Also make sure that two-factor authentication is implemented directly in the Lawson environment to avoid the situation described by Jim above. There are discussions about it on this forum. The easiest ways include custom LDAP BIND, or a built-in feature of ADFS.
            TheDude
            Basic Member
            Posts: 7
              Thanks for all the feedback, it's very appreciated.
              Bob Canham
              Veteran Member
              Posts: 217
                We got hit with something similar a few years back. We pulled the ability to do online ACH changes completely and went back to a paper method. We have two-factor authentication in place now, but haven't discussed returning this ability to users.
                JWN
                Posts: 3
                  [quote]
                  Posted By JimY on 04/30/2018 11:14 AM
                  We experienced the same issue over a month ago. An employee clicked on the link which took them to a page that looked just like the Infor login page. They logged in and that is how the hacker got the credentials. The hacker then went and changed the bank R/T and Account and her check was deposited in the hacker's account. We are in the process of implementing Two Factor Authentication, but have not worked out all of the issues. We are on version 10.0.9 environment and 10.0.7 application. The Two Factor Authentication works when they log into Employee Space, but the hacker can get the URL directly to the page and log in that way without going through Two Factor. Trying to figure out how to resolve that. Good Luck
                  [/quote]
                  JWN
                  Posts: 3
                    [quote]
                    Posted By Alex Tsekhansky on 04/30/2018 10:51 PM
                    Some of our clients (cannot disclose the names for obvious reasons) had this issue as well. Some attacks were quite elaborate, including setting up a fake site that had some of the Lawson-like pages.
                    Most of the elaborate attacks originated outside the US. So, geolocation (rejecting certain types of traffic originating outside the US), curtailing outside (non-VPN) access to some of the Lawson functions and implementing two-factor authentication would be the ways to control this issue.
                    Two-factor authentication probably would be the most efficient way, though implementing it in an organization with, say, 20,000+ people would take time. Also make sure that two-factor authentication is implemented directly in the Lawson environment to avoid the situation described by Jim above. There are discussions about it on this forum. The easiest ways include custom LDAP BIND, or a built-in feature of ADFS.

                    [/quote]
                    JWN
                    Posts: 3
                      [quote]
                      Posted By TheDude on 04/30/2018 9:45 AM

                      Hello,


                      We've been experiencing a wave of ACH fraud via email lately. Our employees receive a fraudulent email, accidentally click on the link (even after being instructed to not do so), the hacker somehow obtains their login info, and makes ACH changes via ESS. We're currently still on Ver9 and I've confirmed with Infor there is no additional audit trail aside from PR212 or querying data from EMACHDEPST. Ideally, if the employee would simply not acknowledge the fraudulent email, we wouldn't be experiencing this issue. It's very difficult trying to determine a pattern of some sort within the data, aside from specific referenced banks in these scenarios. We're looking into implementing a possible additional layer of security with extra authentication of some sort. I'm just curious if anyone has experienced ESS fraud similar to this or has any possible suggestions? Thanks for any input.


                      [/quote]
                      Paul Mockenhaupt
                      New Member
                      Posts: 1
                        Hello,

                        There is a product available called PerimeterMFA that makes these types of phishing attacks simply go away.

                        It provides multi-factor authentication for your Infor system - both on-prem installs as well as inside Infor Cloud Suite. It installs in as little as 15 minutes, is completely self-contained, and requires zero modifications to your system or infrastructure.

                        If anyone is interested in learning more, check out https://mockenhaupt.com or shoot me an email at paul@mockenhaupt.com.

                        Thanks.

                        -Paul
                        Todd Mitchell
                        Veteran Member
                        Posts: 87

                          We have avoided that issue by:

                          • Creating reports of ACH changes that show what has changed and to determine if the same account is used for more than 1 employee
                          • Employ 2 Factor Authentication
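
The report described in the post above (what changed, and whether one bank account is used by more than one employee), as an added example that is not part of the original thread or of any Infor product: it diffs two daily exports of direct-deposit rows. The column names and sample rows are constructed assumptions; map them to whatever your EMACHDEPST query returns.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (not real data). Column names are hypothetical;
# map them to the columns your own EMACHDEPST query returns.
YESTERDAY = """employee,dist,routing,account
1001,1,111111111,000111222
1002,1,222222222,000333444
1003,1,333333333,000555666
1003,2,333333333,000777888
"""
TODAY = """employee,dist,routing,account
1001,1,999999991,900000001
1002,1,999999991,900000001
1003,1,333333333,000555666
1004,1,444444444,000999000
"""

def load(text):
    """Index a snapshot by (employee, distribution number)."""
    return {(r["employee"], r["dist"]): (r["routing"], r["account"])
            for r in csv.DictReader(io.StringIO(text))}

def diff_snapshots(old, new):
    """Return (kind, key, before, after) for each added, removed or changed row."""
    out = []
    for key in sorted(old.keys() | new.keys()):
        before, after = old.get(key), new.get(key)
        if before == after:
            continue
        kind = "added" if before is None else "removed" if after is None else "changed"
        out.append((kind, key, before, after))
    return out

def shared_accounts(snapshot):
    """Return {(routing, account): [employees]} for accounts used by 2+ employees."""
    owners = defaultdict(set)
    for (employee, _dist), bank in snapshot.items():
        owners[bank].add(employee)
    return {bank: sorted(emps) for bank, emps in owners.items() if len(emps) > 1}

if __name__ == "__main__":
    old, new = load(YESTERDAY), load(TODAY)
    for change in diff_snapshots(old, new):
        print(*change)
    print("shared:", shared_accounts(new))
```

Keeping each day's export gives a change history that does not depend on the employee receiving a confirmation email.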

                           

                           

                          Joe O'Toole
                          Veteran Member
                          Posts: 314
                            We were thinking of writing a SQL process to identify changes but found that Infor delivers some canned ProcessFlows to send email notifications about critical changes in EMSS including ACH changes. The steps to enable these are outlined in the EMSS user guide. Has anyone implemented these flows and if so were there any problems or customizations required? Thanks.
                            Margie Gyurisin
                            Veteran Member
                            Posts: 538
                              We use the flows. It is modified somewhat. Our payroll depts. and the employee are notified.
                              Todd Mitchell
                              Veteran Member
                              Posts: 87

                                Are these flows for Lawson Process Flow or for Infor Process Automation? I have never used one of Lawson's canned flows, where do I find those?