Email ACH fraud - LawsonGuru.com - LawsonGuru.com Forums

Name	Points
Greg Moeller	4184
David Williams	3349
JonA	3288
Kat V	2984
Woozy	1973
Jimmy Chiu	1883
Kwane McNeal	1437
Ragu Raghavan	1348
Roger French	1311
mark.cook	1244

TheDude

Basic Member

Posts: 7

4/30/2018 1:45 PM

Hello,

We've been experiencing a wave of ACH fraud via email lately. Our employees receive a fraudulent email, accidently click on the link (even after being instructed to not do so), the hacker somehow obtains there login info. and makes ACH changes via ESS. We're currently still on Ver9 and I've confirmed with Infor there is no additional audit trail aside of PR212 or querying data from EMACHDEPST. Ideally, if the employee would simply not acknowledge the fraudulent email, we wouldn't be experiencing this issue. It's very difficult trying to determine a pattern of some sort within the data, aside of specific referenced banks in these scenarios. We're looking into implementing a possible additional layer of security with extra authentication of some sort. I'm just curious if anyone has experienced ESS fraud similar to this or has any possible suggestions? Thanks for any input.

Margie Gyurisin

Veteran Member

Posts: 538

4/30/2018 3:00 PM

Do you prenote new accounts? Does the employee receive an email when DD is changed? Does Payroll? Daily audits.

Those are my ideas.

TheDude

Basic Member

Posts: 7

4/30/2018 3:12 PM

Hi Margie,

Yup that's correct we do prenote new accounts and the employee hasn't been receiving the email confirmation, which I'm assuming is tied to the fraud. As of right now we just do daily audits of EMACHDEPST to look for anything suspicious. Thanks for input.

JimY

Veteran Member

Posts: 510

4/30/2018 3:14 PM

We experienced the same issue over a month ago. An employee clicked on the link which took them to a page that looked just like the Infor login page. They logged in and that is how the hacker got the credentials. The hacker then went and changed the bank R/T and Account and her check was deposited in the hackers account. We are in the process of implementing Two Factor Authentication, but have not worked out all of the issues. We are on version 10.0.9 environment and 10.0.7 application. The Two Factor Authentication works when they log into Employee Space, but the hacker can get the URL directly to the page and log in that way without going through Two Factor. Trying to figure out how to resolve that. Good Luck

Alex Tsekhansky

Veteran Member

Posts: 92

5/1/2018 2:51 AM

Some of our clients (cannot disclose the names for obvious reasons) had this issue as well. Some attacks were quite elaborate, including setting up a fake site that had some of the Lawson-like pages.
Most of the elaborate attacks originated outside US. So, geolocation (rejecting certain type of traffic originating outside US), curtailing outside (non-VPN) access to some of the Lawson functions and implementing two-factor authentication would be the ways to control this issue.
Two-factor authentication probably would be the most efficient way, though implementing it in an organization with say, 20,000+ people would take time. Also make sure that two-factor authentication is implemented directly in the Lawson environment to avoid the situation described by Jim above. There are discussions about it on this forum. The easiest ways include custom LDAP BIND, or built-in feature of ADFS.

TheDude

Basic Member

Posts: 7

5/3/2018 12:31 PM

Thanks for all the feedback, it's very appreciated.

Bob Canham

Veteran Member

Posts: 217

5/3/2018 12:39 PM

We got hit with something similar a few years back. We pulled the ability to do online ACH changes completely and went back to a paper method. We have two-factor authentication in place now, but haven't discussed returning this ability to users.

JWN

Posts: 3

10/30/2018 12:55 AM

[quote]
Posted By JimY on 04/30/2018 11:14 AM
We experienced the same issue over a month ago. An employee clicked on the link which took them to a page that looked just like the Infor login page. They logged in and that is how the hacker got the credentials. The hacker then went and changed the bank R/T and Account and her check was deposited in the hackers account. We are in the process of implementing Two Factor Authentication, but have not worked out all of the issues. We are on version 10.0.9 environment and 10.0.7 application. The Two Factor Authentication works when they log into Employee Space, but the hacker can get the URL directly to the page and log in that way without going through Two Factor. Trying to figure out how to resolve that. Good Luck
[/quote]

JWN

Posts: 3

10/30/2018 12:56 AM

[quote]
Posted By Alex Tsekhansky on 04/30/2018 10:51 PM
Some of our clients (cannot disclose the names for obvious reasons) had this issue as well. Some attacks were quite elaborate, including setting up a fake site that had some of the Lawson-like pages.
Most of the elaborate attacks originated outside US. So, geolocation (rejecting certain type of traffic originating outside US), curtailing outside (non-VPN) access to some of the Lawson functions and implementing two-factor authentication would be the ways to control this issue.
Two-factor authentication probably would be the most efficient way, though implementing it in an organization with say, 20,000+ people would take time. Also make sure that two-factor authentication is implemented directly in the Lawson environment to avoid the situation described by Jim above. There are discussions about it on this forum. The easiest ways include custom LDAP BIND, or built-in feature of ADFS.

[/quote]

JWN

Posts: 3

10/30/2018 12:57 AM

[quote]
Posted By TheDude on 04/30/2018 9:45 AM

Hello,

We've been experiencing a wave of ACH fraud via email lately. Our employees receive a fraudulent email, accidently click on the link (even after being instructed to not do so), the hacker somehow obtains there login info. and makes ACH changes via ESS. We're currently still on Ver9 and I've confirmed with Infor there is no additional audit trail aside of PR212 or querying data from EMACHDEPST. Ideally, if the employee would simply not acknowledge the fraudulent email, we wouldn't be experiencing this issue. It's very difficult trying to determine a pattern of some sort within the data, aside of specific referenced banks in these scenarios. We're looking into implementing a possible additional layer of security with extra authentication of some sort. I'm just curious if anyone has experienced ESS fraud similar to this or has any possible suggestions? Thanks for any input.

[/quote]

Paul Mockenhaupt

New Member

Posts: 1

10/30/2018 12:08 PM

Hello,

There is a product available called PerimeterMFA that makes these types of phishing attacks simply go away.

It provides multi-factor authentication for your Infor system - both on-prem installs as well as inside Infor Cloud Suite. It installs in as little as 15 minutes, is completely self-contained, and requires zero modifications to your system of infrastructure.

If anyone is interested in learning more, check out https://mockenhaupt.com or shoot me an email at paul@mockenhaupt.com.

Thanks.

-Paul

Todd Mitchell

Veteran Member

Posts: 87

10/30/2018 12:15 PM

We have avoided that issue by:

Creating reports of ACH changes that show what has changed and to determine if the same account is used for more than 1 employee
Employ 2 Factor Authentication

Joe O'Toole

Veteran Member

Posts: 314

11/1/2018 1:28 PM

We were thinking of writing a SQL process to identify changes but found that Infor delivers some canned ProcessFlows to send email notifications about critical changes in EMSS including ACH changes. The steps to enable these are outlined in the EMSS user guide. Has anyone implemented these flows and if so were there any problems or customizations required? Thanks.

Margie Gyurisin

Veteran Member

Posts: 538

11/1/2018 2:46 PM

We use the flows. It is modified somewhat. Our payroll depts. and the employee is notified.

Todd Mitchell

Veteran Member

Posts: 87

11/1/2018 2:56 PM

Are these flows for Lawson Process Flow of for Infor Process Automation? I have never used one of Lawson's canned flows, where do I find those?