No matter how much you love your job, very few people work for free. About 80% of Americans receive their paychecks via direct deposit, but if a hacker manages to reroute your paycheck to his or her account, is that just tough luck and you don’t get paid? That’s basically what a faculty member at Western Michigan University (WMU) was told.
Ray Cool is an assistant professor for WMU Physical Education Teacher Education. In December, his GO WMU account was hacked and his $1,581 direct deposit paycheck was rerouted to a bank in Utah. MLive reported that “the crime was traced to a computer in New Mexico,” but WMU authorities were only able to recover $11.08 of his paycheck and “told Cool that they will not reimburse him for the amount that was stolen.”
On Dec. 20, WMU issued him a paycheck advance, Cool said, which he is paying back in four installments. However, he said he believes the university should reimburse him for his loss, since it was its system that was hacked. Cool said he filed a grievance last week with the Michigan Department of Licensing and Regulatory Affairs.
"I'm unbelievably frustrated right now," he said. "It's got to the point right now, it's not the money, it's the principle."
February 1 was change your password day, but a new password wouldn’t have helped in the WMU case. Although GO WMU now has a “Don't fall for Phishing!” message on the login page, each user of the system basically has one password to rule everything connected to their account. A Bronco NetID is a WMU “username for all major systems,” from email to student and employee info including “accessing financial account information.” When coupled with a password, the Bronco NetID “is used for all official WMU communication and access to online services offered through the GoWMU portal.”
Last fall after "two separate incidents of WMU employees having their paychecks stolen electronically," the university "instituted a process so that, whenever someone goes into their account and changes financial information, such as a routing number, they immediately get an email asking if that is a legitimate change." According to Cheryl Roland, executive director of university relations, "We know that happened in this case [theft of Cool’s paycheck]."
Yet Cool said he was teaching a class and “never saw the email warning him his routing number had changed. The hackers remained in Cool's account for approximately 40 minutes, Cool said detectives told him. WMU's information technology department later retrieved the email from his trash.” Cool added, "If the hackers are this smart that they can go in there, wait and delete the email, you would have to be watching your computer almost continuously."
Traditionally, if you are robbed via your bank, the Federal Deposit Insurance Corporation (FDIC) insures each depositor “to at least $250,000 per insured bank.” In Cool’s case, WMU isn’t taking responsibility for its system being hacked since Cool apparently fell for a phishing scam. Yet if a hacker did manage to access a university account, then sending an email to a compromised account to verify changes to financial info seems like an example of poor security practices. Having one password to rule everything may also be inadequate, even though that’s what many universities do.
In fact, WMU is just “one of several universities victimized by phishers recently;” the FBI is reportedly investigating all the cases. Also in December, 10 Boston University employees had their direct deposit paychecks stolen after cyber criminals used phishing emails to obtain the workers’ usernames and passwords and then changed their direct deposit information.
According to Quinn Shamblin, BU executive director of information security, “Suspicious internet protocol (IP) addresses gained access to the Kerberos accounts of 78 employees last month, but they apparently breached only 10 Employee Self-Service (ESS) accounts, which contain direct deposit bank information.” Although the “University is investigating whether the remaining 68 were compromised,” Shamblin said, “We have no indication at this time that sensitive information for this population was accessed.”
It’s not only universities suffering such thefts. Regarding electronic bank deposits, the Inspector General for the Social Security Administration (SSA) warned that fraudsters were using “phone calls, emails, and other methods to obtain personal information, then use it to commit identity theft.” The scammers were using the personal info to open a ‘my Social Security’ account and then stealing Social Security beneficiaries’ payments by rerouting them into their own accounts or debit cards. AARP reported that “between October 2011 and June 2013, an astounding $28 million in benefit payments have been stolen.”
Regarding Cool, WMU’s Roland claimed the “university doesn't have a written policy in place governing such cybercrimes.” She added, "This is a very new area. There are institutions across the country that have had a few incidents that set the precedent. It's something we are still looking at, and looking at all our processes as well to see if there's more we need to do." Although Cool fell for a phishing scam, it seems like WMU should have to reimburse him for the stolen direct deposit paycheck . . . not basically say tough luck and kiss the $1500 bye-bye. It was their system accessed after all.
What do you think? If a cybercrook rerouted your direct deposit paycheck, wouldn’t you still want your hard-earned dollars?
Phishing scams are as old as the Internet, but they are not all broken English emails and poorly designed sites asking for people to re-enter personal and financial data. Spoofed sites can appear legit. Don’t enter your info. It may be a pain, but call first to verify that company is asking for you to re-enter your personal and/or financial info. In light of the Target, Neiman Marcus and Michaels breaches, there’s millions upon millions of people vulnerable to identity theft and financial fraud crimes. Be careful out there.