Advisory: College Payroll Theft Scheme

Universities and colleges in Michigan have been targeted by spearphishing (targeted emails) campaigns designed to steal user credentials.   In August of 2013 a University of Michigan employee had their direct deposit information altered following a successful phishing attack.  A similar successful attack occurred in December of 2013 with a University of Western Michigan employee.  Many of these campaigns have used harvested credentials to alter victim’s direct deposit information.

During these attacks, the phishing e-mails have contained official institutional images, spoofed sender e-mail address (such as, and often use subjects related to salary increases to lure victims into clicking on malicious links. Subject lines have included:

-Your Salary Review Documents

-Important Salary Notification

-Your Salary Raise Confirmation

-connection from unexpected IP

-RE: Mailbox has exceeded its storage limit.

A raise sounds good, right?  The malicious links contained in these e-mails direct victims to fake webpages controlled by the attackers that look nearly identical to their university’s legitimate login portals, such as Once the user provides their login credentials, the credentials are commonly used by the attackers to access the victim’s payroll information and re-route direct deposits to a bank account controlled by the attacker.

How do you prevent the attack?  Users should be cautious when accessing e-mail and never send account information to others.  Do you know the sender?  If not, don’t click on the embedded links, and forward the email to the LCC help desk at  In addition, users should use caution and double-check the URL using the ‘hover method.’  This means to move your mouse pointer over the email embedded link without clicking and the true address of the link will appear.  Does the link for MyLCC begin with:… If not, you are being sent to a malicious web site!

If you have any questions or need further info, please contact the LCC ITS division, Director of Information Security, Mr Paul H. Schwartz,