Phishing scam costs UAMS over $65,000

Schemers’ email targeted workers, said pay raises due

FAYETTEVILLE -- The University of Arkansas for Medical Sciences lost more than $65,000 in salary overpayments earlier this year after nine employees fell prey to a phishing scam, auditors said Thursday.



RELATED ARTICLES

http://www.arkansas…">UA dean a Georgia finalist http://www.arkansas…">UA trustees listen to $20M plan for more recreation sites http://www.arkansas…">UA to rid registration system of ISIS name

The academic medical center is working to correct the system failures in several ways, including picking out software that will help with identity theft issues, said Rhonda Jorden, the UAMS vice chancellor for information technology and chief information officer.

The new software will be similar to what is used in online banking systems, she said.

"It's bigger than just the payroll deck," said Jacob Flournoy, director of the University of Arkansas System's Internal Audit Department. "UAMS and its treasury function has about $1 billion go through [there], and most of it is electronic funds transfers. [They are] trying to come in and get wire transfers.

"What I've been told is it was an international scheme. Once we get into international schemes, we're at a pretty high risk. This is not some teenager working at home. This is a sophisticated group of individuals coming at us."

Phishing scams are online attempts at stealing sensitive information by someone pretending to be a trustworthy entity.

The phishing email, which was sent to nearly 300 UAMS employees, was reported to the academic medical center's information technology help desk at 11:40 a.m. June 6. The email carrying the subject line "New Salary Starting June 2015" had a UAMS logo at the top, along with a copyright sign on the bottom.

It said the employees were eligible for a salary increase and asked the email recipients to "Login below with your credentials to read your salary raise letter." The email was signed, "Faithfully, Human Resources."

In about 30 minutes, UAMS' information-technology security workers blocked the link provided in the email and prevented it from being distributed to any other employees, according to UA System documents. The email was then deleted from the UAMS server, but the security workers could not stop employees from accessing the link on a personal computer or mobile device.

UAMS determined that nine employees had accessed the link through personal computers or using mobile devices after those employees noticed they were not paid during the June 30 pay cycle. The attackers used the employees' credentials to access their login names, passwords, Social Security numbers, employee identification numbers and bank account numbers, documents show.
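The attack chain the article describes has two points a defender can instrument: the lure (an HR/salary message that asks staff to log in through an off-domain link) and the payroll control (a direct-deposit destination changed shortly after the credentials were captured). The following Python is an added example written for this page, not code from UAMS, the UA System or the article; the organisation domain, the message text and the payroll change records are all constructed placeholders. `phish_score` scores an incoming message on the indicators quoted above, and `deposit_changes_after_phish` lists employees whose bank account changed inside the window after a phish was reported, so those payments can be held for out-of-band confirmation.

```python
"""Added example (not from the article): triage heuristics for a payroll-themed
credential phish and a payroll control check. All data below is constructed."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed placeholder for the organisation's mail/web domain (not UAMS' real domain).
ORG_DOMAIN = "example-med.edu"

# Lure phrases typical of HR/salary credential phish; two are quoted in the article.
LURE_PATTERNS = [
    re.compile(r"\bnew salary\b", re.I),
    re.compile(r"\bsalary (raise|increase)\b", re.I),
    re.compile(r"\blogin\b.*\bcredentials\b", re.I),
]
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def _is_org_host(host):
    """True when host is the organisation domain or a subdomain of it."""
    host = host.lower()
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)


def external_links(body):
    """Return the hostnames of links in body that point outside the org domain."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if host and not _is_org_host(host):
            hosts.append(host.lower())
    return hosts


def phish_score(msg):
    """Score a message dict with 'from', 'subject' and 'body' keys.

    Returns (score, reasons). A score of 3 or more warrants analyst review;
    a lure plus an off-domain login link is the combination seen in this case.
    """
    score, reasons = 0, []
    sender_host = msg["from"].rsplit("@", 1)[-1].strip("> ")
    text = msg["subject"] + "\n" + msg["body"]
    if not _is_org_host(sender_host):
        score += 1
        reasons.append("sender outside org domain: " + sender_host)
    lures = [p.pattern for p in LURE_PATTERNS if p.search(text)]
    if lures:
        score += len(lures)
        reasons.append("HR/salary lure: " + "; ".join(lures))
    ext = external_links(msg["body"])
    if ext:
        score += 2  # a login link leaving the org domain is the key indicator
        reasons.append("off-domain link host(s): " + ", ".join(ext))
    return score, reasons


def deposit_changes_after_phish(changes, reported_at, window_days=30):
    """changes: iterable of (employee_id, changed_at, old_acct_last4, new_acct_last4).

    Returns the sorted employee ids whose direct-deposit destination actually
    changed within window_days after the phish was reported. Those payouts
    should be held until the employee confirms the change out of band.
    """
    end = reported_at + timedelta(days=window_days)
    return sorted({emp for emp, t, old, new in changes
                   if reported_at <= t <= end and old != new})


# Constructed sample data (wording modelled on the lure quoted in the article).
SAMPLE_PHISH = {
    "from": "hr@example-med-payroll.com",
    "subject": "New Salary Starting June 2015",
    "body": ("You are eligible for a salary increase. Login below with your "
             "credentials to read your salary raise letter.\n"
             "http://login.example-phish.test/hr\nFaithfully, Human Resources"),
}
SAMPLE_BENIGN = {
    "from": "hr@example-med.edu",
    "subject": "Holiday schedule",
    "body": "Offices close Friday. See https://intranet.example-med.edu/calendar",
}
PHISH_REPORTED = datetime(2015, 6, 6, 11, 40)  # help-desk report time from the article
SAMPLE_CHANGES = [
    ("E1001", datetime(2015, 6, 9), "1234", "9876"),   # changed after the report
    ("E1002", datetime(2015, 6, 2), "5555", "6666"),   # changed before the report
    ("E1003", datetime(2015, 6, 20), "4321", "4321"),  # no real change
    ("E1004", datetime(2015, 6, 25), "1111", "2222"),  # changed before pay cycle
]

if __name__ == "__main__":
    print(phish_score(SAMPLE_PHISH))   # (6, [...])
    print(phish_score(SAMPLE_BENIGN))  # (0, [])
    print(deposit_changes_after_phish(SAMPLE_CHANGES, PHISH_REPORTED))  # ['E1001', 'E1004']
```

The scoring is deliberately simple: the point is that a payroll lure combined with a login link that leaves the organisation's domain is enough to quarantine a message for review, and that a direct-deposit change in the weeks after a reported phish is a payroll event to hold rather than process, regardless of whether the mail filter caught the original message.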

In total, UAMS was set to lose $148,117.03 from the international scammers but was able to recover payroll funds fully from five accounts and partially from another account. After the recovery effort, UAMS lost $65,403.60, documents show.

UAMS servers were hit with a handful of other phishing attempts in the meantime. UAMS police have turned the case over to the FBI, UAMS spokesman Leslie Taylor said.

Deb Green, a spokesman for the FBI's Little Rock field office, did not return a message late Thursday.

Phishing schemes usually are periodic, but they've gotten more and more sophisticated, said Bill Bowes, UAMS' vice chancellor for finance and chief financial officer. The scheme was tracked to a Polish network, documents show.

"Maybe with the underground nature of the people doing this, once one person or one group finds UAMS lacks controls, it goes to multiple groups around the world," UA System Trustee Jim von Gremp said. "So this [month], it could be one attempt. Months from now, it could be five attempts."

UAMS officials said during a UA System board meeting Thursday that they are working on procedures to prevent identity theft.

Officials are now selecting a software vendor for online protection, Jorden said, adding that she expected it to cost about $700,000. She is expecting it to be in place by July 1. They are also reviewing and enhancing their incident response plan for online fraud attempts.

The academic medical center also has drafted a policy that would make the employee who fell prey to a phishing scam responsible for any financial loss. UAMS is hoping to have that in place by the end of the year.

Metro on 11/20/2015
