The ridiculous cybersecurity and slow bureaucracy within the U. S. Postal ServiceThe U. S. has left many mail carriers, handlers and service workers victims of a complex direct deposit formula that has left them without pay and angry that the federal government has ignored several warnings.
Station bosses downplayed the incident, telling USA TODAY they were first notified in December of “unusual login activity involving a limited number of employees. “
In reality, cybercriminals for months lured workers for their payroll formula with a mirrored image online page that allegedly tricked many workers into offering their usernames and passwords. The bad actors then used this data to log into the actual formula and redirect workers’ paychecks. .
That has left workers like Atlanta postmaster Joe Hoagland in severe cash shortages.
When the paychecks stopped, Hoagland first thought his credit union had made a mistake. Then, his proof of payment revealed that $900 had been embezzled. When his manager after all told him there had been a protection problem, Hoagland was furious.
“I am the main breadwinner of my family; it’s not $200, it’s $900 in my check,” Hoagland said. “They had known for weeks and delayed telling us. “
Unions representing the post office helped relay data and advocate for the strengthening of PostalEASE’s human resources system.
The American Postal Workers Union says at least 460 of its members have lost at least one direct deposit, totaling about $1 million. Approximately a portion of this cash was recovered through the banks that voluntarily returned the cash.
Michael Martel, a spokesman for the U. S. Postal Inspector, said he may simply not speak about the ongoing investigation. However, he noted that “the U. S. Postal Inspection Service. “The U. S. has partnerships around the world with the Postal Service and the American public. “
“Anyone who engages in such conduct will need to know that it will not go unnoticed and that it will be held accountable, wherever it is,” he said.
The culprits may never be caught. Experts say that historically diverted money is temporarily transferred to other financial networks, abroad or to cryptocurrencies, making it difficult for the judicial formula to fit their needs.
The union said one worker said the postal service tried to divert the cash and issued them a check for what was left in the fraudulent account: $1. 78. Another worker didn’t realize the challenge until all of his automatic invoices bounced, resulting in a $500 bank fee. .
Charlie Cash, the union’s director of business relations, said the postal service has taken the position that the establishment has done nothing and is therefore not guilty.
“We don’t agree at all,” Cash said. A lot of those middle-class employees pay paycheck to paycheck, and that happened just before Christmas. “
Cash pointed to warnings dating back to a 2013 OIG audit of vulnerabilities in the HR formula that left it open to unauthorized access. National Arbitrator.
A union member also alerted the Postal Service in March 2022 about a series of fake human resources websites that made workers vulnerable, according to emails provided to USA TODAY. He was told to email spam@uspis. passv and the Postal Service investigates and sends stop and desist letters, “sites come and go with staggering frequency,” an unsigned email from the U. S. Postal Inspection Service responded. U. S.
The Postal Service rejected a Freedom of Information Act request from USA TODAY for stop and desist letters, trotting up industry secrets. USA TODAY appealed the decision.
The postal service’s official line is that it notified workers, monitored their compromised accounts, tried to redirect their cash and purchased a year of credit tracking for them. He also said he warned all workers about cybercriminals.
Postal Service Public Affairs declined USA TODAY’s requests for an interview to answer questions about the reasons and extent of the disorders and adjustments that followed.
However, in mid-January, Swiss Post implemented its first multi-factor authentication procedure for the HR site. This type of login may have prevented many unauthorized account changes, as it forces the user to verify their identity through a device for the time being. , like a smartphone.
National cybersecurity experts say multi-factor authentication is the minimum organizations implement to protect direct deposit systems. Some have called operating without it “poor security practice. “
Kevin Gosschalk, founder and chief executive of cybersecurity company Arkose Labs, said such attacks are “tragically common. “He pointed to FBI reports showing that fraud and cable embezzlement accounted for $2. 7 billion in losses in the U. S. Last year.
“It’s low risk and high return,” he said, “in part because the monetary mechanisms of cord transfers mean it’s incredibly difficult to carry out. “
Employees never stick to a link in an email or text message or look for results to get to a sensitive site, Mavens said. Instead, they have to bookmark their site or enter a URL manually to avoid similar sites.
Employers also exercise workers to stumble upon phishing, they said, and implement multi-factor authentication and passwordless authentication, add biometrics and load “multi-layered controls” that can stumble upon phishing and interceptions from “adversaries in the middle. “Gosschalk said. These man-in-the-middle scams are a component of attempts to pass multi-factor authentication through status between user and entity and capture credentials and cookies to access them.
More: ‘Beat the bad guys’: How a vigilant Ohio aunt ended an identity theft scheme
For Joe Hoagland, he had to navigate a chain phone, voicemails, emails and in-person visits with his manager to get to the bottom of the mess of his paychecks, which were regularly automatically deposited into his checking account. He won a paper refund checks two months late.
By then, the Postal Service had known the diverted destination of its cash as a pickpocket bank in Fargo, North Dakota. As in other cases, the courier requested the refund.
Choice Bank CEO Brian Johnson showed USA TODAY that the bank is being used by scammers. He said the bank had frozen the accounts and began the procedure of returning the lost money.
Hoagland’s payroll issue was resolved in March, but his identity theft issues would likely only be just beginning. Recently, he received notices that credit card programs were being canceled for cards he had never applied for.
Hoagland blames himself for being deceived, saying he also establishes duty between his employers and the bad actors who attack him.
“I’m a realist; I know there are thieves out there,” Hoagland said. “You just have to be alone and realize that (the threat) is never going to go away. “
Nick Penzenstadler is a reporter on USA TODAY’s investigative team. Contact him at npenz@usatoday. com or @npenzenstadler, or at Signal at (720) 507-5273.