An internet scammer or scammers allegedly stole monthly paychecks from 10 Boston University employees last month by somehow obtaining the workers’ usernames and passwords and changing their direct deposit information.
Another 68 university employees had work-related accounts accessed by an outside device using suspicious Internet protocol addresses, but officials said they do not believe sensitive information was accessed from those workers.
Campus officials said the FBI is investigating the case along with similar cases reported recently at several other universities, according to BU’s news website, BU Today.
No suspects have been identified, said Detective Lieutenant Peter DiDomenica of the BU Police Department, which is aiding the federal investigation.
Officials did not say how much money was stolen.
Authorities said they believe the BU employees’ private log-in information was stolen through phishing, a common scamming technique in which people are lured in by fraudulent, but real- and trustworthy-looking emails, links or websites and then unsuspectingly give up personal information.
BU said it temporarily shut down its electronic payroll system on Jan. 2 after learning of the breach.
Three days later, the service was restored for all but 510 employees who had made changes to their direct deposit information in December. The university said it has notified those workers to confirm that they made those changes. Those accounts will remain disabled until the employees respond.
As required by law, BU has alerted the state Attorney General’s office and the Office of Consumer Affairs and Business Regulation, officials said.
In its notification to the state agencies, the university vowed to monitor all changes made to employee direct deposit information until authorities are confident there is no longer a threat.
The university said it is analyzing emails sent to the affected employees to try to identify any phishing messages that may be connected to the case.
Authorities said they are also working with BU and other schools with similar recent cases to try to identify suspicious IP addresses.
Quinn Shamblin, executive director of information security at the university, said the suspicious IP address that accessed the BU employee accounts were located in the US and Africa.
“It is extremely common for people engaged in this kind of criminal activity to attempt to hide their location by routing their traffic through a variety of computers between them and the intended victim,” he said. “This means that the IP addresses we detect at the far end may have nothing whatsoever to do with the actual attacker.”
Officials said any suspicious emails should be reported by forwarding the messages to firstname.lastname@example.org.
Officials warned to never provide sensitive information, including usernames or passwords, to any unsolicited requests, via email, phone, mail or other means of communication.
Shamblin also urged employees to regularly check their bank accounts when they are expecting direct deposit funds to come in.
“When the monthly notice from BU tells you your paycheck has been sent, I would recommend that you check your bank to make sure it properly arrived and notify payroll or human resources immediately if there’s any discrepancy,” he said. “The system cannot tell if the bank account information it contains is accurate. The only way we will know if there’s a problem is if you detect and report it.”