Paltry cybersecurity and slow-moving bureaucracy at the U.S. Postal Service meant hundreds of mail carriers, handlers and service clerks fell victim to a complex direct deposit scheme that left them without pay and angry that the federal government had failed to heed multiple warnings.
Postal leaders downplayed the incident, telling USA TODAY in a statement that they first were notified in December about an “unusual log-in activity involving a limited number of employees.”
In reality, cybercriminals had for months lured employees searching for their payroll system with a mirror-image-like website that reportedly tricked hundreds of employees into providing their usernames and passwords. The bad actors then used that information to sign in to the real system and reroute employees’ paychecks.
That left employees like Atlanta mail handler Joe Hoagland in a serious pinch for cash.
When the paychecks stopped, Hoagland initially figured his credit union had screwed up. Then his paystub revealed $900 had been siphoned off. When his supervisor finally told him there had been a security problem, Hoagland was furious.
“I’m the primary breadwinner in my family; this isn’t 200 bucks, this is $900 out of my check,” Hoagland said. “They knew about it for weeks and dragged their feet on telling us.”
Unions pushing for answers and fixes
Unions representing postal workers helped relay information and advocate for shoring up the PostalEASE human resources system.
The American Postal Workers Union says at least 460 of its members lost at least one direct deposit, for a total of about $1 million. About half of that money has been recovered by banks voluntarily returning the money.
Michael Martel, spokesman for the U.S. Postal Inspector, said he could not discuss the ongoing investigation. However, he noted that “the U.S. Postal Inspection Service has partnerships across the globe to protect the Postal Service and the American public.”
“Anyone who engages in such conduct should know they will not go undetected, and they will be held accountable, no matter where they are located,” he said.
The culprits may never be caught. Experts say siphoned money is traditionally moved quickly through other financial networks, offshore or into cryptocurrency, which makes it hard for the justice system to follow the trail.
The union said one employee says the Postal Service tried to claw back wrongly routed money and issued them a check for what remained in the fraudulent account: $1.78. Another employee didn’t notice the problem until all of her automatic payments bounced, which resulted in $500 in bank fees.
Charlie Cash, the union’s industrial relations director, said the Postal Service has taken the position that the institution did nothing wrong and therefore is not culpable.
“We completely disagree,” Cash said. “A lot of these workers in the middle class live paycheck to paycheck, and this happened just before Christmas.”
Cash pointed to warnings dating back to a 2013 audit from the Office of Inspector General about vulnerabilities in the HR system that left it open to unauthorized access. Cash and the postal workers union have filed a grievance known as a national dispute and he said the union is considering escalating the complaint to a national arbitrator.
A union member also alerted the Postal Service in March 2022 to the series of fake HR websites that left employees vulnerable, according to emails provided to USA TODAY. He was told to send an email to [email protected] and, although the Postal Service investigates and sends cease and desist letters, “the sites come and go with astonishing frequency,” an unsigned email from the U.S. Postal Inspection Service responded.
The Postal Service denied a Freedom of Information Act request from USA TODAY for the cease and desist letters, citing commercial trade secrets. USA TODAY has appealed the ruling.
Postal Service sympathetic but says it’s not responsible
The official line from the Postal Service is that it notified employees, monitored their compromised accounts, tried to recover their rerouted money and purchased a year of credit monitoring for them. It also said it warned all employees about cybercriminals.
Public affairs staff at the Postal Service declined requests from USA TODAY for an interview to answer questions about the causes and scope of the problems and the changes that followed.
In mid-January, however, the Postal Service rolled out its first multifactor authentication process for access to the HR site. That type of sign-in could have prevented many of the unauthorized account changes because it requires a user to confirm their identity via a second device, such as a smartphone.
National cybersecurity experts say multifactor authentication is the bare minimum organizations should deploy to safeguard direct deposit systems. Some called operating without it “security malpractice.”
Kevin Gosschalk, founder and CEO of cybersecurity firm Arkose Labs, said such attacks are “tragically common.” He pointed to FBI reports that showed wire fraud and diversion accounted for $2.7 billion in losses across the U.S. last year.
“It’s low-risk and high-reward,” he said, “in part because the financial mechanics of wire transfers mean it’s extraordinarily difficult to unwind.”
How can you avoid payroll diversion scams?
Employees should never follow a link in an email or a text or search result to access a sensitive site, experts said. Instead, they should bookmark their site or enter a URL manually to avoid look-alike sites.
Employers also should train employees to detect phishing, they said, and implement multifactor authentication and passwordless authentication including biometrics, and add “multilayered controls” that can detect phishing and “adversary in the middle” interceptions, Gosschalk said. Those middleman scams are part of attempts to get around multifactor authentication by standing between the user and entity and capturing credentials and cookies to gain access.
More:‘Beating the bad guys’: How one vigilante aunt in Ohio took down an identity theft scheme
For Joe Hoagland, it took navigating a phone tree, voicemails, emails and in-person visits with his supervisor to untangle the mess of his paychecks, which typically had been automatically deposited in his checking account. He received paper reimbursement checks about two months late.
By then, the Postal Service had identified the rerouted destination of his money as a Choice Bank in Fargo, North Dakota. As with other cases, postal staff requested the money back.
Choice Bank CEO Brian Johnson confirmed to USA TODAY that the bank was used by the scammers. He said the bank had frozen accounts and begun the process of returning lost money.
Hoagland’s payroll problem was resolved by March, but his problems related to the identity theft may have just begun. Recently he received notices that credit card applications were being canceled for cards he had never requested.
Hoagland blames himself for being tricked but says he also splits accountability evenly between his employers and the bad actors targeting him.
“I’m a realist; I know there are scammers out there,” Hoagland said. “You just have to protect yourself and realize (the threat) is never going away.”
Nick Penzenstadler is a reporter on the USA TODAY investigations team. Contact him at [email protected] or @npenzenstadler, or on Signal at (720) 507-5273.