USPS beefs up online security after fraudsters steal employee paychecks

The Postal Service is strengthening its online security measures in response to fraudsters targeting USPS employees’ financial information.

The USPS, in a memo to its workforce on Tuesday, warned that cybercriminals are targeting USPS employees by creating fake websites that closely resemble LiteBlue, the agency’s employee online portal.

Postal unions are warning members that fraudsters are using these spoofed websites to obtain USPS employees’ login credentials and redirect direct deposit paychecks to their own bank accounts.

LiteBlue allows employees to access their paycheck information, their federal employee health benefits (FEHB) and their savings plan, and to contact USPS human resources.

The USPS told officials in this week’s memo that it switched LiteBlue to multi-factor authentication (MFA) on Jan. 15.

The USPS will require employees logging into LiteBlue to reset their passwords, verify the last four digits of their Social Security number, and configure their multi-factor authentication preferences.

Once MFA is activated, the USPS will require employees to enter an MFA code before accessing their online accounts.

The USPS said in a statement that it is “continuing to take precautionary measures to prevent further unauthorized activity.” The agency said it has notified affected employees and is purchasing a year-long credit monitoring service for them.

The USPS said LiteBlue and PostalEASE, the self-service application accessed through LiteBlue for employment-related services, were not compromised.

According to the USPS, its Office of the Inspector General notified the Postal Inspection Service and the USPS Office of Corporate Information Security of “unusual login activity involving a limited number of employee accounts on the PostalEASE system of the Postal Service.”

“A limited number of employees reported unusual activity involving their PostalEASE accounts, which were attributed to prior interaction with the fake LiteBlue websites,” the agency said.

The American Postal Workers Union said Friday that the union “continues to defend members who had their wages stolen in the recent online fraud attack on USPS systems.”

“Management provided an update on the implementation of MFA for logging into LiteBlue after cybercriminals gained access to sensitive employee data using fake websites that closely resembled LiteBlue,” the APWU wrote. “Fraudsters used this information to make changes to net-to-bank and allocation accounts to divert and steal direct deposit funds.”

The fraudsters appear to have been targeting USPS employees for about a month.

The National Association of Letter Carriers, in a Dec. 21 post on its website, said the USPS confirmed that some employees unknowingly provided their usernames and passwords to criminal websites when trying to access PostalEASE.

The NALC said that approximately 119 USPS employees attempted to access PostalEASE through a Google search rather than entering the web address directly into their browser.

“Google’s routers redirected their searches to criminal third-party websites that mirror PostalEASE’s appearance and access. Unfortunately, your login credentials were hacked and some accounts were compromised,” the NALC wrote.

The NALC is asking its members whose credentials have been compromised to notify the union on its website, in order for the NALC to report the scope of the issue to the USPS.

“Specific banking industry standards require financial institutions to provide relief in certain situations. However, several third-party sites were criminal scams, and most likely, some of the lost money will not be returned. The USPS does not have the dollar loss total currently available. The USPS states that responsibility for hacking, bank account breaches and loss of money remains with Google,” the NALC wrote.

A previous USPS memo, dated December 30, 2022, also warned officials about a fraud scheme by cyber criminals using a fake version of the LiteBlue website.

“When you try to log in to a fake website, scammers collect your username and password. Scammers can record this information and use it to enter PostalEASE,” the memo states. “There, scammers can access your sensitive data, which they can manipulate for financial gain.”

The USPS in the memo said its Net to Bank and Allotment direct deposit functionalities have been disabled online in the PostalEASE application.

The Dec. 30 memo also said the USPS had temporarily suspended external access to PostalEASE via a personal computer “until further notice.”

During this period, USPS employees can still cancel allocations or enable or change their direct deposit settings by calling the USPS Human Resources Shared Services Center (877-477-3273).

The agency said employees making these changes over the phone need to have their employee identification number (EIN) and personal identification number (PIN).
