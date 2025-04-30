The FBI is warning the public that cyber criminals are targeting users of employee self-service websites owned by companies and government services. The cyber criminals are using search engine advertisements to impersonate legitimate websites and steal victim information and funds.

Cyber criminals use fraudulent search engine advertisements to direct users to malicious websites that mimic the legitimate sites in appearance, but steal login credentials and other financial information when the victim logs in. Previously, cyber criminals primarily targeted small business commercial bank accounts in account takeover schemes, but have expanded to target payroll, unemployment programs, and health savings accounts with the goal of stealing money through fraudulent wire transactions or redirecting payments.

Methodology Cyber criminals use advertisements that imitate legitimate companies to misdirect targets conducting an internet search for a specific website. The fraudulent URL appears at the top of search results and mimics the legitimate business URL with minimal differences, such as a minor misspelling. When targets click on the fraudulent advertisement link, they are redirected to a phishing website that closely mirrors the legitimate website. When the target enters login credentials, the cyber criminal intercepts the credentials. Cyber criminals use captured credentials to gain full access to the victim’s legitimate account and may use social engineering tactics to obtain the victim’s token, if multi-factor authentication is enabled. One social engineering tactic involves masquerading as a bank representative while calling the victim and asking for their one-time passcode. The phishing site may also prompt the victim to enter their multifactor token. If a bank account is compromised, cyber criminals can transfer money from the accounts. If an employee payroll account, unemployment account, health savings account, or retirement account is accessed, the cyber criminal can change the direct deposit information and redirect future payments. If cyber criminals gain access to victim personally identifiable information ( PII ), they can also create new accounts that defraud victims. One indicator that cyber criminals have compromised a victim’s financial account is the receipt of thousands of spam emails within a short period of time. Cyber criminals use spam emails to prevent the victim from noticing a legitimate organization’s notification of account compromise