How Your Paycheck Could be Stolen Using a Direct Deposit Email Scam

Phishing tactics have become more sophisticated over the years, and one tactic often feeds into the next.

For example, a scam email that captures your email credentials can let a fraudster send your HR department a legitimate-looking message, from your own account, asking them to change the bank account for your paycheck's direct deposit.

At the same time, the scammer can use your mailbox to send phishing emails to your coworkers and other contacts, who are far more likely to click a link that appears to come from someone they know. Such messages also tend to get past business email defenses more easily: they come from a genuine, authenticated account inside the organization, so they pass sender-authentication checks and are not flagged as external mail.

This tactic is referred to as Business Email Compromise (BEC). According to the FBI, it is a $26 billion scam that has been reported in all 50 U.S. states and 177 countries.

BEC attacks can wreak all types of havoc, including planting ransomware on a network and gaining access to critical company files. But perhaps the most personal type of attack is the one that steals employee paychecks.

The cost of payroll diversion scams increased over 815% between January 1, 2018 and June 30, 2019.

Payroll diversion scams have been on the FBI’s radar for a while. They were responsible for total reported losses of over $8.3 million between January 1, 2018 and June 30, 2019. 

We’ll explain how this scam works next and how your HR team can help prevent falling victim to it. 

Tactics Used for the Payroll/Direct Deposit Scam

The payroll direct deposit scam is generally a two-step process. The first step targets users with phishing emails designed to steal their email login credentials.

These can look like SharePoint file-sharing requests that lead to a spoofed Microsoft Office 365 login page, or a fake warning pretending to be from your web or email hosting company claiming there has been a compromise and you need to log in to change your password.

The goal of step one is to obtain employee email credentials so the attackers can send email as you, from your real account.

Step two targets your HR or accounting department, whichever handles employee direct deposit paperwork. Posing as the employee, the scammer writes from the hijacked mailbox asking how to change the direct deposit account. The request looks legitimate because it genuinely comes from the employee's own email address.

Most offices will honor the request and send back the form or an online link that allows the account to be changed. Because the scammer controls the mailbox, HR's replies can be read and deleted before the employee ever sees them. Often one or two payrolls go out before the employee asks where their paycheck is, and by then the company is out a lot of money.

The average dollar loss per complaint is $7,904, a significant amount for any company to lose when it is pay that employees are counting on.

There’s been a disturbing upward trend in payroll diversion using BEC, with incidents spiking significantly at the end of 2018 and throughout 2019, as illustrated in the FBI graph below. It remains a major threat for companies to watch out for in 2020. 

Ways to Protect Your Company from the Direct Deposit Scam

The direct deposit scam hurts both employees and their companies. The employee can be without a paycheck for several weeks while the scam is discovered and replacement pay is issued. The company then ultimately bears the cost of the diverted funds.

Protecting your company from falling victim to this scam takes a multi-layered approach, as do most good cybersecurity policies. Here are suggested tactics to employ to stop this scam from hurting your business and employees.

Use Secondary Factors of Authentication for Change Requests

Using a second, independent way to verify that a direct deposit change request is legitimate can stop this scam in its tracks. This can be as simple as a phone call or a face-to-face conversation with the employee to confirm they actually made the request. The call must go to the phone number already on file in your HR records, never to a number supplied in the email itself, since an attacker who controls the mailbox also controls anything written in it.

Making this secondary check a written security policy, and including it in the procedures for everyone who handles direct deposit administration, helps ensure it is done every time as standard practice rather than only when something looks off.
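The intake process described in the two-step walkthrough above and the out-of-band verification recommended in this section, as an added example written for this page (not code from the original article or from BrainStomp): a small Python routine that models how an HR system could gate a direct deposit change request. The employee directory, the request, and the phone-confirmation callback are all constructed for illustration. The ABA routing-number checksum is the standard mod-10 check and only catches mistyped or made-up numbers; the phone confirmation to the number on file is the control that actually defeats a request sent from a compromised mailbox.

```python
"""Out-of-band verification of a direct deposit change request.

Added example for this article, not code from the original page. The
employee directory, the request, and the phone confirmation step are all
constructed here for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    employee_id: str
    email: str
    phone_on_file: str      # from the HR system of record, never from an email


@dataclass(frozen=True)
class ChangeRequest:
    from_email: str         # sender; in this scam it is the employee's real, hijacked mailbox
    employee_id: str
    new_routing_number: str
    new_account_number: str
    callback_phone: Optional[str] = None   # a number offered in the email body, if any


def valid_aba_routing_number(rtn: str) -> bool:
    """ABA routing transit numbers are nine digits whose weighted sum
    (weights 3, 7, 1 repeating) is divisible by 10. This catches typos and
    some made-up numbers; it says nothing about who owns the account."""
    if len(rtn) != 9 or not rtn.isdigit():
        return False
    weights = (3, 7, 1) * 3
    return sum(int(d) * w for d, w in zip(rtn, weights)) % 10 == 0


def process_change_request(
    req: ChangeRequest,
    directory: Dict[str, Employee],
    confirm_by_phone: Callable[[str, str, str], bool],
) -> Tuple[bool, str]:
    """Return (approved, reason).

    confirm_by_phone(phone, routing, account) stands for the HR staffer
    calling the employee at the number on file and reading back the new
    account details. It is passed in because that step happens outside
    any system, and it is the only check here that defeats a request
    sent from a genuinely compromised mailbox.
    """
    emp = directory.get(req.employee_id)
    if emp is None:
        return False, "unknown employee"
    # Catches the cruder variant sent from a look-alike address. It does not
    # help when the employee's own mailbox has been taken over.
    if req.from_email.lower() != emp.email.lower():
        return False, "sender does not match the employee's address on file"
    if not valid_aba_routing_number(req.new_routing_number):
        return False, "routing number fails the ABA checksum"
    # A callback number supplied in the email is exactly what an attacker
    # controls. Only the number on file is ever dialled; a mismatch is a red flag.
    if req.callback_phone and req.callback_phone != emp.phone_on_file:
        return False, "email supplied a callback number that differs from the number on file"
    if not confirm_by_phone(emp.phone_on_file, req.new_routing_number, req.new_account_number):
        return False, "employee did not confirm the change by phone"
    return True, "confirmed out of band; change may be applied"


if __name__ == "__main__":
    # Constructed sample data: "123456780" is not a real bank's routing
    # number, it is simply nine digits that satisfy the checksum.
    directory = {"E100": Employee("E100", "jane.doe@example.com", "+1-555-0100")}
    planted = ChangeRequest(
        from_email="jane.doe@example.com",   # the scam comes from the real address
        employee_id="E100",
        new_routing_number="123456780",
        new_account_number="000123456789",
        callback_phone="+1-555-0199",        # attacker's number planted in the email
    )
    print(process_change_request(planted, directory, lambda phone, r, a: True))
    clean = ChangeRequest("jane.doe@example.com", "E100", "123456780", "000123456789")
    # Simulated call to the number on file: the real employee never asked for a change.
    print(process_change_request(clean, directory, lambda phone, r, a: False))
```

The callback argument is deliberately not something the code can satisfy on its own: whoever runs the intake has to pick up the phone, and the function refuses to approve until that has happened. Rejecting a request that volunteers its own callback number is a judgement call; treating it as a red flag and escalating is the safer default.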

Train Employees on Phishing Awareness

Fake direct deposit requests can be sent from look-alike addresses, but they are far more likely to succeed when sent from an employee's real email account. Scammers know this, which is why compromising a business email account is usually the first step in the process.

That compromise is achieved through phishing, so regular, ongoing training for your employees on how to spot phishing and what to do when they see a questionable email can go a long way toward stopping the scam at step one.

Employ Anti-Phishing and Spam Protections

Email security tools with advanced threat protection can keep many dangerous phishing emails out of user inboxes, or at least block most of them. Choose tools that backstop your users when something does get through, including web protection that warns them about a fake login page before they enter their credentials.
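The fake-login-page warning described above, as an added example written for this page (not code from the original article, from BrainStomp, or from any product mentioned): a Python check that classifies the URL a user is about to enter credentials into. The allowlist of trusted sign-in hosts is an assumption for the example; a real deployment would maintain it from the identity provider's documentation. The sample URLs in the demo are constructed and use reserved example domains.

```python
"""Flag credential-harvesting look-alikes of a trusted sign-in page.

Added example for this article, not code from the original page or from any
product it mentions. The allowlist below is an assumption for the example.
"""
from urllib.parse import urlsplit

# Assumed allowlist of hosts where this organisation's users legitimately sign in.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}


def classify_login_url(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'untrusted' for a URL the user is
    about to type credentials into.

    'trusted'   : https and the host is exactly an allowlisted name.
    'lookalike' : an allowlisted name appears inside the URL's authority
                  without being the host (prefix subdomains, userinfo
                  tricks, dots swapped for hyphens). This is the spoofed
                  Office 365 login page the article describes.
    'untrusted' : anything else, including plain http to a trusted name,
                  which is never where credentials should be entered.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")   # .hostname is already lower-cased
    authority = parts.netloc.lower()
    if host in TRUSTED_LOGIN_HOSTS:
        return "trusted" if parts.scheme == "https" else "untrusted"
    for trusted in TRUSTED_LOGIN_HOSTS:
        # login.microsoftonline.com.files-share.example  (trusted name as a prefix)
        # login.microsoftonline.com@files-share.example  (trusted name as userinfo)
        # login-microsoftonline-com.example              (dots swapped for hyphens)
        if trusted in authority or trusted.replace(".", "-") in authority:
            return "lookalike"
    return "untrusted"


if __name__ == "__main__":
    # Constructed sample URLs; the attacker domains are reserved example names.
    samples = [
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
        "https://login.microsoftonline.com.files-share.example/index.html",
        "https://login.microsoftonline.com@files-share.example/",
        "https://login-microsoftonline-com.example/",
        "http://login.microsoftonline.com/",
        "https://sharepoint-docs.example/login",
    ]
    for url in samples:
        print(f"{classify_login_url(url):10s} {url}")
```

The userinfo case is the one worth remembering: everything before the `@` in `https://login.microsoftonline.com@files-share.example/` is a username as far as the browser is concerned, and the request actually goes to `files-share.example`. Parsing with `urlsplit` and comparing the parsed hostname, rather than scanning the raw string, is what makes the check sound. The check does not cover internationalised-domain homoglyphs or a legitimate site that has itself been compromised, so it complements user training rather than replacing it.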

Schedule a Security Audit Today to Ensure You’re Prepared

A security audit from BrainStomp will review the cybersecurity policies you have in place, identify potential weaknesses, and suggest fixes to help protect your business from scammers, data breaches, and other online threats.

Schedule a free security consultation today! Call 260-918-3548 or reach out online.