Digital fraudsters target company payrolls for the same reason the notorious bank robber Willie Sutton robbed banks – “because that’s where the money is”. While payroll – the people who pay it, the people who process it and the people who receive it – have long been the target of various schemes and frauds, today, we are witnessing a marked increase in one particular type of scheme. This type of fraud leverages malware that harvests and steals passwords in order to send requests for changes to the person’s direct deposit bank account. The scheme has been startlingly effective and yet the remedy to counteract it is fairly straightforward. It requires however, a change in the way many of us have come to operate and continued vigilance on the part of payroll administrators and HR managers.
Here is how it works: The thief hacks into a person’s email (through any variety of means which we won’t go in to here), reviews the employee’s emails and through that, learns where the person works and who the person is who pays them. With that information, the hacker can then simply send a request from the compromised email account requesting a change of bank account for direct deposit . Of course, the new bank account information is the fraudster’s account (typically a “burner” debit card). A careful hacker will then delete the email from the Send folder. Note that this request for a change of banking information that the payroll administrator receives comes from a legitimate, known email address of a legitimate, known employee. No one knows anything is wrong until pay day when the hacked employee doesn’t receive her pay.
Here is what you can do: The most important thing you can do is to always independently voice verify any bank account change request (specifically calling out to the person via phone or in person). Never accept banking or financial instructions via email alone. Unfortunately today, email cannot be trusted as a verified source of instructions from anyone – even if the email address is legitimate and known to you.
Of course, some companies already do not allow such types of request to be made via email. Those companies are not vulnerable to this type of scheme. Others send notifications to employees through their internal systems any time a change is made to their personal information. This is also a protection, though not a fool proof one. The key point here is that email should never be used for conveying or following any directions relating to financial transactions. That day is now officially over.
There are many ways that payroll dollars are getting diverted by thiefs – other scams and hacks are currently in use as well. Businesses should always have several lines of defense to protect their data, secure all user credentials, scan its IT environment and protect against social engineering attempts. We simply want to send the alert out about a particularly effective scheme and offer a simple solutino – voice verification – that can thwart it.