Digital fraudsters target company payrolls for the same reason the notorious bank robber Willie Sutton robbed banks – “because that’s where the money is”. While payroll – the people who pay it, the people who process it and the people who receive it – has long been the target of various schemes and frauds, today we are witnessing a marked increase in a particular type of scheme that we would like to call attention to. This type of fraud leverages malware that harvests and steals passwords in order to send requests for changes to a person’s direct deposit bank account. The scheme has been startlingly effective, and yet the remedy to counteract it is fairly straightforward. It requires, however, a change in the way many of us have come to operate and continued vigilance on the part of payroll administrators and HR managers.
Here is how it works: The thief hacks into a person’s email (through any of a variety of means which we won’t go into here), reviews the employee’s emails and through that learns where the person works and who pays them. With that information, the hacker can then simply send a request from the compromised email account asking for a change to the employee’s bank account information. Of course, the new bank account information is the fraudster’s account (typically a “burner” debit card). A careful hacker will then delete the email from the Sent folder. Note that the request for a change of banking information that the payroll administrator receives comes from a legitimate, known email address. No one knows anything is wrong until pay day, when the hacked employee doesn’t receive her pay.
Here is what you can do: The most important thing you can do is to always independently voice-verify any bank account change request (specifically by contacting the person directly by phone or in person). Never accept banking or financial instructions via email alone. Unfortunately, today email cannot be trusted as a verified source of instructions from anyone – even if the email address is legitimate and known to you.
Of course, some companies already do not allow such requests to be made via email. Those companies are not vulnerable to this type of scheme. Others send notifications to employees through their internal systems any time a change is made to their personal information. This is also a protection, though not a foolproof one. The key point here is that email should never be used for conveying or following any directions relating to financial transactions. That day is now officially over.
There are many ways that payroll dollars are getting diverted by thieves – other scams and hacks are definitely in use, and businesses should always have several lines of defense to protect their data, secure all user credentials, scan their IT environments and protect against social engineering attempts. We simply want to send out the alert about a particularly effective scheme and offer a simple countermeasure, voice verification, that can thwart it.