Criminals are always devising new ways to defraud the unsuspecting.
The FBI has recently noted a startling increase in new payroll and direct deposit phishing scams. The latest transfer schemes are deceptively simple and have gotten past proficient IT departments, sophisticated email filters, and seasoned employees alike. Don’t fall prey. Learn how the latest schemes work, how to protect your employees and business, and what to do should a scammer strike.
How the Payroll Direct Deposit Scams Work
The newest round of payroll scams attacking businesses in the United States operates with the intent to defraud individual employees. The online thieves don’t rely on hacking or sophisticated technology, either: they simply glean company contact and hierarchy information online to home in on their targets. The cons create phony email accounts under the names of company officials, usually executives, supervisors, or human resources personnel. Often the emails appear to come from the company, but they are sent from fake accounts created anonymously using free, web-based services such as Gmail, Yahoo! Mail, or AOL.
In a typical scenario, an “executive” emails a human resources employee and asks them to update another worker’s direct deposit bank routing number. Often, the imposter mentions that the request is urgent and that they will be unavailable soon:
Sarah–
I need you to update Richard Jones’s bank routing number to [thief’s account number]? Headed to mtg. Can’t talk but do it soon plz. — Abe
To gain trust, the thief may send several phishing emails, starting casually with a vague message before getting specific with the request:
Sarah–
Got a sec? I need your help. — Abe
Once the employee replies, the schemer has a trusting and engaged target. As soon as the employee completes the request, the scammer quickly uses wire transfer to move the paycheck to his own untraceable, offshore bank account. It’s not until an employee doesn’t receive his or her paycheck that the deception is detected. It can take several paycheck cycles to pinpoint what happened. Meanwhile, the targeted employee is without an entire paycheck and will likely have the reasonable expectation that their employer will make them whole.
These schemes are simple, which is why they work. The internet criminals behind them rely on many successful, smaller cons to make their money. They rake in thousands—rather than millions—of dollars at a time to avoid detection.
Often, HR and accounting employees fall for payroll direct deposit phishing scams because the requests:
- Seem innocuous
- Come from a superior
- Arrive at a busy time of day
- Are time-sensitive
- Appear legitimate
Protect Your Business and Employees
- Inform Employees
Send communications about payroll phishing scams and their characteristics, including:
  - Casual tone, direct message
  - Some typos or awkward phrasing
  - Urgency
  - From a personal email account but gives the appearance of being from a company account
  - Requests for wire transfer, bank account information, or anything involving external financial institutions
  - Requestor is unavailable imminently
- Strengthen Email Security
Work with your IT department to develop stronger email filters that flag urgent emails concerning payroll, bank account information, or direct deposit transfer updates, especially when the email comes from a new and unrecognized account.
- Reinforce Protocol for Payroll Updates
Provide employees with step-by-step instructions for how payroll information is updated. Do not allow payroll changes to be made over the phone or by email. No single employee should be responsible for complying with payroll-related changes; have an approval process in place.
- Keep Contact and Company Infrastructure Information Private
Keep flow charts, phone trees, email addresses, and other hierarchical information on your intranet rather than on your public website.
- Remind Employees That Email Is Not Secure
Social Security numbers, direct deposit and bank account routing numbers, birthdates, or any other personally identifying information should never be shared over email.
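An added example, not from the original article, of the kind of filter rule the "Strengthen Email Security" item describes: it scores an inbound message against the characteristics listed above (a display name that matches a company official but an address outside the company, a free webmail sender, a never-before-seen sender, payroll or bank keywords, and urgency language). The company domain, staff directory, known-sender list, and the sample messages are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed example values: company domain, staff directory, and senders seen before.
COMPANY_DOMAIN = "example.com"
STAFF = {"abe ryan": "executive", "sarah lee": "hr"}
KNOWN_SENDERS = {"abe.ryan@example.com", "sarah.lee@example.com"}
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "aol.com", "outlook.com", "hotmail.com"}

PAYROLL_TERMS = re.compile(
    r"\b(direct deposit|routing number|bank account|wire transfer|account number|payroll)\b",
    re.I)
URGENCY_TERMS = re.compile(
    r"\b(urgent|asap|soon|right away|can'?t talk|headed to|in a (meeting|mtg)|plz)\b",
    re.I)


def score_email(from_header, subject, body):
    """Return (score, reasons) for one message; each matched characteristic adds one point."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    text = f"{subject}\n{body}"
    reasons = []
    # Display name matches a company official, but the address is outside the company.
    if name.lower() in STAFF and domain != COMPANY_DOMAIN:
        reasons.append(f"display name '{name}' with external domain {domain}")
    if domain in FREE_WEBMAIL:
        reasons.append("sent from a free webmail provider")
    if addr not in KNOWN_SENDERS:
        reasons.append("sender never seen before")
    if PAYROLL_TERMS.search(text):
        reasons.append("mentions payroll or bank details")
    if URGENCY_TERMS.search(text):
        reasons.append("urgency language")
    return len(reasons), reasons


def should_flag(from_header, subject, body, threshold=3):
    """Hold the message for review when it shows at least `threshold` characteristics."""
    score, _ = score_email(from_header, subject, body)
    return score >= threshold
```

The threshold keeps an internal HR reminder that merely mentions direct deposit from being flagged, while the casual "Got a sec?" opener from a webmail account impersonating an executive is caught on sender checks alone.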
What Should You Do If Your Company Is Targeted?
Transfer scams are a serious internet crime. If your business is targeted, do the following:
- Contact impacted financial institutions immediately.
- File a complaint with the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov.
- Inform staff about phishing scams, including what to look for and whom to notify.
Awareness, education, and action are your best defenses against email fraud.
If you would like more information, or if you need guidance creating a safe payroll approval process, please contact the professionals at The HR Team. We’ve been delivering a full spectrum of value-driven HR solutions for more than 20 years, and we would be honored to help your organization, too.
About The HR Team: Founded in 1996, The HR Team is a Maryland-based human resources outsourcing firm committed to developing strategic, customized solutions that respond to the unique needs and cultures of organizations of all types and sizes. Available as a one-source alternative to an in-house HR department or on an à la carte project basis, the company’s flexible service models address the full spectrum of HR needs that many organizations struggle to address. The HR Team helps clients achieve their highest level of success by providing value-driven human resources services that leave them time to focus on what they do best: directing business growth and profitability. Headquartered in Columbia, Maryland, the firm serves all of Maryland, Washington, DC, and Virginia. To learn more about The HR Team, call 410.381.9700 or visit https://www.thehrteam.com/.