Employers should be on the lookout for a new email phishing scam that targets employee paychecks. The latest wave of attacks is a new version of wire fraud scams, which have recently hit businesses across the country.
Known as “business email compromise” or “business email spoofing” (BEC/BES), these scams target businesses of all industry types and sizes, according to the IRS. And the fraud is growing quickly, as it bypasses many existing security protocols, and the amount of funds stolen are often small enough that many companies chalk the loss up to the cost of doing business, which allows the scammers to stay under the radar of authorities.
How The Scam Works
The emails typically impersonate a high-level company employee, like the CFO or CEO, and the messages are sent to payroll or human resources (HR) staff. The email from the scammer asks the payroll or HR staff to change his or her direct deposit information for payroll. The scammer then provides a new bank account and routing number used to have paychecks direct-deposited, but the account is actually controlled by the scammer.
Once the funds are routed to the criminal’s account, the company is on the hook for replacing the stolen funds, and the employee whose email was impersonated faces the inconvenience of a late paycheck. The scam is generally discovered fairly quickly, but not before the victim misses one or two direct deposits.
In another version of the scam, the emails impersonate a company executive and are sent to the employee in charge of making wire transfers. The email asks for a wire transfer to be made to an account controlled by the scammer. Companies that are hit with this scam have lost tens of thousands of dollars.
In addition to having to replace the stolen funds, the scam creates a data breach for the employer, which sets in motion a legal requirement for the company to notify all affected parties. If the employer fails to respond quickly enough, the business can be hit with fines and other penalties.
Flying Under The Radar
According to reporting from CNBC, this latest scam appears to be growing in part because it bypasses some email control protocols, and also because it gets around the usual warnings companies have issued to employees about traditional wire fraud, since the scammers aren’t actually asking for money or an invoice transfer—they are simply asking to change their bank account information for direct deposit.
What’s more, the scam doesn’t require the criminal to hack into an employee’s email account; scammers generate fake email accounts with free services like Gmail and Yahoo. To create a fake email account, the scammer uses the employee’s real name, which lets the scammer avoid security measures designed to detect hacked employee email.
The email messages are typically quite short, polite, and free from the spelling and grammar errors typical of past phishing scams. The emails often start with something innocuous-sounding, such as “‘Hey, do you have a second? I need to update my direct deposit information,” and if that target responds, the scammer will reply in real-time and go from there.The emails can also sound urgent, often requesting that the HR staff change the bank account information quickly, many times asking to switch the account “before the next paycheck.” Other times, the email will try to discourage the HR staff from calling them back by noting, “I’m going into a meeting now.”
While the funds stolen in the scam are typically relatively low—thousands of dollars versus hundreds of thousands involved with a typical wire fraud case—because the scam is so simple and inexpensive to pull off, it’s becoming more popular with fraudsters. Plus, CNBC noted that criminals have found ways to automate the scam, so the scheme can be scaled, and a single company may get dozens or more hits at the time, which makes the scam even more lucrative—and attractive.
How Employers Can Safeguard Their Operation
According to the IT security firm KnowBe4, employers can combat this new scam and others like it by immediately taking the following actions:
- Alert your workforce to the new scam and explain how it works.
- Direct employees to forward any suspicious requests to the IT or HR departments, rather than replying to the email.
- Instruct employees to refrain from supplying log-in credentials or personally-identifying information in response to any email.
- Ensure that log-in credentials used for payroll purposes differ from those used for other purposes, such as employee surveys.
- Enforce (or, where necessary, establish) multi-factor authentication requirements.
- Review and update the physical, technical, and personnel-related measures taken to protect your sensitive information and data.
If your company does get hit by this email scam or another internet related-scam, you should report the incident to the FBI’s Internet Crime Complaint Center (IC3) by going to www.ic3.gov.
Defend Your Digital DomainThis latest phishing scam is just one of numerous threats that your company faces when it comes to digital security. In addition to scams involving stolen funds, your business is also susceptible to data breaches, hacking, network failures, and other malicious actions targeting your sensitive client and business data. What’s more, you are also required to stay in strict compliance with an ever-evolving set of federal and state laws governing data privacy. If you fail to comply with these mandates, your business risks fines and other penalties that can seriously impact your bottom line. On top of all that, there is also the risk of getting hit with a costly lawsuit from a client whose data was stolen from your business.
From installing the proper digital security systems and working with the most secure web hosting service to investing in cyber insurance, there are a number of steps you can take to protect your company’s digital domain. That said, the safeguards your company requires will depend on a number of different factors, including the size of your business, the type of data you collect, the market sector your business serves, among other factors, so there’s no one-size-fits-all cybersecurity strategy that works for all businesses.With this in mind, your best bet is to consult with us to implement a comprehensive digital protection plan. We can advise you on the specific protections you should have in place and keep you updated on the ever-changing legal landscape governing data privacy. And if you’re ever hacked, we can defend you in court against any lawsuits or other liabilities that might result. Contact us today to learn more.