I wrote an article over 3½ years ago about direct deposit fraud, first published in the FBI annual Internet Crime Complaint Center (IC3) report for 2018, when about 100 complaints were reported. Today, years later, we are finding it occurring on too-regular of a basis, and I would not be surprised if there were 100 complaints a day.
How it occurs is the fraudster diverts an employee’s paycheck to their “bank account,” which they will then clear out as soon as the funds hit on pay day. The two questions you may be asking are ‘how do they change the bank account?’ and ‘how are they able to make off with the funds without a trace?’
How the fraudster changes the bank account can be performed in one of two ways. They either do it themselves or they get you to do it for them. The former is a bit harder, as they need to access your payroll system through compromised credentials either as you, the payroll administrator or the employee. This type of fraud requires a more tech-savvy criminal, but the payoff could be huge. A couple of months after I wrote that article in 2019, a fraudster accessed the City of Tallahassee’s payroll system and diverted $498,000 for about 200 city employees. The keys to stop this from happening are; 1) to use two-factor authentication on your login to your payroll system for both administrators and employees, 2) use strong passwords, 3) have a notification system in place to alert multiple administrators, should there be changes in direct deposit accounts.
The second way of changing the bank account is by getting you to do it for them. This is so much easier, a child could do it. The fraudster will impersonate the employee and send you an email to change their direct deposit account. The email may come from the real employee’s actual email account (they could have had their email account compromised), but most likely, the fraudster creates a brand new email account that looks like it belongs to the employee. How they find out the employee’s name, in addition to the payroll/HR department contact, is performed by surfing social media and the internet. I see this happen way too often, and there is one very easy way to prevent it. Call and talk with the employee. ANY email, text, or whatever electronic request you receive to change a bank account, should trigger a call to that employee for VERBAL confirmation. If you take a minute and do that every time, you may never fall victim to this.
Answering the second question as to how they successfully get away with funds without a trace: they use reloadable retail cards. I am sure you have seen that big display of gift cards at your local drug, grocery and other retail stores. Mixed in with the Starbucks, Amazon, AMC, Red Lobster, and the like, you will find reloadable cards. They come in the form of Amex, MasterCard, and Visa, and will have the word ‘reloadable’ on the face of the package. The most common brands used for fraud are GreenDot and American Express Reloadable cards. These cards come with their very own bank account. Open the pack and you will find a routing and account number to load the card; for as low as $1.95, you can literally buy a bank account that is untraceable. The criminal will need to register the card, but anyone can do it with fake credentials. I did it myself to prove there is no real verification performed by the card company. This is the account the criminal will use to insert into your payroll system. As soon as the funds are loaded to it, they can use many means to immediately withdraw the funds, from making purchases to obtaining cash from an ATM. Gone without a trace. Fraudsters can also use unsuspecting money mules with real brick and mortar bank accounts, but so far, we rarely find this, as it does take a considerable amount of extra work on their part.
If you are a PayMaster client and you discover that you have received a fraudulent request to change a direct deposit account, please report that to your payroll specialist. Even though you caught it, if you report to us the bank account used, we can contact the fraud department at many of these reloadable card companies to shut down the account, so someone else does not fall victim.
In summary, be diligent in looking out for fraud, because it is everywhere, and the easiest thing to do to prevent this from happening is to call and speak with the employee to confirm EVERY direct deposit change request.
