Late last year, the Internet Crime Complaint Center (IC3), a division of the FBI released a public service announcement I-091818-PSA https://www.ic3.gov/media/2018/180918.aspx regarding the practice of payroll diversion by cyber-criminals. This announcement identified employees whose online self-service portal credentials were compromised, typically through a phishing attempt, and the criminal would change the direct deposit bank account of the employee to a loadable debit card in their possession. Unfortunately, once funds are sent to a debit card, the criminal can withdraw them without a trace.
I am expanding that announcement to include another case of payroll diversion that we have seen. While you may be thinking that you are safe because either your employees do not have access to a self service portal, or they do, but do not have the ability to change their direct deposit account. Let me inform you that you are not safe. All a criminal needs to do is identify where the individual works. This can be done in a number of ways, such as simply looking up the person on social media, like the persons Facebook post or their profile on LinkedIn, or possibly through a compromised email account. In any case, once the criminal knows where the person works, they will send an email to the payroll department asking to change their direct deposit account. The email may originate from a legitimate email account, sometimes the criminal has access to the employee’s actual account, but it could come from a similar account name. Let’s say the employees name is Louis Smith and the employee has an email account of firstname.lastname@example.org. The criminal could make their own yahoo account with an email of Iousmith@yahoo.com (you probably did not catch it, but I substituted an uppercase i in place of the lower case L), email@example.com (leaving out a letter that could be overlooked, firstname.lastname@example.org (added the dot), and so on. A return email address could even be displayed as email@example.com, but the email is actually being sent from firstname.lastname@example.org
How to protect yourself from both of these scams? First off, if you receive a direct deposit account change other than handed to you by the employee, take the extra minute to call the employee (not email because that could be what is compromised) to confirm the account change. If your employees do have the ability to make direct deposit changes via their portal, then be sure you either have the ability to approve such change or at least be notified of such changes.
If you should fall victim to a loss, then be sure you file a complaint with the IC3 at https://www.ic3.gov/default.aspx You will also want to reach out to your bank as there is a slim chance that all of the funds have not been withdrawn from the debit card.
While on the topic of cyber-criminals, this is also the time of the year of W-2 phishing. Never send an unprotected W-2 via email, whether it is the “employee” requesting it or the “CEO” of the company via email. As stated above, that email request is quite possibly not from the person who you think it is. Always get a verbal confirmation of any requests, and if you have to send the document via an electronic means, be sure it is secured with a password that was verbally given to the recipient. Do not email the password because that just defeats the purpose.
As a client of PayMaster, we have ways of protecting you. Contact our Business Consultants for additional information on our processes and tools. We strongly believe in protecting our clients confidential data, and our systems are tested and updated on a regular basis. We undergo the SSAE 18 – SOC 1 – Type II audit, which is an internationally recognized standard developed by the American Institute of Certified Public Accountants (AICPA) that is recognized as a mark of service quality.