How this strain of payroll scam begins.

This strain of payroll scam works like this: a scammer impersonates a company employee and sends an email to a payroll or human resources (HR) personnel using a false email address that resembles the format of the organization. The contents within the email claim that his or her direct deposit information needs to be updated. The scammer posing as the employee requiring these changes then provides a new bank account and routing number to obtain payroll deposits.

Another version of this scam is when the hacker impersonates a company executive and sends an email to an employee who is responsible for wire transfers. In this scenario, the fake company executive demands that a wire transfer be made to a specific account.

According to the IRS, “Companies that fall victim to this scam can lose tens of thousands of dollars.”

What to look out for.

As these emails can be very damaging to a company, here are a few things to look out for:

  • Grammatical errors and spelling mistakes within the email.
  • Unknown email addresses.
  • A mismatch between name and email address. (e.g. John Smith <BDoe@___com>, the name should represent <Jsmith@____.com>)
    • You may also see changes to the domain name which are typically off by a letter.  (e.g. Correct email address jdoe@abclaw.com; Fake email address:  jdoe@abclew.com)
  • Implied sense of urgency.
  • A font that is not typically used by your company.

The IRS provides a few examples of what one of these emails could look like here.

Here are examples of emails that have been reported by tax professionals to the IRS in recent days. These emails have been edited by the IRS:

Sent: Monday, December 10, 2018 [REMOVED]
Subject: (no subject)
Hello [REMOVED],
I changed my bank and I will like my paycheck DD details changed. Do you think this change be effective for the next pay date?
Sent from my iPhone

How to prevent payroll fraud.

So now you may be asking, “how can I prevent this from happening to my company?” It is super important to take the proper security precautions, such as investing in intrusion detection systems, firewalls, and other devices to monitor your network.

The best way to stop these scams within organizations internal controls is to make it mandatory that any bank changes for Direct Deposit or Accounts Payable are verified verbally before proceeding.

Cybercriminals, however, target individuals, not networks, so you must also make your staff aware of these security risks. With proper education and training, you can lessen the chance of an employee falling for an email phishing scam.

What to do if you receive a suspected phishing email.

If you receive a questionable email, here are a few tips on what to do:

  • Do not click on any links contained within the email.
  • Do not respond to an email requesting financial information, especially if it implies urgency.
    • If you believe the company does need personal information from you, call the company, using a number in your own address book. Do NOT call the number within the email.
  • Call your employees to verify that an email truly came from them.
    • For further safety, print a paper copy of the employee’s email requesting a direct deposit change and a copy of a direct deposit form.
    • Before making any changes, have the employee provide you with a voided check with banking information along with their completed direct deposit form.
  • When in doubt, assume it is a scam.
  • Always report.

If you responded to a phishing email, here is what to do:

  • If you provided personal information requested in a phishing email, such as Social Security, credit card, or bank account number, go to IdentityTheft.gov and follow the steps based on the information you provided.

Reporting BEC/BES Emails

If you think you see a scam, reporting it is crucial, not only to protect yourself but to help someone else avoid scams.

The IRS suggests forwarding non-tax related BEC/BES email scams to the Internet Crime Complaint Center (IC3) monitored by the FBI. When filing a complaint at the IC3, be sure to copy and paste the entire email, including header information. The IC3 does not have an email address to forward BEC/BES emails to, instead, they provide a form where you can fill out this information here.

Don’t fall victim to these hackers. Remain alert to keep you and your employee’s personal details secure. The more you educate yourself and your employees, the better prepared your business will be to stay vigilant in your cybersecurity efforts.