Protecting your business and its assets is more complex today than ever. With digital communications, eCommerce, and online payment processing, most companies conduct much of their business engagements and operations online. This creates additional risk, including data breaches, phishing scams, and the increasingly common payroll diversion scam.
It’s easy to presume your company’s payroll processes are protected. But the cybercriminal community keeps evolving and adopting new methods of infiltration that you might not see coming. Discover some of the latest strategies companies are using to stave off payroll diversion scams. These tips and proven tactics can help ensure your business continues to protect its payroll processes, employees, and bottom line.
How Do You Define a Payroll Diversion Scam?
A payroll diversion scam is a malicious attempt by cybercriminals to redirect a company’s flow of direct deposits. It’s sometimes called direct deposit fraud or payroll diversion fraud, and it’s more prevalent than some might realize. Using a variety of tactics, fraudsters try to intervene in or intercept an employee’s paycheck, rerouting it to a bank account under their own control. By the time you realize this scam has happened to one of your staff, it’s incredibly difficult to recover the funds.
How the Cybercriminals Facilitate this Payroll Hack
It’s easy to assume that when you establish a direct deposit or pay channel for your employees, those channels are safe and protected by the banking institutions’ online security measures. However, a payroll diversion scam is carried out differently from a traditional hack. Today’s scammers are finding workarounds: phishing your payroll staff, compromising your payroll information, and getting unprepared employees to make changes without realizing a scam is at play.
They Do Their Homework
In most instances, the cybercriminal starts by researching the business and targeting a specific employee or two who have access to the payroll system. Their research also extends to contacting any third-party payroll providers or breaking into software solutions in an attempt to learn when employees are paid and what authentication provisions are in place.
They Attempt to Infiltrate and Impersonate
With a target in mind and information in hand, the cybercriminal gains access to the employee’s email account through phishing, or replicates the employee’s email identity. These fake emails impersonate the employee, reaching out to payroll or HR and requesting a change to the method or routing of payment. If your payroll personnel aren’t suspicious, they could unwittingly make the change in good faith, only to find out later that they’d been scammed.
They Take the Money and Run
If an unsuspecting payroll administrator falls for one of these bogus email requests, come payday, those funds won’t go to the designated employee. Instead, they’ll be diverted to the cybercriminal’s account and immediately moved into gift cards or prepaid credit cards, making the funds nearly impossible to trace. And if you think your payroll teams are too smart to fall for these gimmicks, think again. The fraudsters rely on social engineering and a sense of urgency, with messaging like:
- “I need to make sure my pay goes to the right account in time for next week.”
- “If I don’t get paid to this account, I won’t be able to pay my bills!”
Tips for Protecting Your Company from Payroll Diversion Scams
Explore these tips and best practices and start creating a protection policy for your payroll and human resources teams. The companies having the most success in preventing payroll diversion scams are taking these critical steps.
Create an Awareness Campaign Internally
Begin by educating your staff, including payroll, HR, and the general workforce, about the existence of these payroll diversion scams. Sometimes, just knowing what criminals are attempting generates enough awareness to know when to pause. Also, follow these suggestions in your internal awareness efforts:
- Train payroll and HR staff with access to your company’s payroll system to identify scam red flags and payroll diversion risks.
- Create policies and procedures for staff who encounter suspicious emails, prohibiting anyone from sharing banking, payroll, routing, or employee information.
- Establish a process for authenticating any employee request to change pay methods. This might include security questions, PINs, or customized login credentials.
Leverage Every Technological Security Measure
Use technology to your advantage to help prevent infiltration by these payroll diversion scammers. Talk with your IT partners and software solution partners about adding new measures to filter scam emails. Then implement these tech-based security measures:
- Multi-Factor Authentication (MFA) – A login process that requires employees or users to present more than just a password to gain entry.
- Secure Email Gateway (SEG) – A product that provides a more comprehensive assessment of email-related threats, including scanning attachments.
- Content Disarm and Reconstruction (CDR) – A threat extraction method that proactively protects against known and unknown digital threats by stripping potentially malicious content from emails and attachments before delivery.
What the FBI Recommends
Your business can also follow these protective measures and security suggestions provided by the FBI. The first line of defense is always employee education. Beyond that, consider these tips:
- Apply more scrutiny to the handling of bank information.
- Add layers of verification for employees who wish to change their pay or personal information online.
- Monitor and flag payroll dashboard or payroll information logins that occur well outside business hours.
- Restrict access to sensitive online information using two-factor authentication.
- Only allow specific authorized users or programs access to any payroll-facing solutions or processes.
- Report malicious or suspicious payroll activity immediately.
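The FBI tips above (extra scrutiny on bank-detail changes, added verification layers, and flagging off-hours logins) can be turned into a review step that runs over payroll-system audit events. The following is an added example, not code from the original article or from any payroll vendor; the event format, field names, and business-hours window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, time

# Constructed sample audit events from a hypothetical payroll system (not real data).
# Each event is either a login or a direct-deposit change request for an employee.
EVENTS = [
    {"ts": "2024-03-04T10:12:00", "type": "login", "employee": "e1001", "mfa": True},
    {"ts": "2024-03-04T10:15:00", "type": "dd_change", "employee": "e1001",
     "source": "self_service", "new_account_last4": "4471"},
    {"ts": "2024-03-04T23:41:00", "type": "login", "employee": "e2002", "mfa": False},
    {"ts": "2024-03-04T23:44:00", "type": "dd_change", "employee": "e2002",
     "source": "email_request", "new_account_last4": "9083"},
]

# Assumed business-hours window; adjust to the organisation's own schedule.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)


def outside_business_hours(ts, start=BUSINESS_START, end=BUSINESS_END):
    """True for weekend timestamps or times outside the working-hours window."""
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or not (start <= t.time() <= end)


def review_change_requests(events):
    """Return one decision per direct-deposit change request.

    Every change is held until the employee confirms it over a channel already
    on file (phone callback or in person). Requests that also trip a red flag
    are escalated so security can review them before payroll releases the change.
    """
    last_login = {}
    decisions = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "login":
            last_login[ev["employee"]] = ev  # remember the session behind later requests
            continue
        if ev["type"] != "dd_change":
            continue
        reasons = []
        if outside_business_hours(ev["ts"]):
            reasons.append("request made outside business hours")
        if ev["source"] != "self_service":
            reasons.append("request did not come through authenticated self-service")
        login = last_login.get(ev["employee"])
        if login is None or not login["mfa"]:
            reasons.append("no MFA-verified session behind the request")
        decisions.append({
            "employee": ev["employee"],
            "new_account_last4": ev["new_account_last4"],
            "action": "escalate_to_security" if reasons else "hold_for_callback",
            "reasons": reasons,
        })
    return decisions
```

Run against the constructed events, the in-hours self-service change backed by an MFA session is merely held for a callback, while the late-night email-initiated change with no MFA session is escalated with all three reasons recorded.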
With every digital process and convenience come emerging risks and vulnerabilities. Recognize payroll diversion scams when you encounter them and leverage these strategies to keep your business, its payroll, and its staff secure. Don’t forget, too, that Anti-Fraud News is always sharing the latest insights on scams and fraud, along with the solutions and security measures your business needs to know about to remain protected. Come back often to explore the latest cybersecurity headlines, and take the insights you learn here back to your company to explore your options for improved protections, better security efforts, and bottom-line preservation.