Cybercrimes against businesses have been increasing at a steady pace. We have heard of various companies being targeted, and we want to make our clients aware.
Scammers are targeting the HR functions or bookkeepers of all types of businesses with the goal of convincing them to change direct deposit information to fraudulent bank accounts.
Scammers send an email impersonating an employee – often an executive or business owner – to the bookkeeper or person in charge of payroll. Typically, this email poses as the personal email of the employee. The scammer asks to change his/her bank deposit information. The payroll person or HR person responds to this personal email address (fraudulent account) with the form needed to change the direct deposit information. The scammer completes the form with an offshore account or other untraceable bank account and sends the form back to HR. The HR person changes the bank information in the payroll system. When the next paycheck is issued, the money goes into the fraudulent account. By the time this is discovered by the employee and/or the payroll or HR person who made the change, it is too late.
Another scam involves wire transfers or vendor payments. The email impersonates a company executive and is sent to the company employee responsible for wire transfers. The email requests a wire transfer be made to a specific account that is controlled by the scammer. The employee makes the wire transfer, and the funds are gone.
What You Can Do
It is important to discuss these scams with all levels of employees. Make everyone aware of them so no one falls victim to them. You can have training on IT security, but human error still exists and can cause this scam to be successful.
- Train employees, especially those with any access to payroll records or bank information, to question the email if the request doesn’t make sense.
- Initiate a policy that states HR or payroll needs to speak with the person who the email supposedly came from in person or via phone before any changes are made.
- Require that all direct deposit form changes include some personal information that a scammer will not know (example: Employee ID#).
- Require the form be signed and returned via mail or in-person to the HR department versus allowing everything to be done via email.
It is very important to talk to employees about what procedures are in place when they get these direct email requests. If the owner tells an employee to do something, they will typically do it. This is why the scam is so successful. If you have talked about the situation ahead of time, employees may be more apt to make that phone call to verify it is not fraudulent versus going ahead and doing what they are told to do without asking questions.
Remember: Your company’s security is only as good as your weakest link.