As if organizations needed another type of financial scam to be wary of, cyber criminals are increasingly turning their focus to human resources and payroll functions.
The typical scam works like this: The payroll department receives an email purportedly from an employee asking that his/her payroll direct-deposit information be changed to a new bank. Sometimes, the email includes the company’s own direct deposit form attached, with new information already entered. These emails might arrive just a few days before the usual date of payroll, with the request to process as soon as possible. The scammers know that many organizations process these forms expeditiously as a service to their employees, and often do so without verification.
Worse yet, scammers often monitor social media to learn when the employee they are impersonating is on vacation. They send the request from a fraudulent personal email account, which makes verification difficult, and the message may mention that the employee is on vacation, ask that the change be made ASAP, and direct any questions to the sending address.
In many cases, the payroll employee makes the requested change without question, and the next they hear of it is on payday, when the targeted employee doesn’t receive their deposit. By then the funds have usually been transferred to another bank and immediately withdrawn, making recovery unlikely.
Some best practices to reduce the chances of payroll fraud:
- Verify all payroll change requests by a second channel of contact: phone call, cell phone, or in person.
- Don’t make payroll forms available on the company external or internal websites.
- Consider the benefits and risks of listing H.R. and operations personnel on the company’s external website.
- Caution employees about social media privacy. Many security experts now recommend posting those vacation pictures after you return!
- Tell your employees to trust their instincts. If something seems unusual, ask a colleague for a second opinion and take the time to verify.
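As an added illustration (not part of the original article), the following Python triage check scores an inbound payroll change request against the indicators described above: a sender outside the corporate domain, urgency, a claim of being away, an attached form, and timing close to payday. The corporate domain, the pay dates and the two sample messages are assumptions constructed for the example.

```python
import calendar
from dataclasses import dataclass
from datetime import date

CORPORATE_DOMAIN = "example.com"   # assumption: the organization's own mail domain
PAYROLL_DAYS = (1, 15)             # assumption: semi-monthly pay dates (day of month)
CHANGE_PHRASES = ("direct deposit", "bank account", "routing number", "new bank")
URGENCY_PHRASES = ("asap", "as soon as possible", "before payday", "urgent")
AWAY_PHRASES = ("on vacation", "out of office", "travelling", "traveling")

@dataclass
class Email:
    sender: str                    # constructed minimal view of an inbound message
    subject: str
    body: str
    received: date
    attachments: tuple = ()

def days_to_payday(d: date) -> int:
    """Days from d until the next assumed pay date, wrapping into next month."""
    for pay_day in sorted(PAYROLL_DAYS):
        if pay_day >= d.day:
            return pay_day - d.day
    month_len = calendar.monthrange(d.year, d.month)[1]
    return month_len - d.day + min(PAYROLL_DAYS)

def triage(msg: Email) -> list:
    """Red flags matched by msg; [] means it is not a payroll change request."""
    text = f"{msg.subject} {msg.body}".lower()
    if not any(p in text for p in CHANGE_PHRASES):
        return []
    flags = ["change-request"]     # every real request still gets a call-back
    if msg.sender.rsplit("@", 1)[-1].lower() != CORPORATE_DOMAIN:
        flags.append("external-sender")       # personal or fraudulent mailbox
    if any(p in text for p in URGENCY_PHRASES):
        flags.append("urgency")               # "process ASAP"
    if any(p in text for p in AWAY_PHRASES):
        flags.append("claims-unavailable")    # discourages second-channel contact
    if any(a.lower().endswith((".pdf", ".docx")) for a in msg.attachments):
        flags.append("form-attached")         # pre-filled company form
    if days_to_payday(msg.received) <= 3:
        flags.append("near-payday")           # arrives just before the pay run
    return flags

# Constructed sample matching the pattern the article describes.
SCAM = Email("jane.doe@personal-mail.example.net", "Direct deposit change - ASAP please",
             "Hi, I'm on vacation and switched to a new bank. Attached is the updated "
             "form, please process before payday. Reply here with questions.",
             date(2024, 3, 13), ("dd_form.pdf",))
# Constructed routine internal request: still verified, but low priority.
ROUTINE = Email("jane.doe@example.com", "Direct deposit form",
                "Attached is my updated bank account form, no rush.", date(2024, 3, 2))
```

Any message that matches at all is held for the second-channel verification the list above calls for; the extra flags only decide how urgently the payroll team escalates.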