Cyber criminals do not want to go to the trouble of elaborate hoaxes to make quick money from their victims. And these scams are aimed not only at individuals but also at businesses and institutions.
In fact, cybercrime against businesses is steadily rising. According to a recent FBI report, losses due to business scams exceeded 12.5 billion dollars in 2018! Clearly, targeting businesses is a very profitable line of work for fraudsters.
Now it seems that scammers have developed a simple but effective way to collect money from companies that use direct deposit to pay their employees. Below are the details of the fraud and some tips on how to protect your organization.
Fraud is rising in payroll direct deposit systems
As with the recent explosion of tax fraud and gift card fraud, hackers are now targeting the human resources departments of companies in the hope of persuading employees to change payroll bank details to an account under the attackers' control.
For example, KVC Health Systems, a Kansas City-based non-profit childcare service, receives this kind of phishing e-mail about two or three times a month, CNBC reports.
Similar to Business Email Compromise (BEC) scams, the fake e-mail appears to have been sent from an executive to HR employees. Their request? Change the payroll bank account information that the company uses to make direct deposits.
If it succeeds, the attacker can leave the company with a loss of thousands of dollars, and its employees, of course, will not be paid on time.
How this scam works
Despite its potential for large losses, payroll fraud is not a particularly sophisticated attack. Unlike traditional BEC fraud, the crooks do not even bother to hack your boss's e-mail account. They simply create fake e-mail accounts with free services (Gmail or Yahoo, for example) using the name of an employee (usually someone from HR).
With this method, they hope that the target employee will be careless enough not to look at the full e-mail address, or will read the message on a phone, where only the sender's name is immediately visible in the From field.
The messages are short and casual, with a slight sense of urgency, asking the employee to change the bank details quickly.
Unlike other e-mail scams, these messages are written with few typographical or grammatical errors. They often try to stop the victim from contacting the boss, claiming that he is "in a meeting" or has "limited phone coverage".
Here are some examples:
"Are you available? There is something you have to do. I'm going to a meeting and I'll have limited access to my phone, so just reply to my email."
"I have to update the information on the direct payment of payroll payments. Can we handle it now? Thanks."
Why are payroll scams spreading?
Simple as they are, these scams are spreading because they are easy to create and scale, usually by automated means. As I mentioned earlier, the fraud does not require successfully hacking an employee's e-mail account; all it takes is creating a new account in their name.
And because the fake e-mails are short and casual, they usually do not trigger spam or phishing filters. In addition, the fraud does not arouse suspicion, because it does not ask for a cash transfer, only for a change of bank account number.
This approach costs nothing to set up, so the scammers can "hit" more companies with fewer resources. The success rate is lower, but they can stay under the radar for much longer.
How to protect your organization from payroll fraud:
So how do we protect ourselves from this growing cyber-scam? Here are a few tips:
Be alert to e-mail addresses - Carefully check sender addresses, especially on messages from executives requesting financial transactions. A single missing character in the address can be the difference between security and compromise. And as far as possible, do not use personal e-mail accounts for company messages.
Improve your company's e-mail filters - Ask the IT department to add the keywords used in this attack to your spam filters.
Watch out for social engineering - Review your social media feeds and avoid publishing details about your work that could reveal who your managers and human resources staff are.
Use two-factor authentication - Consider requiring two-factor authentication for money transfers and corporate e-mail accounts. Verify requests using known phone numbers, and avoid sharing those numbers over e-mail.
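As an added example (not from the article or KVC Health Systems), here is the kind of inbound-mail check a gateway or SOC script could run for the pattern described above: an employee's display name on an outside address, a domain one character off from the company's, payroll keywords, and "just reply by email" urgency phrasing. The company domain, the directory of names and the sample messages are all constructed for the example.

```python
import difflib
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.test"          # assumed corporate domain
DIRECTORY = {"jane doe", "sam rivera"}        # constructed HR/exec display names
KEYWORDS = re.compile(r"\b(direct deposit|payroll|bank (account|information|details)"
                      r"|routing number)\b", re.I)
URGENCY = re.compile(r"\b(into? a meeting|limited (access|phone)|just reply"
                     r"|handle it now)\b", re.I)

def score_message(from_header: str, subject: str, body: str):
    """Score one message; returns (score, reasons). 3 or more: hold for review."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    score, reasons = 0, []
    if domain != COMPANY_DOMAIN:
        if " ".join(name.lower().split()) in DIRECTORY:
            # Employee display name on an outside (free-mail) address: the
            # pattern a phone client hides by showing only the name.
            score += 2
            reasons.append(f"employee name '{name}' sent from external {addr}")
        elif difflib.SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio() > 0.85:
            score += 2    # lookalike domain, e.g. one character missing
            reasons.append(f"lookalike domain {domain}")
    text = f"{subject}\n{body}"
    if KEYWORDS.search(text):
        score += 1
        reasons.append("payroll / bank-change keywords")
    if URGENCY.search(text):
        score += 1
        reasons.append("urgency or 'just reply by email' phrasing")
    return score, reasons

def triage(messages):
    """Return the (from, subject, body) tuples that score 3 or more."""
    return [m for m in messages if score_message(*m)[0] >= 3]

SAMPLES = [  # constructed messages, not real mail
    ("Jane Doe <jane.doe@example-corp.test>", "Q3 payroll calendar",
     "Reminder: timesheets are due Friday."),
    ("Jane Doe <jane.doe.hr1982@freemail.test>", "Quick request",
     "Are you available? I'm going into a meeting with limited access to my "
     "phone, so just reply by email. I need my direct deposit information updated."),
    ("Payroll Team <payroll@exampl-corp.test>", "Direct deposit update",
     "Reply with your updated bank account information today."),
    ("Newsletter <news@vendor.test>", "Payroll software update",
     "Release notes are available."),
]
```

Calling `triage(SAMPLES)` holds the second and third messages for review, while the genuine internal payroll reminder and the vendor newsletter each score only 1 for their keyword hit.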