The FBI saw a marked increase in the number of reported Business Email Compromise scams over the last decade. Most people are familiar with these schemes by now, commonly called “phishing.” However, in a September 2019 bulletin, the FBI notes that a particular type of phishing scam is on the rise: Payroll Diversion.
Payroll Diversion scams stand out from other phishing tactics in that they do not request credentials or wire transfers. Instead, this new method sees attackers spoofing the identities of employees within a company, emailing human resources or payroll to request changes in their direct deposit information. The new information typically routes to a pre-paid, reloadable card – one without identifying information attached.
This new method is similar to other “spear-phishing” attacks, in which specific, typically higher-up employees are targeted directly, rather than the attacker sending out a mass email to all recipients at a business. They are typically more sophisticated than the average spam email, using natural language and referencing the correct employees in each department.
Businesses can avoid falling victim to these scams several ways:
- Employees should be trained to look at the full email address, not just the sender’s name, when reviewing email. Although the display name may match an employee’s name, the email address itself will typically not be from the correct domain.
- Enterprise-grade spam filter solutions use advanced algorithms to detect and block these messages. Though they are not perfect, they dramatically reduce the volume of spam and malicious scam emails that get through.
- Sensitive information should not be shared over unencrypted email. Alternative, more direct forms of contact (face-to-face, phone call) should be used for things such as banking info or wire transfers (common targets in phishing schemes).
- Consider adding an external recipient warning, which flags all email not generated within the company as such. It does not prevent these emails from coming through, as many will be legitimate, but it alerts the end user to their origin, which reduces the effectiveness of spoofed emails.
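The first and last suggestions above (check the real address behind the display name, and tag mail from outside the company) can be automated at the mail gateway. The following is an added example, not code from the original post or from Layered Systems; it assumes a company domain of example.com, a constructed employee directory, and two constructed messages, one spoofed and one genuine.

```python
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumption: the company's own mail domain

# Constructed directory of display names to the addresses the company issued.
EMPLOYEE_DIRECTORY = {"jane doe": "jane.doe@example.com"}

# Constructed sample: display name matches a real employee, the address does not.
SPOOFED_MESSAGE = b"""From: "Jane Doe" <jane.doe@examp1e-mail.com>
To: payroll@example.com
Subject: Updated direct deposit details

Hi, please update my direct deposit to the account below before Friday's payroll.
"""

# Constructed sample: the same employee writing from the genuine internal address.
INTERNAL_MESSAGE = b"""From: "Jane Doe" <jane.doe@example.com>
To: payroll@example.com
Subject: Updated direct deposit details

Hi, can you confirm my current direct deposit details? I will stop by HR today.
"""


def analyse_sender(raw_message: bytes, internal_domain: str = INTERNAL_DOMAIN,
                   directory: dict = EMPLOYEE_DIRECTORY) -> dict:
    """Split the From header into display name and real address, decide whether
    the sender is outside the company, and flag a display name that belongs to
    a known employee but is paired with an address the company never issued."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    domain = address.rpartition("@")[2].lower()
    is_external = domain != internal_domain.lower()
    expected = directory.get(display_name.strip().lower())
    impersonation = expected is not None and expected.lower() != address.lower()
    return {"display_name": display_name, "address": address,
            "is_external": is_external, "impersonation": impersonation}


def tag_subject(raw_message: bytes) -> str:
    """Return the Subject with an [EXTERNAL] prefix when the sender is outside
    the company, the way an external-recipient warning rule rewrites it."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    if analyse_sender(raw_message)["is_external"]:
        return "[EXTERNAL] " + subject
    return subject
```

A payroll inbox rule can then route anything with `impersonation` set to a human for the out-of-band phone or face-to-face confirmation described above.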
At Layered Systems, we have seen multiple attempts of these Payroll Diversion scams within our customer base. Fortunately, by leveraging a combination of the above suggestions, we have minimized their exposure. To learn more about how to protect your business from Payroll Diversion and other Business Email Compromise scams, Contact Us today.