Keeping payroll and HR data secure: business email compromise
SENT: Tuesday, Sept. 6, 2021 9:22 AM
SUBJECT: Quickly please!
I need to change my direct deposit account information – can you handle immediately? I’m in a rush.
If you received the above email from the CEO of your company, would you find it suspicious? Unfortunately, more and more companies are falling victim to these types of increasingly prevalent scams.
Employers and HR professionals are frequent targets of malicious hacking attempts, usually through deceptive emails that try to obtain or change personal financial information. These scams are known as "business email compromise" (BEC).
The latest scam follows a simple formula (like the example email above): An HR Director or Payroll Director receives an email from a (usually) high-level employee – even a company owner – requesting an urgent change to direct deposit information. If the target falls for the scam and changes account numbers, multiple pay periods could pass before the individual realizes either part or all of their paycheck has been diverted into an alternate account.
This highlights the importance of maintaining strict policies when it comes to the personal financial information of employees. For example, the changing of direct deposit accounts should only occur after a Direct Deposit Authorization Form is completed and signed.
"BEC is sophisticated because it avoids the use of malicious programs. Instead, it uses the victim's trust to trick them into making fraudulent transactions," said Youssef Karami, Director of IT Infrastructure at Checkwriters.
"Another type of email attack related to BEC is EAC, or Email Account Compromise. This type of threat is increasing in popularity due to the rise of cloud-based infrastructure. It involves gaining access to legitimate mailboxes by using social engineering methods to trick or threaten the target into making a fraudulent financial payment."
"Because BEC and EAC are so interconnected, it's essential that companies take a universal approach to protect their data by having the proper tools and training to address multiple threats that can help prevent these types of attacks. These attacks are prevalent and can affect any organization; however, they can be mitigated through proper email security measures and education. At Checkwriters, for example, we've invested in various technologies as well as offer training and assistance to our employees to help detect malicious emails and preempt data compromise."
While it remains incumbent upon Payroll and HR Professionals to be vigilant to scams like these, your Payroll and HR Platform should have certain security measures built into the system to alert you and your employees to significant changes.
For example, a text message alert sent to the employee whenever any change is made to their direct deposit information within your Payroll and HR platform.
In addition, Payroll and HR departments should be especially careful when setting up direct deposits to a paycard or prepaid debit card. Financial institutions recommend that employers call their employees to get verbal confirmation on all bank account changes to help prevent potential scams.
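The controls above (a signed Direct Deposit Authorization Form, a verbal callback to a number already on record rather than one supplied in the request, and an alert to the employee on every change) can be enforced in the change workflow itself rather than left to individual judgement. The following Python model is an added example written for this article; it is not Checkwriters' code, and the employee record, request fields and SMS text are constructed assumptions. The point it shows is that an emailed request, however urgent, never changes an account by itself, and that even a held request triggers an alert, since a change the employee never asked for is the earliest sign of compromise.

```python
"""Direct-deposit change gate (illustrative, not a vendor implementation)."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Employee:
    employee_id: str
    name: str
    phone_on_file: str      # taken from the HR record, never from the request
    routing: str
    account: str


@dataclass
class ChangeRequest:
    employee_id: str
    new_routing: str
    new_account: str
    channel: str                         # e.g. "email", "portal"
    signed_form_received: bool = False   # Direct Deposit Authorization Form on file
    verbal_confirmation: bool = False    # set only after calling phone_on_file


@dataclass
class Decision:
    applied: bool
    reasons: List[str] = field(default_factory=list)   # why the change was held
    alerts: List[str] = field(default_factory=list)    # messages sent to the employee


def mask_account(account: str) -> str:
    """Show only the last four digits in any alert text."""
    return "*" * max(len(account) - 4, 0) + account[-4:]


def process_change(emp: Employee, req: ChangeRequest) -> Decision:
    """Apply a direct-deposit change only when both out-of-band checks pass.

    Whatever the outcome, the employee is alerted at the phone number already
    on record, so a request they did not make is noticed before a pay period
    is diverted.
    """
    decision = Decision(applied=False)
    if req.employee_id != emp.employee_id:
        decision.reasons.append("request does not match the employee record")
        return decision

    if not req.signed_form_received:
        decision.reasons.append("no signed Direct Deposit Authorization Form on file")
    if not req.verbal_confirmation:
        decision.reasons.append("no verbal confirmation via the phone number on record")

    if decision.reasons:
        decision.alerts.append(
            f"SMS to {emp.phone_on_file}: a direct deposit change for {emp.name} "
            f"was requested via {req.channel} and is on hold pending verification."
        )
        return decision

    emp.routing, emp.account = req.new_routing, req.new_account
    decision.applied = True
    decision.alerts.append(
        f"SMS to {emp.phone_on_file}: direct deposit for {emp.name} now goes to "
        f"account {mask_account(emp.account)}. Contact payroll if you did not request this."
    )
    return decision


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    emp = Employee("E100", "A. Example", "+1-555-0100", "011000015", "000111222")
    rushed = ChangeRequest("E100", "021000021", "999888777", channel="email")
    print(process_change(emp, rushed))          # held: no form, no callback
    rushed.signed_form_received = True
    rushed.verbal_confirmation = True
    print(process_change(emp, rushed))          # applied, employee alerted
```

The request object carries no phone number on purpose: the callback always goes to the number already in the HR record, because a fraudulent request will happily supply a number the attacker controls.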
Of course, no safeguard is foolproof, but each one helps in monitoring changes and confirming that they are legitimate.
Current Checkwriters customers can request Text Message Alerts be turned on by contacting their Account Specialist at 888-243-2555. (Please note the feature requires employee mobile phone numbers).
Disclaimer: The information contained herein is not intended to be construed as legal advice, nor should it be relied on as such. Employers should closely monitor the rules and regulations specific to their jurisdiction(s) and should seek advice from counsel relative to their rights and responsibilities.