Well, I hate to say it, but I thought the recent TV Licensing email scam was an innovative one, until I stumbled upon this: payroll fraud. Yes, actual interception of your hard-earned salary, which everybody desperately needs, especially in the current economic climate.
We have all heard of CEO fraud (or whaling), where a cyber criminal uses phishing tactics, pretends to be your boss or a senior manager in your business, and asks you to do something, for example transfer or authorise funds to a bank account.
Cyber fraudsters try to establish credibility with you before sending out phishing emails. They hack into various email accounts and read through conversations and calendar entries, then reference meetings, appointments and recent emails to convince you that they are who they say they are. The aim is that you believe them and do what their emails ask, and so help them commit fraud by following their instructions.
More sophisticated attackers, once they have successfully hacked into your email accounts, have created fake invoices from your suppliers with the supplier's bank details replaced by their own. There have been many cases over the last few years where big names, such as Facebook and Google, have been hit by invoice fraud. Now these cyber criminals are going one step further: they are targeting your personal finances by attempting payroll fraud.
I'm afraid I am serious. After hacking into your email account, whether personal or business, the cyber fraudsters find out who works in your company's HR/Payroll department and send them a phishing email. Posing as you, they ask for the bank details your salary is paid into to be changed to a different account: their account.
A few conversations back and forth with an HR staff member who is perhaps not able to spot the subtle differences between you and the cyber criminal, and the request is actioned with you none the wiser, until pay day, when the whole thing unravels and both you and the business are significantly out of pocket.
Apart from the obvious IT prevention steps, such as better layers of cyber security at the technology level and strong email password policies, staff user training (cyber security awareness training) is absolutely required so that people can spot these fraudulent attempts, backed by a solid process for flagging suspected phishing. A simple phone call to the staff member, using the number already held on record, to confirm and authorise the request would be a good start and would avoid being lured into a very difficult situation, both personally and professionally.
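As an added illustration (not part of the original post or any real HR product), here is a small Python model of a payroll bank-detail change workflow that enforces the check described above: a change is never approved on the strength of an email alone, and confirmation must come via the phone number already on the employee's record, never a number supplied in the request. All names, addresses and account details are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class EmployeeRecord:
    """What HR already holds for the employee (constructed sample data)."""
    name: str
    work_email: str       # address on record, NOT taken from the incoming request
    phone_on_record: str  # the number HR must call; never one quoted in the email
    sort_code: str
    account: str

@dataclass
class ChangeRequest:
    """An emailed request to redirect salary to a new account."""
    sender: str                      # From: address of the email
    new_sort_code: str
    new_account: str
    confirmed_by_phone: bool = False  # set by HR only after calling phone_on_record
    reasons: list[str] = field(default_factory=list)

def evaluate_change(rec: EmployeeRecord, req: ChangeRequest) -> tuple[bool, list[str]]:
    """Return (approved, reasons). Email content alone is never sufficient."""
    reasons: list[str] = []
    if req.sender.lower() != rec.work_email.lower():
        # Lookalike domain or a personal address: an immediate red flag.
        reasons.append("sender does not match address on record")
    if not req.confirmed_by_phone:
        # A matching sender is NOT enough: the post describes a compromised mailbox,
        # so the email can genuinely come from the employee's own account.
        reasons.append("no out-of-band confirmation via number on record")
    if (req.new_sort_code, req.new_account) == (rec.sort_code, rec.account):
        reasons.append("requested details are identical to those on record")
    return (not reasons, reasons)

def apply_change(rec: EmployeeRecord, req: ChangeRequest) -> EmployeeRecord:
    """Apply the change only when every check passes; otherwise return record unchanged."""
    approved, reasons = evaluate_change(rec, req)
    req.reasons = reasons
    if not approved:
        return rec
    return EmployeeRecord(rec.name, rec.work_email, rec.phone_on_record,
                          req.new_sort_code, req.new_account)

if __name__ == "__main__":
    alice = EmployeeRecord("A. Example", "alice@example.com", "+44 0000 000000", "00-00-00", "00000000")
    req = ChangeRequest("alice@example.com", "11-11-11", "11111111")  # from her real (hacked) mailbox
    print(evaluate_change(alice, req))  # rejected: no phone confirmation yet
```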
For some examples of the types of phishing emails sent to HR departments on behalf of unwitting employees, visit https://businessinsights.bitdefender.com/business-payroll-compromise-criminals-steal-company
Please also watch the video below from Webroot (an industry front-runner and our aligned partner in anti-virus and cyber security awareness) to understand how to spot a phishing email with some very simple awareness steps. Carrying out just these few sensible checks and measures will often ensure you do not fall victim to cyber fraud.