
How to avoid payroll diversion scams

10.04.21

As a business owner, you’re no stranger to hearing about the threat of cybercrime and cyberattacks. You’ve likely heard about phishing, social engineering and ransomware. But the costliest cyberattacks? Business email compromise (BEC) and payroll diversion scams. Payroll diversion scams are part of a larger family of email attacks that on average cost businesses nearly $75,000 per attack. These targeted attacks are harder to spot than ordinary scams because they rely heavily on social engineering rather than on malicious links or attachments.

What are payroll diversion scams?

Payroll diversion is a type of payroll fraud where cybercriminals trick employees or payroll managers into changing direct deposit information. Instead of the paycheck going to the employee’s bank account, it goes to an account controlled by the cybercriminals. The root cause? What’s known as Business Email Compromise (BEC). Here’s how it works.

Research: It all starts with a hacker researching the company to find and target an employee with access to the payroll system, as well as an employee to impersonate. They’ll also research which payroll system the company uses, when employees get paid and how users authenticate to that system.

Infiltrate: Once the hacker has the necessary information, they work to gain access to the impersonated employee’s email account through credential phishing, or they register a look-alike domain and send email from an address that mimics the employee’s. Spoofing or imitating a small business’s email domain is relatively easy if that domain is not protected by email authentication (SPF, DKIM and DMARC).

Impersonation: The fake emails are sent to human resources or to the company’s payroll processor asking for updates to the payroll system so that funds are disbursed into accounts the hacker controls. These emails are not typical spam or junk mail. They usually contain no links or attachments and read as if the employee simply needs help with their payroll or direct deposit, which makes them hard to spot. The trickiest thing about payroll diversion emails is that they almost always carry a sense of urgency and lean on social engineering. They include language such as “I need the update to be paid in time for payday” or “If I don’t get paid, I won’t be able to pay my bills.” The payroll manager wants to help the employee as quickly as possible, and that is exactly what the attacker is counting on.

Disbursement: Once the change has been made and payday arrives, the money is sent to the hacker-controlled account and then quickly transferred to prepaid or gift cards. This makes the money hard to track.
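The red flags in the steps above (a sender domain that imitates the company’s, a Reply-To that points somewhere else, urgency language and a request to change direct deposit details) can be checked mechanically before anyone touches the payroll system. The following is an added example written for this page, not code from the original article or from any payroll product. It parses an email with Python’s standard library and returns the indicators it found; the company domain, the keyword lists and the three sample messages are assumptions constructed for the example. Note that the From header itself can be forged when the real domain has no DMARC policy, so the check is a triage aid, not a substitute for calling the employee on a known number.

```python
"""Triage checks for direct-deposit change requests sent to a payroll inbox.

Added example for this article; not part of the original page. Every
domain, keyword and sample message below is a constructed assumption.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"  # assumption: the employer's real mail domain

# Phrases that signal a change to where pay is sent (assumed keyword list).
DIRECT_DEPOSIT_PATTERNS = [
    r"\bdirect deposit\b", r"\bbank account\b", r"\brouting number\b", r"\bpayroll\b",
]
# Pressure language of the kind quoted in the article (assumed keyword list).
URGENCY_PATTERNS = [
    r"\bbefore pay ?day\b", r"\bin time for pay ?day\b", r"\bpay my bills\b",
    r"\bas soon as possible\b", r"\basap\b", r"\burgent\b",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains one or two characters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str, real: str = COMPANY_DOMAIN) -> bool:
    """True for a domain that is close to, or embeds, the real company domain."""
    if not domain or domain == real:
        return False
    real_label = real.split(".")[0]
    return edit_distance(domain, real) <= 2 or real_label in domain


def triage(raw_message: str) -> dict:
    """Parse one RFC 822 message and report BEC indicators for a payroll request."""
    msg = message_from_string(raw_message)
    sender = domain_of(msg.get("From", ""))
    reply_to = domain_of(msg.get("Reply-To", ""))
    body = msg.get_payload()
    body = body if isinstance(body, str) else ""  # example handles single-part mail
    text = (msg.get("Subject", "") + "\n" + body).lower()

    flags = {
        "direct_deposit_change": any(re.search(p, text) for p in DIRECT_DEPOSIT_PATTERNS),
        "urgency_language": any(re.search(p, text) for p in URGENCY_PATTERNS),
        "external_sender": sender != COMPANY_DOMAIN,
        "lookalike_domain": is_lookalike(sender),
        "reply_to_mismatch": bool(reply_to) and reply_to != sender,
    }
    indicators = sum(flags[k] for k in (
        "urgency_language", "external_sender", "lookalike_domain", "reply_to_mismatch"))
    return {
        "flags": flags,
        # Every direct deposit change is verified out of band, regardless of score.
        "verify_out_of_band": flags["direct_deposit_change"],
        # Two or more indicators on a deposit change is treated as probable BEC.
        "likely_bec": flags["direct_deposit_change"] and indicators >= 2,
    }


# Constructed sample messages (not real mail).
SAMPLE_LOOKALIKE = """\
From: Dana Lee <dana.lee@examp1e-corp.com>
To: payroll@example-corp.com
Subject: Direct deposit update

Hi, I switched banks and need my direct deposit changed before payday.
If I don't get paid I won't be able to pay my bills.
"""
SAMPLE_REPLY_TO = """\
From: Dana Lee <dana.lee@example-corp.com>
Reply-To: dana.lee@gmail.com
To: payroll@example-corp.com
Subject: Payroll question

Please update my direct deposit ASAP, new details to follow.
"""
SAMPLE_BENIGN = """\
From: Dana Lee <dana.lee@example-corp.com>
To: payroll@example-corp.com
Subject: Address change

Can you send me the form to update my mailing address?
"""

if __name__ == "__main__":
    for name, sample in [("lookalike", SAMPLE_LOOKALIKE),
                         ("reply-to", SAMPLE_REPLY_TO),
                         ("benign", SAMPLE_BENIGN)]:
        print(name, triage(sample))
```

The look-alike test deliberately compares the whole domain, so `examp1e-corp.com` and `example-corp.co` are both caught, and it also catches the company name buried inside an unrelated domain. Any message that asks to change deposit details is routed to out-of-band verification whether or not it scores as suspicious, which is the “heightened scrutiny” practice the FBI recommends.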

How to protect your company

While payroll diversion scams are common and expensive, they are highly targeted, take time to execute and require a lot of research. This means that they can be prevented if you know the necessary steps to take.

Educate your employees

  • Cybercriminals target employees with access to payroll information. Provide proper training so those employees are aware of the risks and red flags. You should also implement a verification process to confirm that the employee actually requested the change: call the employee on a phone number already on file or confirm in person, and never verify by replying to the email that made the request.
  • Ensure that your company’s payroll policies and procedures are secure and not available publicly to cybercriminals. Remember, without that knowledge, hackers are unable to execute these scams.
  • Educate employees not to share personal information such as PINs, Social Security numbers, login credentials and bank account information through email or over the phone.

Use technology to your advantage

  • Implement multi-factor authentication (MFA) for email accounts, making it more difficult for hackers to gain access.
  • Incorporate secure email gateway (SEG) software so that inbound email is scanned for suspicious attachments and links. Because payroll diversion emails usually contain neither, also configure the gateway to tag messages from external senders and to flag look-alike domains.

The FBI also recommends

  • Apply heightened scrutiny to bank account changes initiated by employees seeking to update or change direct deposit credentials.
  • Monitor employee logins that occur outside normal business hours.
  • Restrict access to the Internet on systems handling sensitive information or implement two-factor authentication for access to sensitive systems and information.
  • Only allow required processes to run on systems handling sensitive information.

Instituting these policies and procedures can help prevent attacks. If your company is hit with a payroll diversion scam, contact your bank immediately and request that it recall the funds; the sooner the recall is requested, the better the chance of recovery. You should also report the fraud to the FBI and to local law enforcement. For more information, visit the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov.


About Kristin Hines

Kristin is an experienced loss prevention manager with a rich history of working in the banking industry. With over 10 years of experience, Kristin is highly skilled in fraud investigations, risk management and bank fraud. She holds a degree in management and leadership from Concordia University in Saint Paul. Kristin is a certified AML and fraud professional (CAFP). She also believes in giving back to her community and served as treasurer of the Twin Cities Organized Retail Crime Association from 2016 to 2018.
