As discussed in a previous installment of this series, Business Email Compromise (BEC) is a pervasive problem and accounts for more than $26 billion in losses, according to the FBI Internet Crime Complaint Center. BEC attacks rely on impersonation and social engineering along with the threat actor’s ability to display a credible knowledge of a target’s business practices.
Though BEC attacks display similar traits (i.e., impersonating persons the target knows and should trust), the attacks take a wide variety of forms. In this installment, we will discuss a fraud that harms not only the company but also individual employees: Payroll Diversion.
The FBI Internet Crime Complaint Center report for 2019 states that the average loss per incident of payroll diversion scams is $7,904. In that same year, the FBI recorded 467,361 complaints and more than $3.5 billion in losses to individuals and businesses.
In a Payroll Diversion fraud, threat actors employ impersonation and social engineering, and they display a credible knowledge of a company’s business and financial practices. Threat actors time payroll diversion scams to coincide with typical payroll periods, often monthly or bi-monthly.
Payroll Diversion frauds target finance, tax, payroll, and human resources employees. It is one of the simplest BEC attacks because the con has a single goal: to get new, threat actor-controlled direct deposit information recorded for the impersonated employee’s paycheck.
Scammers can impersonate individual employees identified through a simple review of a company’s website. The scammer will send an innocent-looking email message, often from a free email account. The “employee” requests to change his direct deposit information because he is changing banks.
Changing direct deposit details is a routine task that human resources and payroll personnel perform often, frequently without a second thought. The threat actor is counting on that.
BEC attackers do not limit themselves to low- or mid-level employees for payroll diversion scams. Threat actors will target executive-level employees for a bigger payday. At this level, threat actors play on the target’s fear of professional problems, such as losing a job.
Payroll diversion is not the only scam BEC threat actors perpetrate. Some scams even target an individual’s income tax refund and, in recent years, the Economic Impact Payments provided through the Coronavirus Aid, Relief, and Economic Security (CARES) Act. Prior to 2019, BEC scammers regularly targeted accounting, human resources, and payroll employees with the sole intent of conning them into sharing the highly sensitive information contained in W-2 and other employment forms. In 2019, the IRS reported that income tax threats dropped to just 2.5% of all BEC scams. But in 2020, with the entire world laser-focused on COVID-19, scammers gave it a shot again. In July 2020, the Internal Revenue Service released its “Dirty Dozen” list of scams, and phishing, payroll diversion, and W-2 theft all made the list.
IT security personnel will always remind email and data users to be vigilant about protecting highly sensitive information. When in doubt, personally verify any request to release a payment, any request to change direct deposit instructions, and any other unusual request. And since BEC scammers’ impersonation techniques are clever and often imperceptible, it is important for an organization to employ a robust email protection product. Whatever tool your organization selects, be certain it includes modifiable rules for scanning inbound communications.
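As an added illustration (not code from the original post or from any particular email protection product), the rule below scores an inbound message against the traits described above: a display name that matches a known employee but arrives from a non-corporate address, a free webmail sender domain, direct deposit or bank-change language, and urgency cues. The employee directory, domain lists, and sample messages are constructed; the score threshold is an assumption you would tune against your own mail flow.

```python
import re
from dataclasses import dataclass

# Constructed directory: display names a scammer could lift from a public website,
# mapped to the only mailbox those names should legitimately send from.
CORPORATE_DOMAIN = "example.com"
EMPLOYEE_DIRECTORY = {"jane doe": "jane.doe@example.com", "sam lee": "sam.lee@example.com"}
# Assumed starter list of free webmail domains; extend from your own telemetry.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}
DIRECT_DEPOSIT_PATTERNS = [r"direct deposit", r"\bpayroll\b", r"\bpaycheck\b",
                           r"routing number", r"account number", r"chang(e|ing) (my )?bank"]
URGENCY_PATTERNS = [r"\basap\b", r"before (the next )?pay ?(day|roll|period)", r"\burgent\b"]


@dataclass
class Message:
    from_name: str
    from_addr: str
    subject: str
    body: str


def score_payroll_diversion(msg: Message) -> tuple[int, list[str]]:
    """Return (score, reasons); each matched trait adds one point."""
    reasons = []
    domain = msg.from_addr.rsplit("@", 1)[-1].lower()
    name = msg.from_name.strip().lower()
    text = f"{msg.subject}\n{msg.body}".lower()
    # Impersonation: known employee name, but not sent from that employee's corporate mailbox.
    if name in EMPLOYEE_DIRECTORY and msg.from_addr.lower() != EMPLOYEE_DIRECTORY[name]:
        reasons.append("display name matches an employee but address is external")
    if domain in FREE_MAIL_DOMAINS:
        reasons.append(f"free webmail sender ({domain})")
    if any(re.search(p, text) for p in DIRECT_DEPOSIT_PATTERNS):
        reasons.append("direct deposit / bank change language")
    if any(re.search(p, text) for p in URGENCY_PATTERNS):
        reasons.append("urgency cue")
    return len(reasons), reasons


def should_hold_for_verification(msg: Message, threshold: int = 3) -> bool:
    """Assumed policy: three or more traits -> hold and verify out of band before acting."""
    return score_payroll_diversion(msg)[0] >= threshold


# Constructed sample messages: one matching the scam pattern, one routine internal note.
SUSPICIOUS = Message("Jane Doe", "jane.doe.1987@gmail.com", "Direct deposit update",
                     "Hi, I am changing banks and need my direct deposit moved before the next "
                     "payroll run. Can you send me the form ASAP? Thanks, Jane")
BENIGN = Message("Jane Doe", "jane.doe@example.com", "Lunch",
                 "Are we still on for lunch Thursday?")
```

Such a rule is a triage aid for the payroll team, not a verdict: a message that scores high is held until the request is confirmed with the employee through a known phone number or in person.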
Ramsey Consulting Services can help you select the right email protection tool for your organization and specifically tailor the program to fit your needs. Contact us today to learn more about BEC and how we can help.