Most companies use direct deposit to pay their employees. In the United States, for example, more than 80% of workers have their paychecks deposited directly into their personal bank accounts. This practice is providing many opportunities for cybercriminals to perpetuate their latest scam — trying to get businesses to deposit employee paychecks into their accounts.
Variations of the Direct Deposit Scam
Different variations of the direct deposit scam have been surfacing. Most recently, cybercriminals have been posing as employees.
In some instances, the digital con artists use a multi-stage attack. First, they send an email to a member of a company’s HR department asking how to change the direct deposit information for their paychecks. After the HR staff member responds and explains how to make the change, the cybercriminals wait a short while and send a second email. In it, they tell the HR staff member that they tried to make the change as instructed, but it did not work. They then ask the person to make the change for them and include the new bank routing number and account number in the email.
However, in a newer variation of a direct deposit scam, cybercriminals are posing as executive level employees, such as the CEO or CFO. They contact HR staff via email, requesting changes be made to their direct deposit information. They craft the email specifically to create a sense of urgency. They may request a change to their direct deposit information that must happen before the processing of the next payroll. If the HR employee replies and offers to help, the bad actor sends new bank routing information. The paycheck is then deposited in the cybercriminal’s account. As a result, the employee is stuck waiting for a replacement paycheck, the company is liable for the stolen funds, and the bad actor gets money for nothing.
In other instances, the cybercriminals take a more direct approach by sending a message such as:
“I need to change my direct deposit info on file before the next payroll is processed. Can you get it done for me on your end?”
If the HR rep takes the bait and agrees to make the change, the cybercriminals provide the person with the new bank routing and account numbers.
In earlier versions of the scam, the cybercriminals posed as HR staff members rather than employees. The cybercriminals sent emails to employees, instructing them to click a link. The link took the employees to a spoofed (i.e., fake) HR website, where they were asked to enter their login credentials to confirm their identity. The hackers then captured the credentials and used them to access the real HR site and change the employees’ direct deposit information.
The Same Tool
In all the versions of the direct deposit scam, the cybercriminals used the same tool to execute their attacks: spear phishing emails. These emails are similar to traditional phishing emails in that they use a convincing pretense to con recipients into performing an action. However, spear phishing emails take the scam up a notch. Cybercriminals take the time to perform reconnaissance so that they can personalize the email. When it comes to spear phishing, the more personalized the email, the less likely the target will become suspicious and question its legitimacy.
Despite being personalized, spear phishing emails often have one or more of the following common elements:
- A request to update or verify information. Spear phishing emails often ask the recipients to update or verify account information. For example, as the direct deposit scam demonstrates, the recipients might be asked to change information in financial accounts. Or, they might be asked to log in to a spoofed web page to verify account information, allowing the hackers to steal their login credentials.
- A deceptive URL. A deceptive URL is one in which the actual URL does not match the displayed linked text or web address. Deceptive links often lead to spoofed websites, where cybercriminals try to steal sensitive information or install malware.
- An attachment. Hackers sometimes attach files that contain malicious code. Opening these attachments can lead to a malware infection.
- A spoofed name in the “From” field. To trick the email recipient into thinking the message is from a trusted contact, digital con artists often spoof the name that appears in the “From” field so that it shows the contact’s name.
Don’t Let Your Employees Get Scammed
Some spear phishing email recipients fell victim to the direct deposit scam, but your employees do not have to share the same fate. Educating employees about spear phishing emails and the elements commonly found in them can help staff members spot these types of scams. Employees should also learn how to check for deceptive URLs and spoofed names in an email’s “From” field.
There are other measures you can take as well. You should make sure that employees’ names, email addresses, and job positions are not publicly available. Similarly, you should warn employees of the dangers of posting details about their jobs on social media sites. Limiting the amount of publicly available information will make it harder for cybercriminals to find the details they need to personalize the emails.
It is also important to keep the company’s security and email filtering programs up-to-date. These programs can catch many spear-phishing emails but not all. The more personalized and polished an email is, the less likely it will be caught by these programs.
More advanced solutions designed to catch spear phishing and other types of malicious emails are available. Contact us, we can help you determine whether or not that is a good option for your business.