How to Prevent Payroll Diversion Scams

Photo illustration: a paycheck about to be hooked. Caption: Don't let payroll scams phish your paycheck away!

Business email compromise (BEC) comes in many varieties. You've probably heard about BEC in the form of executive impersonation attacks, resulting in wrongful corporate wire transfers or W-2s making it into the wrong hands, but BEC is a risk for all employees, not just executives. One of the most devious ways this can happen is through a payroll diversion scam, in which attackers attempt to change an employee’s bank account information so direct deposits go to the hacker’s account instead.

These attacks can happen in a variety of ways. An attacker may impersonate the employee, either by infiltrating the employee’s account and sending an email from it, or by simply spoofing the From address — easy enough to do without any hacking if the company’s domain is not protected by email authentication.

These spoofed emails are sent to human resources or to the company’s payroll processor, which often makes the requested change without first checking with the employee.

Alternatively, cybercriminals may send emails to the employees, posing as members of HR or the technology team, in an attempt to capture their login credentials. Once they have those credentials, attackers can then use them to change the employee’s bank information.

Payroll diversion scams can cost companies thousands of dollars, and they are getting common enough that the FBI’s Internet Crime Complaint Center recently issued a warning. According to the IC3, the most-targeted industries for these scams are education, healthcare, and commercial airway transportation.

In a related BEC scam, attackers impersonate vendors and attempt to persuade a company’s accounts payable department to send payments to a new bank account — one controlled by the attackers. This scam can wind up costing the defrauded companies tens of thousands of dollars, or even millions.

You can read real-world examples of both types of BEC scams in this hair-raising Reddit thread.

Less costly but no less embarrassing is a third kind of BEC scam where attackers pose as the victim’s boss, asking him or her to purchase gift cards. While the average loss per incident for gift card scams is less than $900, these scams are increasing at an exponential rate, IC3 reports.

Chart: BEC gift card scams rising exponentially. Source: IC3

Layer Your Defenses

Here’s what you need to know in order to keep yourself (and your employees) from falling victim to one of these scams. The FBI recommends a series of procedural guidelines aimed at teaching end-users to be more wary:

  • Educate your workforce about these kinds of scams, so they know to be on the lookout.
  • Tell people not to supply login credentials or personally identifiable information (PII) in response to emails. Follow up via Slack, phone call, or in person.
  • Apply extra checks to bank information and bank change requests.
  • Be wary of any sudden changes in business or personal practices from your coworkers.

The above recommendations require employees to remain aware and informed at all times. While training is important, an effective anti-phishing defense should also include technical measures that can reduce the risk of BEC attacks without relying on end users:

  • Implement email authentication with DMARC, SPF, and DKIM on all the domains your company owns, so that only authorized senders are able to send messages from these addresses.
  • Ensure that your domains’ DMARC policies are set to enforcement (p=quarantine or p=reject), a setting that directs unauthorized mail into spam folders or rejects it entirely.
  • Ensure that your mail server or mail gateway is checking the DMARC authentication status for incoming messages.
  • Implement multi-factor authentication (MFA) for email and other employee accounts, to mitigate the risk of account compromise.
  • Install and use secure email gateway (SEG) software to scan incoming email for suspicious content (attachments and links).
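The two DMARC items above, "set the policy to enforcement" and "check DMARC on inbound mail," are easy to state and easy to get subtly wrong (p=none, pct below 100, or a subdomain policy of none all leave gaps). The following script is an added example written for this post, not Valimail's code or tooling: it parses DMARC TXT records, reports whether each is actually at enforcement and why not, and reads the dmarc= verdict that a receiving gateway records in the Authentication-Results header. All records and headers are constructed sample values embedded inline; a real check would fetch the TXT record at _dmarc.<domain> over DNS, which is left out so the example runs offline.

```python
"""Assess DMARC records for enforcement and read inbound DMARC verdicts.

Added example, not the original post's or Valimail's code. All domains,
records and headers below are constructed samples, not real DNS data.
"""
import re
from typing import Optional

# Constructed sample DMARC TXT records (what would be published at _dmarc.<domain>).
SAMPLE_RECORDS = {
    "example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "example.net": "v=DMARC1; p=quarantine; pct=20; rua=mailto:dmarc@example.net",
    "example.org": "v=DMARC1; p=reject; sp=none; adkim=s; aspf=s; rua=mailto:dmarc@example.org",
    "example.edu": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.edu",
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into a tag -> value dict (tags are ';'-separated).

    Raises ValueError for records that are not DMARC or lack a p= policy.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= policy tag")
    return tags


def assess_policy(record: str) -> dict:
    """Classify a record as enforcement or monitoring and list any weaknesses."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))          # defaults to 100% per the spec
    subdomain_policy = tags.get("sp", policy).lower()  # sp= defaults to p=
    findings = []
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if policy != "none" and subdomain_policy == "none":
        findings.append("sp=none leaves subdomains open to spoofing")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    enforcement = policy in ("quarantine", "reject") and pct == 100
    return {"policy": policy, "enforcement": enforcement, "findings": findings}


# Constructed inbound headers: one where the gateway evaluated DMARC (folded
# across two lines, as real headers often are) and one where it did not.
SAMPLE_HEADERS_CHECKED = """Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com;
\tdkim=none; dmarc=fail (p=reject) header.from=example.com
From: "Pat Employee" <pat@example.com>
To: payroll@example.com
Subject: Updated direct deposit information
"""
SAMPLE_HEADERS_UNCHECKED = """From: "Pat Employee" <pat@example.com>
To: payroll@example.com
Subject: Updated direct deposit information
"""

DMARC_VERDICT_RE = re.compile(r"\bdmarc=(pass|fail|none|temperror|permerror)\b", re.I)


def unfold_headers(raw: str) -> list:
    """Join RFC 5322 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def inbound_dmarc_result(raw_headers: str) -> Optional[str]:
    """Return the dmarc= verdict from Authentication-Results, or None if the
    gateway recorded no DMARC evaluation at all (the gap the post warns about)."""
    for line in unfold_headers(raw_headers):
        if line.lower().startswith("authentication-results:"):
            match = DMARC_VERDICT_RE.search(line)
            if match:
                return match.group(1).lower()
    return None


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = assess_policy(record)
        status = "ENFORCEMENT" if result["enforcement"] else "NOT ENFORCED"
        print(f"{domain}: p={result['policy']} -> {status}; {'; '.join(result['findings']) or 'ok'}")
    print("inbound (checked):  ", inbound_dmarc_result(SAMPLE_HEADERS_CHECKED))
    print("inbound (unchecked):", inbound_dmarc_result(SAMPLE_HEADERS_UNCHECKED))
```

Running it shows only example.edu as fully enforced; example.org is enforced for the organizational domain but flagged for sp=none, and example.net's pct=20 means four out of five spoofed messages would still be delivered. A None result from inbound_dmarc_result is itself a finding: it means the gateway never evaluated DMARC, so a sender's enforcement policy is not being honored on your side.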

What If Your Company Is Hit With a BEC Scam?

Finally, if your company does fall victim to BEC fraud, the IC3 recommends acting quickly:

  • First, contact your financial institution and request that they recall the funds.
  • Second, report the fraud to your local FBI office, and possibly also local law enforcement.
  • Third, file a complaint with bec.ic3.gov. The IC3 may be able to help recovery efforts.

Note that attackers use a wide variety of strategies, and that there is no single silver bullet that will protect you against all BEC attacks at all times. However, it makes sense to prioritize a defense against the most common attacks.

As the FBI and other sources have noted, spoofing and impersonation are the most common phishing techniques, and attackers are well aware of which domains can easily be spoofed and which ones are protected. Which do you think they’re going to target first?

Email authentication at enforcement can stop the most potent forms of spoofing and impersonation used in these attacks. For more information on how you can protect your company against BEC attacks, read our free white paper: Executive FAQs on Email Authentication.

Dylan Tweney is the head of communications for Valimail.