Direct Deposit Scams: A Growing Phishing Threat to Businesses

Online and email scams are not new, but the ways in which bad actors perpetrate cybersecurity breaches are continually evolving. There are several types of fraudulent activity that affect payroll departments: deliberate worker misclassification by employers, pay rate alteration by malicious insiders, creation of “ghost” employee profiles, and direct deposit scams, which we focus on in this article.

What is a direct deposit scam?

A direct deposit scam, also called a payroll diversion scam, involves phishing emails that target a company’s HR functions—including HR and payroll managers—and is costing companies a lot of money and time.

This scam is rendered via a fraudulent email that is generated to look like a typical direct deposit bank change request. It appears to come from an employee to the human resources or payroll department, requesting a bank change for their paycheck direct deposit. The more sophisticated direct deposit scams address the correct person at the company directly as well.

How direct deposit or payroll diversion scams are implemented

The spoofers establish an email address using the real employee’s name and display name in the messages. At a glance, the email looks “real.” The cyberthief may ask for a company’s direct deposit change form or may include a completed form with the email, having located it online. The unwitting person in charge of direct deposits changes the bank routing number according to the request, which sends the affected paychecks to the scammer’s account. The employee is not paid timely and the employer is out the stolen money, which it must replace.

Payroll diversion emails usually have a sense of urgency about them (“must be done before …” “need this in time for …”) as well as something that personalizes the phishing email further. They are designed to invite the HR manager or payroll manager to help the employee as promptly as possible.

Increased working from home increases the threat

More employees working from home (WFH) means they are conducting more business over email rather than walking down the hall at the office. This increased WFH environment is making it easier for scammers to execute this cybersecurity threat. After all, human resource managers get many legitimate requests by email from employees, such as arranging paid time off or vacations. A bogus change request for their direct-deposit paycheck can be easily overlooked—especially as spoofing capabilities improve all the time.

Who is doing the payroll phishing?
Bad actors who engage in this payroll phishing scam may be a former employee who knows the inner workings and personnel of your company. The phishing may come from an external party through a data breach of your computing network. Or it could be someone who takes the time to research your organization and figures out who handles payroll and processes the direct deposit change requests. Creating the fake email is the easy part!

How to combat direct deposit scams

  • Training: The importance of employee training cannot be overstated. There are training programs to help your team more readily identify email phishing scams of all kinds, from executive spoofing to payroll scams. These trainings should be part of your standard operating procedures to keep up with savvy cybercriminals. Also, remind employees that they should remain vigilant and not respond to any suspicious emails; nor should they ever send sensitive, confidential information by email to anyone.
  • Policies and processes: Make sure to include a cyber policy and processes in your employee handbook. Your staff should be aware of and follow them in case of a breach, including what notices need to be given. Review these periodically to ensure they are current with evolving threats and update them as needed.
  • Proactive measures: Be wary of any requests coming to you through email. Always check the sender’s email address and verify this is someone who works for your company, with an established and exact email address you have on file.
  • If you aren’t certain the direct deposit bank change request is legitimate, call the employee on a known phone number to check it out.
  • Notify your HR or payroll manager and/or payroll provider if the request is not legitimate.

How CHR helps avoid direct deposit scams

CHR works very hard to protect clients. We can help your team draft cyber policies and procedures to protect your organization against nefarious phishing scams and leverage the power of our third-party partners to assist on the cybersecurity side for you.

We also encourage our clients to have their employees use our secure employee portal which encrypts emails. Your staff can manage and make direct deposit change requests there, providing a layer of protection for all parties. CHR uses multi-factor authentication to verify registered users’ identities and our technology meets the most stringent cybersecurity standards to prevent email spoofing scams from occurring. In short, our protocols are designed to mitigate the risk of cyber threats for our clients.

If one of our clients falls prey to the direct deposit change request scam, we will notify the bank(s) about this fraud and create a paper trail detailing efforts. We may also work with government or state agencies depending on the amount of money involved. Our services are used by 80,000 organizations and we handle $2 billion in payroll wages annually—so we’re always integrating new technologies to safeguard those payroll dollars and the companies we serve.

Contact CHR USA and keep out the scammers

We’re here to help your team avoid direct deposit and other email and payroll scams that will cost your organization precious money and time or incur legal action. Reach out to your account specialist or for more information.