Beware of New Phishing Scam: Diverting Employees’ Payroll Direct Deposits

Phishing Scams

Beware of payroll direct deposit phishing attacks! Employees receive an email that appears to come from a trustworthy company, prompting them to provide an e-signature or complete a survey. The attackers use this pretext to trick you into handing over sensitive information such as your email login, which gives them access to your payroll portal and lets them redirect payments to another account. On payday you are left wondering what happened to your paycheck, and by the time you find out where it went, it is too late.

Companies are experiencing a wave of phishing scams that target employee paychecks. Here is the scenario: an employee receives, at a company e-mail account, an e-mail that mimics a familiar and trusted company service or resource, such as an e-signature request or a request to complete a survey. The e-mail asks the employee to click a link, visit a website, or answer a few questions, and then directs the employee to “confirm” his or her identity by entering his or her complete log-in credentials. Skeptical employees who question the request via reply e-mail receive a prompt response purporting to verify that the employee should complete the steps contained in the link. The threat actors then use the employee’s log-in credentials to access payroll portals, reroute direct deposits to other accounts, and wreak other havoc upon the employer’s network. In some versions of the scam, the attackers use their access to the employee’s e-mail to request a password change from the employer’s payroll service and then use the new log-in credentials to change the direct deposit instructions.

The threat actors are doing substantial due diligence on the social engineering side of things, and these e-mails look real. In many circumstances, they are effectively spoofing the sender’s account, and employers are learning of the scam when employees begin reporting that they did not receive their direct deposits. By then, the damage has been done.
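Because employers typically learn of the diversion only after payday, the practical control is to catch a direct deposit change before the next payroll run. The following is an added example, not code from the original post or from any payroll product: it scans constructed payroll-portal audit events (an assumed event format) and flags any direct deposit change that closely follows a password reset or comes from an address the employee has not used before, so the change can be held for out-of-band confirmation with the employee.

```python
from datetime import datetime, timedelta

# Constructed sample audit events: (timestamp, user, action, source_ip).
# The action names are an assumed format, not any real payroll product's log.
SAMPLE_EVENTS = [
    ("2024-03-04T08:02:00", "alice", "login", "10.0.0.12"),
    ("2024-03-04T08:05:00", "alice", "direct_deposit_change", "10.0.0.12"),
    ("2024-03-05T22:41:00", "bob", "password_reset", "198.51.100.7"),
    ("2024-03-05T22:44:00", "bob", "login", "198.51.100.7"),
    ("2024-03-05T22:47:00", "bob", "direct_deposit_change", "198.51.100.7"),
    ("2024-03-06T09:15:00", "carol", "login", "10.0.0.33"),
    ("2024-03-06T09:20:00", "carol", "direct_deposit_change", "203.0.113.9"),
]

# Assumed baseline of source addresses each employee normally uses (constructed).
KNOWN_IPS = {"alice": {"10.0.0.12"}, "bob": {"10.0.0.21"}, "carol": {"10.0.0.33"}}


def flag_deposit_changes(events, known_ips, reset_window_hours=72):
    """Return (user, timestamp, reasons) for every direct deposit change that
    either follows a password reset within reset_window_hours or originates
    from an address not in the employee's baseline. Both patterns match the
    scam described above: stolen or freshly reset credentials, used from
    the attacker's own connection, to reroute the deposit."""
    window = timedelta(hours=reset_window_hours)
    last_reset = {}  # user -> time of most recent password reset seen so far
    findings = []
    # ISO-8601 timestamps sort correctly as strings, so this orders events in time.
    for ts_text, user, action, ip in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        if action == "password_reset":
            last_reset[user] = ts
            continue
        if action != "direct_deposit_change":
            continue
        reasons = []
        if user in last_reset and ts - last_reset[user] <= window:
            reasons.append(f"change within {reset_window_hours}h of a password reset")
        if ip not in known_ips.get(user, set()):
            reasons.append(f"change from unrecognised address {ip}")
        if reasons:
            findings.append((user, ts_text, reasons))
    return findings


if __name__ == "__main__":
    for user, ts, reasons in flag_deposit_changes(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"HOLD direct deposit change for {user} at {ts}: {'; '.join(reasons)}")
```

In the constructed data, alice's change from her usual address is left alone, bob's is flagged on both counts, and carol's is flagged only for the unfamiliar address; a held change should then be confirmed with the employee by phone or in person, never by replying to the e-mail that requested it.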

In addition to diverting funds, the scam creates a data breach for the employer and triggers notification obligations. Failure to take prompt action may result in penalties and liability to unsuspecting employers.
