HR and Finance Employees/Managers Targeted in New Scams
Heads up: In recent months, a number of federal agencies — including the FBI and IRS — are warning employers about new scams targeting employees’ direct deposit, W-2 and I-9 information. And these scams have wreaked havoc on scores of companies.
Here are three of the most problematic scams HR pros need to be aware of:
- Direct deposit information
The most recent warning for employers came from the FBI. It involves a phishing scam in which cybercriminals attempt to get employees to unwittingly provide the scammer access to the company’s self-service payroll platform.
In the version of the scam HR pros will be most interested in, a person pretending to be from the company’s HR department sends an email asking an employee to click on a link provided in the email and log into their self-service account.
The scammer will claim the employee must do this in order to:
- view a confidential email from HR
- view changes to the employee’s account, or
- confirm that the account should not be deleted.
However, when the employee clicks on the link and enters the requested login details, they are actually handing the scammer access to their self-service account, including their W-2 and pay stub information. The scammer can then change the employee’s direct deposit instructions, and prevent detection by changing the email address used to notify the employee that such changes were made.
Scammers may also change an employee’s passwords or other necessary credentials to keep the fraud from being discovered for as long as possible. In many cases, employers aren’t aware of anything until they hear from workers that their wages aren’t being deposited.
To prevent falling victim to this scam, the FBI is warning employers to:
- Train employees to watch for phishing attacks and suspicious malware links. Checking the actual e-mail address rather than just looking at the display name can be crucial to spotting the attack early.
- Require two-factor authentication on HR self-service platforms. For example, users can be required to enter a second password that is e-mailed to them or a code from a hardware token.
- Set up alerts on self-service platforms for administrators so that unusual activity can be caught before money is lost. Alerts can be triggered, for example, when banking information is changed to the kind of online bank accounts typically used by fraudsters.
- Set a time delay between when direct deposit information is changed in the self-service portal and the actual deposit of funds into the new account to decrease the chance of the theft of funds.
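The last two recommendations can be illustrated with a small detection script. This is an added example, not code from the article or the FBI notice; it assumes a hypothetical payroll-platform audit log with a fixed set of event names, and a five-day hold period chosen for illustration only. It flags the pattern the article describes (a direct deposit change paired with a change to the notification e-mail or password) and refuses a payout to new bank details that have not aged past the hold period.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Hold between a direct-deposit change and the first payout to the new account.
# The article only says "a time delay"; five days is an assumed value.
HOLD_PERIOD = timedelta(days=5)


@dataclass
class AuditEvent:
    """One hypothetical self-service audit record (event names are assumed)."""
    ts: datetime
    employee: str
    action: str   # "direct_deposit_changed", "notify_email_changed", "password_changed"
    src_ip: str


def correlate_alerts(events: Iterable[AuditEvent], window=timedelta(hours=24)):
    """Return (employee, change time, cover actions) for each direct-deposit change
    that has a notification-e-mail or password change within `window` of it."""
    by_emp = {}
    for e in events:
        by_emp.setdefault(e.employee, []).append(e)
    alerts = []
    for emp, evs in by_emp.items():
        deposits = [e for e in evs if e.action == "direct_deposit_changed"]
        covers = [e for e in evs if e.action in ("notify_email_changed", "password_changed")]
        for d in deposits:
            near = sorted({c.action for c in covers if abs(c.ts - d.ts) <= window})
            if near:
                alerts.append((emp, d.ts, near))
    return alerts


def payout_allowed(change_ts: datetime, payroll_ts: datetime) -> bool:
    """True only if the new bank details are older than HOLD_PERIOD at payroll time."""
    return payroll_ts - change_ts >= HOLD_PERIOD


# Constructed sample events (not real data): alice's change is immediately followed by
# a notification e-mail change; bob's password change is three days later.
SAMPLE = [
    AuditEvent(datetime(2019, 3, 1, 9, 0), "alice", "direct_deposit_changed", "203.0.113.7"),
    AuditEvent(datetime(2019, 3, 1, 9, 2), "alice", "notify_email_changed", "203.0.113.7"),
    AuditEvent(datetime(2019, 3, 1, 10, 0), "bob", "direct_deposit_changed", "192.0.2.10"),
    AuditEvent(datetime(2019, 3, 4, 8, 0), "bob", "password_changed", "192.0.2.10"),
]
PAYROLL_RUN = datetime(2019, 3, 4, 0, 0)

if __name__ == "__main__":
    for emp, ts, actions in correlate_alerts(SAMPLE):
        print(f"ALERT {emp}: direct deposit changed at {ts} alongside {actions}")
    print("alice payout allowed:", payout_allowed(SAMPLE[0].ts, PAYROLL_RUN))
```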