
ACH Fraud: How to Prevent It


[Last Updated: Aug. 4, 2021]

ACH fraud and direct deposit scams have become prevalent over the last few years. Payment fraud continues to rise and shows no signs of decreasing, with 47% of companies hit by attempted or actual fraud in the last 24 months, according to PwC’s 2020 Global Economic Crime and Fraud Survey.

Fraudsters are targeting HR and payroll professionals within businesses of all types by convincing them to swap out an employee’s direct deposit banking information for an offshore or pay card account. When the scam succeeds, the funds are routed to the criminal, your business is on the hook for replacing the stolen funds, and your employee faces the inconvenience of a late paycheck.

More often than not, the fraudsters impersonate an organization’s high-level employees, such as the C-suite, but employees at all levels are impersonated too.

At first glance, the phishing emails look legitimate, almost as though they are coming from the CEO, CFO, or payroll professional, and typically say something casual like, “I need to update [X employee’s] direct deposit information.” Since such requests are routine for an HR professional, they can be hard to detect as fraud.

Here are 4 ways to protect your business against wire fraud:

1) Verify all emailed direct deposit change requests in person or over the phone with the employee directly, using contact details you already have on file. DO NOT verify by replying to the email: the reply goes back to whoever sent the request, which may be the fraudster.

2) Strongly encourage your employees to use employee self-service through your payroll provider (if available) to update their own information, so that changes never need to be requested by email.

3) Run an audit report and examine unusual direct deposit changes, such as a change requested by email that was never confirmed out of band, or the same destination account appearing for more than one employee. Contact your support specialist if you need assistance with this.

4) Consult with your IT professional to ensure the proper security measures are in place.
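As an added illustration of the audit in step 3, here is example code written for this page (not from the original post or from any payroll provider) that runs three checks over a constructed direct deposit change report: an emailed request with no out-of-band confirmation, one destination account shared by several employees, and a burst of changes inside a short window. The record layout, the employee ids and account labels, and the burst thresholds are all assumptions; adapt the field names to whatever your provider's report actually exports.

```python
from datetime import datetime, timedelta

# Constructed sample records (made-up employee ids and account labels), shaped
# like the rows a payroll provider's direct deposit change report might export.
CHANGES = [
    {"employee": "E101", "new_account": "bankA:1001", "when": "2021-07-28T09:12:00",
     "channel": "self-service", "verified_out_of_band": True},
    {"employee": "E102", "new_account": "bankB:9001", "when": "2021-07-29T16:40:00",
     "channel": "email", "verified_out_of_band": False},
    {"employee": "E103", "new_account": "bankB:9001", "when": "2021-07-29T16:55:00",
     "channel": "email", "verified_out_of_band": False},
    {"employee": "E104", "new_account": "bankA:1004", "when": "2021-07-30T08:05:00",
     "channel": "phone", "verified_out_of_band": True},
]

# Assumed thresholds for the "burst" heuristic; tune them to your payroll size.
BURST_WINDOW = timedelta(hours=24)
BURST_COUNT = 3


def audit_direct_deposit_changes(changes, burst_window=BURST_WINDOW,
                                 burst_count=BURST_COUNT):
    """Return {employee_id: [reasons]} for every change that looks unusual.

    Three heuristics are applied:
      1. the change was requested by email and never confirmed in person or by phone;
      2. the new destination account is shared by more than one employee;
      3. the change belongs to a cluster of `burst_count` changes inside `burst_window`.
    """
    findings = {}

    def flag(employee, reason):
        findings.setdefault(employee, []).append(reason)

    # Rule 1: emailed request with no out-of-band verification.
    for c in changes:
        if c["channel"] == "email" and not c["verified_out_of_band"]:
            flag(c["employee"], "email request not verified in person or by phone")

    # Rule 2: one destination account, several employees.
    by_account = {}
    for c in changes:
        by_account.setdefault(c["new_account"], []).append(c["employee"])
    for account, employees in by_account.items():
        if len(employees) > 1:
            for e in employees:
                others = sorted(set(employees) - {e})
                flag(e, f"destination account {account} shared with {others}")

    # Rule 3: a cluster of changes in a short window (each employee flagged once).
    timeline = sorted((datetime.fromisoformat(c["when"]), c["employee"]) for c in changes)
    already = set()
    for i, (start, _) in enumerate(timeline):
        window = [e for t, e in timeline[i:] if t - start <= burst_window]
        if len(window) >= burst_count:
            hours = int(burst_window.total_seconds() // 3600)
            for e in window:
                if e not in already:
                    already.add(e)
                    flag(e, f"{len(window)} changes within {hours}h")

    return findings


if __name__ == "__main__":
    for employee, reasons in audit_direct_deposit_changes(CHANGES).items():
        print(employee)
        for reason in reasons:
            print("   -", reason)
```

On the constructed data, E101 (self-service, confirmed) produces no finding, E102 and E103 trip all three rules, and E104 is flagged only because it falls inside the same 24-hour cluster; every flagged change is one to confirm with the employee before the next payroll run.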


Bonus: try these 5 tips for better email security practices:

Tip 1) Do not click on links or attachments from senders that you do not recognize. Be especially wary of .zip or other compressed or executable file types.

Tip 2) Do not provide sensitive personal information (like usernames and passwords) over email.

Tip 3) Watch out for email senders that use suspicious or misleading domain names. Oftentimes, a fraudulent email is sent from a domain that looks almost identical to your organization’s domain, but with very subtle misspellings (a dropped or swapped letter, or a look-alike pair such as “rn” in place of “m”) to trick the eye at first glance. Read carefully!

Tip 4) Be especially cautious when opening attachments or clicking links in an email that carries a warning banner indicating it originated from an external source.

Tip 5) Set up 2-Step verification for your email account and encourage your employees to do the same. Most email providers offer 2-Step verification as a security option.
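The domain check in Tip 3 can be automated on the receiving side. The following is example code written for this page (not from the original post or from any mail product) that classifies a sender's domain against the organization's own domain: exact or subdomain matches are internal, the organization's domain buried inside another registrable domain is flagged, common character substitutions are undone before comparison, and anything within a small edit distance is reported as a look-alike. The organization domain, the substitution table, the naive two-label "registrable domain" rule and the distance threshold are all assumptions for the example.

```python
import unicodedata

ORG_DOMAIN = "example-payroll.com"  # assumed organization domain for the example

# Substitutions commonly used to imitate letters in a domain (constructed table).
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(domain):
    """Lower-case, drop accents and non-ASCII letters, undo look-alike substitutions."""
    ascii_only = (unicodedata.normalize("NFKD", domain.lower())
                  .encode("ascii", "ignore").decode())
    for fake, real in HOMOGLYPHS.items():
        ascii_only = ascii_only.replace(fake, real)
    return ascii_only


def levenshtein(a, b):
    """Edit distance between two strings (insertions, deletions, substitutions)."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def registrable(domain):
    """Naive registrable domain: the last two labels. This is an assumption for the
    example; production code should consult the public suffix list (e.g. .co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def classify_sender_domain(sender_domain, org_domain=ORG_DOMAIN, max_distance=2):
    """Return 'internal', 'external', or a 'lookalike: ...' verdict."""
    sender = sender_domain.lower().rstrip(".")
    org = org_domain.lower()
    if sender == org or sender.endswith("." + org):
        return "internal"
    # e.g. example-payroll.com.mail-relay.net: our name used as a subdomain elsewhere
    if org in sender:
        return "lookalike: organization domain embedded in another domain"
    base = registrable(sender)
    if normalize(base) == normalize(org):
        return "lookalike: character substitution"
    distance = levenshtein(normalize(base), normalize(org))
    if distance <= max_distance:
        return f"lookalike: edit distance {distance}"
    return "external"


if __name__ == "__main__":
    # Constructed sender domains, as they might appear in a From: header.
    for d in ["hr.example-payroll.com", "exarnple-payroll.com", "example-payrol.com",
              "example-payroll.com.mail-relay.net", "example-payr0ll.com", "gmail.com"]:
        print(f"{d:40} {classify_sender_domain(d)}")
```

A verdict of "lookalike" is a reason to add a warning banner or quarantine the message for review, not proof of fraud by itself; the edit-distance threshold trades false positives against misses and should be tuned to how short or generic your own domain is.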
