Business email compromise (BEC) scammers send a spoofed email to the HR department asking it to change an employee's direct deposit information so that the monthly salary paycheck is diverted to a fake account controlled by the scammers. These fraudsters carry out such payroll diversion scams through social engineering techniques.
How does this work?
“From this point, the threat actor will be thinking on their feet to a certain extent; their main aim is to avoid being directed to any online third-party HR solution that would require access details they do not possess,” James Linton of Agari explained in a blog.
“It should also be noted that the threat actors are not fazed by being asked to provide a voided check displaying the new account's details, and have successfully provided these when requested of them,” Linton wrote.
Real case scenario
Recently, an individual named Sumit Kumar described this type of scam on Twitter.
“It all started with a friend searching for an apartment on the German website @Immobilienscout. To verify his identity and income he had to upload his ID and the last two income reports from his employer - standard practice in German apartment hunting,” Sumit tweeted.
It looks like his friend uploaded his ID card and income reports containing personal information such as name, employee number, employer name, signature, account number, employment, salary, and banking details.
The cybercriminals used these details to send a fax to the HR department requesting a change to the employee's payroll direct deposit account, so that the paycheck would be sent to a different account owned by the fraudsters. No suspicions were raised because all the data the scammer provided was legitimate, so HR updated the account and diverted two paychecks to the fraudulent account.
To avoid this kind of scam, Linton advises all organizations to evaluate their current processes for updating payroll details.
“If a two-factor online system is not being used, we recommend ensuring an element of human contact is established before completion of the request, in addition to checking that the email address is from a legitimate source,” Linton said.