BEC scammers involved in diverting employee’s paycheck to an unauthorized account

  • BEC scammers are attempting to trick HR staff into changing employees’ direct deposit information to divert monthly salary to a fraudulent account.
  • These fraudsters carry out payroll diversion scams through social engineering techniques.

Business email compromise (BEC) scammers send a spoofed email to the HR department asking it to change an employee's direct deposit information so that the monthly salary payment lands in an account controlled by the scammers. These fraudsters carry out such payroll diversion scams through social engineering techniques.

How does this work?

  • The BEC scammers first set up a temporary fake email account using the details of the employee they intend to impersonate.
  • They then email the HR department from that account, posing as the employee, asking HR to change the payroll direct deposit account on file and enquiring about the process required to do so.
  • HR then asks for a voided check displaying the routing and account number.
  • This does not deter the scammers. They continue their social engineering and have the account details updated successfully.

“From this point, the threat actor will be thinking on their feet to a certain extent; their main aim is to avoid being directed to any online third-party HR solution that would require access details they do not possess,” James Linton of Agari explained in a blog.

“It should also be noted that the threat actors are not fazed by being asked to provide a voided check displaying the new account's details, and have successfully provided these when requested of them,” Linton wrote.

Real case scenario

Recently, an individual named Sumit Kumar described this type of scam on Twitter.

“It all started with a friend searching for an apartment on German website @Immobilienscout. To verify his identity and income he had to upload his ID and the last two income reports from his employer - standard practice in German apartment hunting,” Sumit tweeted.

It looks like his friend uploaded his ID card and income reports containing personal information such as name, employee number, employer name, signature, account number, employment, salary, and banking details.

The cybercriminals used these details to send a fax to the HR department requesting a change to the employee's payroll direct deposit account so that the paycheck would go to an account owned by the fraudsters. No suspicions were raised because all the data the scammers provided was legitimate, so HR updated the account and two paychecks were diverted to the fraudulent account.

To avoid this type of scam, Linton advises all organizations to evaluate their current processes for updating payroll details.

“If a two-factor online system is not being used, we recommend ensuring an element of human contact is established before completion of the request, in addition to checking that the email address is from a legitimate source,” Linton said.
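The verification advice above, turned into a check an HR mailbox or ticketing workflow could run before a direct-deposit change is completed. This is an added example, not code from the original article, from Agari, or from the case described; the corporate domain, the employee directory, and the sample messages are constructed for illustration. It flags the signs of a spoofed request (sender outside the corporate domain, a known employee's display name on an unknown address, a Reply-To that redirects the conversation) and, whatever the flags say, points HR at the phone number already on file for the employee rather than at anything in the message.

```python
"""Triage of payroll direct-deposit change requests before HR acts on them.

Added example: the checks encode the article's advice (confirm the address
is legitimate, then establish human contact) and nothing more. All names,
domains and directory entries below are constructed.
"""
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import Optional

# Assumptions (constructed): the organisation's own mail domain(s) and the
# directory HR already holds, mapping each employee's name to the address
# and phone number on file.
CORPORATE_DOMAINS = {"example.com"}
DIRECTORY = {
    "jane doe": {"email": "jane.doe@example.com", "phone": "+1-555-0100"},
}

# Phrases that mark a message as a payroll/direct-deposit change request.
PAYROLL_KEYWORDS = ("direct deposit", "routing number", "account number", "payroll")


@dataclass
class Triage:
    is_payroll_change: bool
    risk: str                                  # "standard" or "high"
    reasons: list = field(default_factory=list)
    callback_phone: Optional[str] = None       # number on file, never one from the message


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage_request(headers: dict, body: str) -> Triage:
    """Classify an incoming request and say how HR should verify it.

    The outcome is always "verify by human contact using the directory";
    the checks only decide how loudly the request is flagged.
    """
    lowered = body.lower()
    if not any(k in lowered for k in PAYROLL_KEYWORDS):
        return Triage(is_payroll_change=False, risk="standard")

    display_name, from_addr = parseaddr(headers.get("From", ""))
    from_addr = from_addr.lower()
    reasons = []

    # 1. The sending address must belong to a corporate domain.
    if _domain(from_addr) not in CORPORATE_DOMAINS:
        reasons.append(f"sender domain '{_domain(from_addr)}' is not a corporate domain")

    # 2. A familiar display name on an unfamiliar address is the classic spoof.
    record = DIRECTORY.get(display_name.strip().lower())
    if record and record["email"] != from_addr:
        reasons.append(
            f"display name '{display_name}' matches an employee but the address "
            f"is {from_addr}, not {record['email']}"
        )

    # 3. A Reply-To that differs from From steers replies somewhere else.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower() != from_addr:
        reasons.append(f"Reply-To '{reply_to}' differs from From")

    # 4. Out-of-band contact comes from the directory, never from the message.
    if record is None:
        record = next((r for r in DIRECTORY.values() if r["email"] == from_addr), None)
    phone = record["phone"] if record else None
    if phone is None:
        reasons.append("no employee on file matches this sender; escalate")

    return Triage(True, "high" if reasons else "standard", reasons, phone)


if __name__ == "__main__":
    # Constructed sample: a known employee's name on a free-mail address.
    sample = {"From": "Jane Doe <jane.doe.payroll@mail.example>"}
    print(triage_request(sample, "Please update my direct deposit to the attached account."))
```

The same rule covers the faxed request in the case above: a correct name, employee number and signature on the fax prove nothing, so HR calls the employee back on the number already on file, not one printed on the fax, before the change is completed. A request that passes every check still gets the callback, because a genuine corporate address may itself be compromised.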