Phishing scams have been around since the Internet began, tricking people into giving sensitive information or money to fraudsters posing as well-meaning citizens or even as someone from work. Now, with the rise of social media and personal data more readily available, fraudsters are using more sophisticated methods.
In a new phishing method, which the IRS warned about late last year, scammers are devastating businesses by infiltrating their payroll systems. The fraud is growing because it easily bypasses existing technical controls while taking sums of money that are too small to be noticed at the time or that may even be folded into the cost of doing business.
Faking It to Make It
Executed through a series of emails, the phishing scam aims to obtain direct deposit information from banks and businesses in order to gain access to funds or hold the information for ransom for even more money.
The emails look legitimate at first glance and usually arrive two or three times a month in selected targets’ inboxes. The goal is to reroute an employee’s paycheck by direct deposit. The scammer behind the fraud tries to convince someone, usually in human resources, to change the bank account and routing information the employee has on file. Once the paycheck is routed to a criminal’s account, the company is responsible for replacing the stolen funds, which delays the employee’s paycheck.
The fake emails are usually well written and professional, lacking the misspellings, grammar mistakes, and exclamation points that software usually detects and uses to flag a message as spam.
The scam doesn’t only get past email controls; it also bypasses the wire fraud warnings that companies may already send out to their employees. Scammers aren’t asking for money or an invoice transfer. Instead, they’re asking to change a bank account number, which then directs the money to them for the next paycheck cycle.
Fighting Back
To combat the threat, training focuses on the fact that a higher-up, like a CFO or CEO, would never arbitrarily email someone in payroll or HR about redirecting a direct deposit. Higher-ups are typically the persona that scammers take on, trying to convince the person they email that their request is of the utmost importance.
If someone receives such an email, they should automatically call the person it claims to come from to check whether they really did make that request. In fact, any request of this kind should be confirmed in multiple ways. There is also what’s known as natural language processing, which analyzes the language used in incoming emails to test for urgency. From there, suspicious emails are flagged, especially if they’re coming in from new email addresses.
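A simplified version of the screening described above, as an added example that is not from the original article. Keyword patterns stand in for a natural language processing model, and the sender directory, patterns, and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: payroll keeps the address each employee has written from before.
KNOWN_SENDERS = {"dana reyes": "dana.reyes@example.com"}

DEPOSIT = re.compile(r"\b(direct deposit|routing number|bank account)\b", re.I)
CHANGE = re.compile(r"\b(change|update|switch|replace|new)\b", re.I)
URGENCY = re.compile(r"\b(urgent|asap|immediately|right away|today)\b", re.I)

def score_message(raw):
    """Return the list of signals found in one plain-text email."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    signals = []
    if DEPOSIT.search(text) and CHANGE.search(text):
        signals.append("deposit-change")
    if URGENCY.search(text):
        signals.append("urgency")
    if KNOWN_SENDERS.get(name.strip().lower()) != addr.lower():
        signals.append("new-sender")
    return signals

def triage(raw):
    """deliver: no action; verify: confirm by phone; flag: hold and confirm."""
    signals = score_message(raw)
    if "deposit-change" not in signals:
        return "deliver"
    return "flag" if len(signals) > 1 else "verify"

# Constructed sample messages (not real mail).
SPOOFED = """From: Dana Reyes <dana.reyes.office@mail.example.net>
Subject: Direct deposit update

I changed banks. Please update my direct deposit to the new bank account
today so it is in place for the next pay cycle.
"""
ROUTINE = """From: Dana Reyes <dana.reyes@example.com>
Subject: Direct deposit

Please change my direct deposit to my new bank account next month.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("routine", ROUTINE)):
        print(label, triage(raw), score_message(raw))
```

Even the routine request from a known address comes back as "verify", matching the advice that every request of this kind is confirmed by phone; the extra signals only decide which messages are held first.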
For banks, it is important to have a level of protection, such as insurance for banks, against both financial and reputational damage. Options such as cyber liability are available to protect a bank following a scam of any kind and any size. Insurance for banks can help a financial institution in the wake of a scam like this, covering whatever was lost and helping with additional services, including working with authorities and patching an IT system back up afterward.
About Financial Guaranty Insurance Brokers
Since 1983, Financial Guaranty Insurance Brokers has distinguished itself as a provider of Professional Liability, Cyber Liability, and Crime insurance products for entities of all types. To receive timely, personalized service from a knowledgeable and experienced staff, call us today at (626) 793-3330 to speak with one of our professionals.