How to Identify and Prevent Phishing Attacks Targeting Payroll Information

Although cybercriminals employ a range of phishing methods to attempt to gain access to a business’ sensitive data, one growing trend is payroll diversion fraud, which uses business email compromise (BEC) to redirect employee direct deposits to an account owned by the cybercriminal.

How to Identify and Prevent Phishing Attacks Targeting Payroll Information

In this article, we’ll explore the different phishing attacks your business and employees should be prepared for, and how to safeguard your business against payroll diversion scams that could lead to financial loss or reputational damage.

Overview of Phishing Scams & How They Work

The range of phishing scams cybercriminals use is ever-evolving, whether it’s “spear phishing” that targets individual employees (including payroll personnel), SMS attacks that contain links with malware, or “whaling” scams that generally target executives. In each case, cybercriminals use social engineering tactics that are meant to induce a sense of urgency or concern that leads to reactive behavior – clicking a link to address an apparent issue, surrendering sensitive information to help a fellow employee, etc.

Payroll diversion scams typically use business email compromise (BEC) to compel payroll personnel to change a real employee’s direct deposit information. Normally, this begins with the cybercriminal researching a business to locate a specific employee to mimic and a specific employee to contact within the payroll department. Once the cybercriminal creates a fake “lookalike” email address or hacks the business’ email domain to commandeer a real account, they send an email to payroll or HR requesting a change to their direct deposit information. 

Often, the subject line of the email is sensible and the full name of the actual employee is present. The content of the email is usually coherent and reasonable, but there will likely be a tone of urgency that suggests the need for swift action from the payroll employee. Whether the sender asks for a direct deposit change to be “effective immediately,” or they claim the update is “necessary to pay monthly bills” (or something similar), the cybercriminal’s end goal is to apply psychological pressure on the recipient so they make the request change reactively out of a sense of obligation, empathy, or concern.

Unfortunately, if a payroll employee then takes the steps necessary to divert funds to the new account, the funds that are deposited to the cybercriminal’s account will be promptly redirected to other accounts to prevent tracing.

Prevention Best Practices 

Fortunately, there are a range of tools and processes your business can use to prevent cybercriminals from conducting successful payroll phishing scams. 

First and foremost, employers should emphasize training, raising employee awareness, and instituting company policies regarding direct deposit updates and employee verification.

Your employees should be informed about the prevalence of payroll phishing scams, the tactics cybercriminals use, and how to report a suspicious email in the event that it breaches your security or anti-phishing software. Here are some potential points of emphasis to include in the training process:

  • Most payroll phishing attacks use email addresses that are similar to an actual employee’s address, but not an exact match. This should be an immediate red flag and launch employee verification protocols (multi-factor authentication, contacting IT, or otherwise).
  • Although many payroll phishing emails are reasonably well-written, if you notice any grammatical errors, misspellings, or other information that appears imprecise, this could be a cause for concern.
  • Any email that requests a direct deposit account change, login credentials, or sensitive employee information should be subject to greater scrutiny and shared with your business’ IT department unless employee verification has been successful.
  • Hover over any links (especially shortened links) to reveal the actual hyperlink address before clicking on any links, and never download an attachment unless the sender’s identity has been verified. Never enter sensitive information on a site without SSL credentials.
  • Cybercriminals often target users on public networks to gather login credentials, financial details and other information that could be used for a payroll phishing attack. Discuss using VPNs or mobile tethering/hotspots as an alternative to using public networks.

Even with this baseline training in place, your business should also institute clear policies on how to handle any requests for direct deposit changes. When a payroll deposit change is requested (by email or otherwise), your HR department should require multi-factor authentication (MFA) and other steps to confirm an employee’s identity before implementing the change. Your employees should also be clear about how to report a suspicious email, text, or potential phishing attack to the company IT department.

Of course, another essential step is to use updated malware, antivirus, anti-phishing and email security software. Each of these tools can help to cut off phishing attacks at the source by filtering out emails with malware attachments, obvious phishing content, suspicious links, etc. For additional tips on how to leverage software and training to keep your login credentials and other sensitive data secure, explore our related article.

Secure and Efficient Payroll with Workforce PayHub

Staying up to date with the software and best practices necessary to keep your payroll running safely and efficiently can be a demanding task. Workforce PayHub is here to help you learn all of the actionable steps you can take to mitigate risk, avoid phishing scams, and process payroll effortlessly for your business and employees. From multifactor authentication to encrypted software and trained HR experts who treat your business’ security as a top priority, we’re here to help you enjoy long-term peace of mind and a comprehensive payroll solution.

To receive the latest updates on HR best practices, labor law regulations, and other news that impacts Great Lakes businesses, subscribe to our newsletter.

Eric Jones
Tips for Keeping Your Login Secure No Phishing, Please
We're Ready To Talk Payroll