
Tips on Keeping Your Payroll Safe From Phishing

Payroll phishing is a common scam that carries little risk for fraudsters.

These fraudsters are generally in another country. They compromise either a work email account or any general email account and, using a likeness of an employee, impersonate that employee to change their direct deposit information to a bank account the fraudsters control.

 

Then, on payday, the employee checks their bank account and realizes that they haven’t received their money. That’s when they are usually able to trace it back and find out that their direct deposit had been changed to a different bank account.

 

This happens when there are poor policies around changing direct deposit information. Here are some tips to help strengthen the security around the personal information your business may store for its employees:

  • Have verification policies for direct deposit account changes. Require confirmation by email, by a known phone number on file, or by talking to the person directly.

  • Use multi-factor authentication on email accounts. If an email username or password is compromised, the additional steps can make it difficult for a fraudster to get in.

  • Remove public-facing email directories. If you have public-facing email directories, fraudsters can use the listed addresses for password spraying or brute-force attacks. People often do not use complex passwords, so hackers can get into an email account.

 

 

Learn more about cybersecurity at Michigan.gov/mc3 and bbb.org.
