Payroll scam: Fraudsters are targeting your employees’ paychecks
In several recent cases, a company’s Human Resources department received an email, apparently from one of its own employees, asking for help changing the bank account into which their salary is paid. Had the HR staff known about this scam, they would have realised that it wasn’t an employee asking for help. It was a fraudster attempting to steal the employee’s salary.
What is a payroll scam?
Payroll scams are committed by fraudsters who craft deceptive emails in which they pose as a company employee. Using plausible, well-written messages, they persuade HR to change the employee’s bank details to an account under the fraudster’s control. By the time the real employee notices on payday that no salary has arrived and contacts HR, the money has already been paid out to the fraudster’s account, and such transfers are typically irrecoverable.
Variants of Payroll scam:
- Email hack: The fraudsters break into the employee’s own email account and send the request from the genuine address, making it virtually impossible for HR to tell from the email itself that the request did not come from the employee. Only a check outside email, such as a call to the employee, can reveal it.
- Lookalike domain: The fraudsters register an email domain that looks almost identical to the real one to confuse the HR department. For instance, can you spot the difference between a domain written with a lowercase L and the same domain written with a capital I? Or between business-banking and businessbanking, where the only difference is the hyphen? In many fonts these pairs are nearly indistinguishable, so a quick glance at the sender’s address is not enough.
- Spoof call: Most phones today display caller ID, but caller ID information can be “spoofed”. After sending the fake request, the fraudsters call HR from a number spoofed to match the employee’s, so the recipient believes they are already in contact with the real employee and that a call-back is unnecessary. That is exactly what the fraudster is aiming for. Always call your employees back on the number already on file, never on the number that called you or on a number given in the email.
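The lookalike-domain variant above can be caught automatically before a human has to squint at the address. The following Python script is an added example written for this article, not a tool from the original page: it reduces a sender’s domain to a visual “skeleton” (capital I, digit 1 and the pipe collapse to lowercase l, digit 0 to o, “rn” to m, hyphens are dropped) and compares that skeleton with the company’s known domains. The trusted domain `globalbanking.example` and the sample addresses are constructed for illustration; the 0.85 similarity threshold is an assumption you should tune on your own mail.

```python
from difflib import SequenceMatcher

# Constructed for this example: the domains HR should expect employee mail from.
TRUSTED_DOMAINS = {"globalbanking.example"}

# Single characters that impersonate another character in common fonts.
# Capital I is mapped BEFORE lower-casing so it lands on "l" (the letter it
# imitates) rather than on "i".
SINGLE_CHAR_CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "5": "s"})

# Character pairs that together look like one other character ("rn" -> "m").
MULTI_CHAR_CONFUSABLES = [("rn", "m"), ("vv", "w")]


def skeleton(domain: str) -> str:
    """Collapse a domain to a visual skeleton so that look-alikes compare equal."""
    d = domain.strip().translate(SINGLE_CHAR_CONFUSABLES).lower()
    d = d.replace("-", "")  # business-banking vs businessbanking
    for seq, replacement in MULTI_CHAR_CONFUSABLES:
        d = d.replace(seq, replacement)
    return d


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, threshold: float = 0.85) -> str:
    """Return 'trusted', 'lookalike', 'external' or 'invalid' for a sender address.

    'lookalike' means the domain is not one of ours but is visually close enough
    that the request must be verified out of band (a call-back), not acted on.
    """
    if "@" not in address:
        return "invalid"
    raw_domain = address.rsplit("@", 1)[1].strip()
    if raw_domain.lower() in trusted:
        return "trusted"
    sk = skeleton(raw_domain)
    for known in trusted:
        known_sk = skeleton(known)
        if sk == known_sk:
            return "lookalike"  # identical once confusables and hyphens are removed
        # A dropped or swapped letter (globalbankin vs globalbanking) survives the
        # skeleton step, so fall back to a similarity ratio on the skeletons.
        if SequenceMatcher(None, sk, known_sk).ratio() >= threshold:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample senders covering each case the article describes.
    samples = [
        "jane.doe@globalbanking.example",   # genuine
        "jane.doe@gIobalbanking.example",   # capital I for lowercase l
        "jane.doe@global-banking.example",  # hyphen inserted
        "jane.doe@globalbanking.exarnple",  # rn for m
        "jane.doe@globalbankin.example",    # one letter dropped
        "jane.doe@gmail.example",           # unrelated domain
    ]
    for sender in samples:
        print(f"{sender:40} {classify_sender(sender)}")
```

Treat a “lookalike” verdict as “verify by call-back on the number on file”, not as proof of fraud: a legitimate partner with a genuinely similar name will trip it too, and that is the safe direction for an error. The script does not handle internationalised domain names; a Cyrillic “а” standing in for Latin “a” needs a full confusables table such as the one in Unicode Technical Standard #39, which is a straightforward extension of `skeleton`.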
What precautions can you take?
- Educate HR staff and anyone else who might be targeted by this kind of phishing, for example by training them to recognise phishing emails.
- Pick up the phone and verify the request with the employee. Do not use a phone number given in the email. Use the number already on file in your systems or one that is otherwise publicly available.
- Require the employee to complete and sign a written form in person at the office.
- Implement a secure online employee self-service portal so that employees manage their own account information and HR no longer handles such updates on their behalf. Protect the portal with multi-factor authentication and have it notify the employee, via contact details already on file, whenever bank details are changed, so that a fraudster who has taken over the employee’s email cannot silently redirect the salary.
Taking precautionary measures today to strengthen the verification procedure for payroll changes is essential. By giving employees basic guidelines and the relevant knowledge, companies can shield themselves from financial losses in the future.