Is your organization trained to combat cybercrime?
The FBI’s Internet Crime Complaint Center reports that Internet crime cost companies and individuals $2.7 billion in 2018. Business email compromise resulted in the highest losses at $1.2 billion. The second greatest threat was payroll diversion, at a cost of $100 million.
HR departments are high profile targets
The payroll diversion scam has been making a comeback in recent months, targeting the people responsible for making sure employees are paid on-time, every time. The IRS warns that direct deposit and wire transfer scams are becoming more prolific, to the point of bypassing even the most sophisticated technical controls. Companies and employees are being scammed out of thousands of dollars through a few simple targeted e-mails.
How does payroll fraud work?
Most companies use direct deposit to ensure employees are paid through a consistent, automated process that is set up when they join the company. Unless changes are requested, payroll is continually deposited into their accounts. Hackers are trying to exploit this system by digging up information on the HR department and sending targeted messages to HR personnel posing as high-level executives or employees who need assistance updating their information.
The messages typically use some sort of urgent wording and discourage the HR personnel from calling to follow-up on the request. Scammers have caught on to avoiding e-mail filters and are careful to ensure there are few misspellings or grammatical errors that would send them to spam.
The emails use spoofed addresses that don't require any hacking or technical skill on the scammer's part. They simply sign up for a fake email address using free services such as Gmail or Yahoo, using a known employee's name as the account holder. This makes the scam even harder to spot since HR personnel may not notice the full e-mail address and just recognize a familiar display name.
Once the direct deposit details have been updated, the next paycheck funnels straight into an account set up by the scammer and continues until the employee notices paychecks haven't been deposited.
Fighting Fraud with Education
Involving HR personnel in engaging, role-based security awareness training & educational programs is the most proven method to avoid falling for scams like this that are almost impossible to stop with technical security tools. Continual education and strict processes to require a follow-up phone call can foil even the most sophisticated social engineering attacks in many instances. Requiring all requests to come from verified company e-mail accounts can assist as well.
Reporting Cyber-crime & Fraud
Avoidance, education, and reporting are all key to stopping cybercrime in its tracks. If you've been a victim of an internet scam or hacking, it's important to file a complaint with the FBI's Internet Crime Complaint Center (IC3).
If you would like to launch a security awareness program at your company that does not require more manpower or cut into work time, look into the Phishgoggles Security Awareness Service. It is the only fully-managed, year-round phishing, training and performance-based educational service to elevate cybersecurity awareness and alertness.
No single service or technology can cover all of the potential entry points for ransomware, malware and other malicious viruses, so companies like ours bundle services that range from "if-you-do-nothing-else-you-better-have-these-basic-protections" to a comprehensive multi-layer package that seeks to stop hackers at every point where they can penetrate your IT systems. A security assessment is the first step to determine your most critical cybersecurity gaps. If your company must comply with NIST, HIPAA, PCI, GDPR or other cybersecurity requirements, a security risk assessment is mandatory.
For more information: https://summitbiztech.com/contact/