Before the Coronavirus outbreak, payroll scams were already increasing. Now, with bad guys seeing workers more dependent on getting paid on time, this type of phishing fraud is happening even more.
Here's what to watch out for if you're in charge of payroll at your company. Or if you're a worker signed up for direct deposit.
That Moment You Realize You Were Payroll Scammed
Let's imagine for a moment that you're a payroll accountant. One of your company's employees contacts you to say that they didn't receive their direct deposit paycheck last week.
You check records and see that the check was issued and inform the employee. They insist that their bank never received it.
Further investigation reveals an email was sent two weeks ago appearing to be from that employee's email address to accounting. The message states that the employee recently changed bank accounts and a direct deposit form is attached providing the employee's new account information for direct deposits to go to.
The employee states he never sent that email. Both the employee and payroll accountant realize they were the victims of a common threat known as a payroll spoofing scam.
The hacker successfully spoofed a real employee in order to have their check re-routed to a different bank--the final destination usually being some off-shore account in Europe or South America.
What is a Spoofed Email?
A spoofed email is when a hacker changes information in the header of an email, so that it appears to be coming from a different email address then it actually is. This is why accounting thought this employee's direct deposit information change was real.
When an email is spoofed, the employee's account might not even be further compromised. A closer look would reveal that the email was actually sent via the hacker's address.
This scam is common because spoofing an email is actually very easy to do. Mail servers can be set up to send from different domains. There are also websites that will let anyone send one-off emails using a different email address for free. The good thing is, both of these methods leave behind some clues--read below to learn the tell-tale signs of a spoofed email.
How Can Payroll Spoofing Scams Be Avoided?
Because an employee will not be aware if their email is being spoofed, the majority of the responsibility falls on accounting to verify all emails that include changes to an employee's payroll information.
Having a company-wide policy that any account changes must be verified with a phone call to the employee is a good policy to have.
Here are a couple of things that might give a spoofed email away.
1. Look for any misspellings or awkward language used in the email. If you know the sender, try and determine if the message is written in the tone and language that they commonly use.
2. Investigate the email header. Email headers contain detailed information about where a message started and how it was routed to you.
If you're using Gmail, click on the three vertical dots next to the reply arrow in the email. Select “Show Original.” A spoofed email would have a different address listed in the domain name and IP address in the “Received” field and in the validation results of the Received-SPF field.
For Exchange Online for Office 365, open the email and look in the top right corner of the message. Find the drop down menu arrow next to the "Reply all" button. Click on the arrow. When the menu opens, select "View message details" near the bottom of the menu.
If you think an email message might be spoofed, copy the header information and send it to your IT professional to analyze the details. Don't click any links, open any attachments, or take any requested actions until you can verify an email's authenticity.
Want better visibility and security of employee accounts? Check out our Cloud Security add-on for Microsoft 365.
It's just one of the advanced security options we offer our customers. First, our security team monitors suspicious logins from your employee accounts. Next, we scan the dark web to see what personal information about your employees is available for sale to hackers. Finally, we phish test all of your employees and let you know who is most vulnerable to phishing scams.
All of this additional peace of mind and monitoring for only $2 more per user with one of our standard agreements.
Interested in learning more about cloud security for your team? Contact us today.