The same digital revolution that’s ushered in an era of business innovation has been as much of a boon for the enterprising criminal set. Moreover, organizations know that this revolution has a price tag — data breaches are now part of doing business.

Many organizations, of course, are becoming better at protecting their corporate networks and their crown jewels, like customer and employee databases. However, hackers are no dummies either. They’re finding equally lucrative ways of targeting individuals directly, whether that’s employees or customers. Yet the organizations are the ones paying the price just the same.

One relatively new way to bilk organizations of money is a direct-deposit phishing scheme, aimed at employers that use self-service direct-deposit platforms. These are platforms that allow employees to manage their W-2 and payroll options, so the platforms contain personally identifiable information (PII) as well as direct-deposit banking data.

The education sector has especially become a magnet for this scam. In one example, Atlanta Public Schools in Georgia reportedly ended up with more than $56,000 in payroll deposits stolen. The data of 6,000 district employees may have also been compromised, and the total cost to the district was estimated at $300,000.

Denver Public Schools in Colorado was another victim. At least 30 district employees reportedly clicked on a phishing email link, allowing scammers to change the routing numbers for their direct deposits. The theft totaled more than $40,000.

According to the FBI, the scam begins with a phishing campaign targeting individual employees. It’s a variation of sorts on the business email compromise (a.k.a. CEO fraud), in which malicious actors impersonate a trusted person or a person of authority to get the victim to perform a certain action.

In this case, the trusted authority is the human resources department or an HR vendor — and the ask looks legit enough. The email directs the employee to perform what may feel like a common transaction, like confirming a direct-deposit account, viewing changes to the account, etc.

The goal is to get the person to reveal login credentials to the fraudster, who can then use those credentials to steal PII as well as redirect the employee’s deposit to another account. Moreover, since fraudsters are experts at avoiding suspicion, one of the first things they do is change the contact email, so the victim doesn’t receive an alert.

How Can You Tell It’s a Scam?

Below is an excerpt from an actual direct-deposit phishing email sent to employees of a university, masquerading as a request from a well-known payroll-services vendor that the university was using.

“Dear Payee,

Please follow these steps to activate [name of vendor’s service platform]. The activation is recommended for all [vendor name] users and contains improvement to privacy, compatibility, and security.

  1. Click [link to platform login page]
  2. Enter your USER ID and PASSWORD
  3. Click Login, and you are done.”

At a quick glance, the email may not trigger a red flag — for one, it lacks the famously bad grammar that instantly gives away a phishing campaign.

However, the email did have a couple of telltale signs. The biggest was the sender’s Comcast email address. Unless this is being sent to Comcast employees or is for a Comcast service, no business worth its salt is going to use a Comcast email address. (Of course, the business email address can be spoofed or compromised too, so that by itself should never be used as a gauge.)

The first step in the instructions displayed the website address for the actual, authentic login page for the vendor’s system. This is common in phishing emails: the visible text is the genuine address, but the embedded link redirects the person to a malicious website, often one that looks exactly like the expected page. The real URL can be revealed in many email apps by hovering over the embedded link.

The antenna should have gone up for a savvy user who stopped for a minute to consider the request. While everyone’s used to constantly updating apps for better security and compatibility, and there are always emails about privacy policy updates, activation of a service or platform is a one-time thing, and security, privacy or similar improvements done on the back end would not trigger reactivation or a user-account confirmation.

Detecting direct-deposit scams is not much different from detecting other phishing emails. Typical red flags, to name a few, include:

  • Spelling and grammatical errors
  • Urgent or unusual requests (often accompanied by something punitive, like an account lockout, that would result from inaction)
  • Unusual or questionable sender’s address (if the email is signed, also a mismatch between the sender’s name in the email header and the name in the email itself)
  • Embedded link that doesn’t match the displayed link
  • Misleading URL (the deviation can be as subtle as a zero in place of the letter o)
  • Request for personal or sensitive information
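A small check for the two link-related flags above (an embedded link that does not match the displayed link, and a look-alike domain that swaps a zero for the letter o), as an added example that is not part of the original article. The expected vendor host, the confusable-character map and the sample email body are constructed for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical vendor host the organisation expects payroll links to point at.
EXPECTED_HOSTS = {"payroll.example-vendor.com"}
# Digits commonly substituted for the letters they resemble (zero for o, one for l).
CONFUSABLES = str.maketrans({"0": "o", "1": "l"})
URL_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+", re.I)


class LinkCollector(HTMLParser):
    """Collects (displayed text, href) pairs from <a> tags in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    return (urlparse(url if "://" in url else "https://" + url).hostname or "").lower()


def check_links(html):
    """Return (reason, displayed text, real href) for every link that raises a red flag."""
    parser = LinkCollector()
    parser.feed(html)
    flags = []
    for shown, href in parser.links:
        real_host = host_of(href)
        if URL_LIKE.match(shown) and host_of(shown) != real_host:
            flags.append(("displayed link differs from embedded link", shown, href))
        if real_host not in EXPECTED_HOSTS:
            reason = "look-alike domain" if real_host.translate(CONFUSABLES) in EXPECTED_HOSTS else "unexpected host"
            flags.append((reason, shown, href))
    return flags


# Constructed email body modelled on the excerpt above: the visible text is the real
# vendor address, but the href points at a domain with a zero in place of the letter o.
SAMPLE_EMAIL = """<ol><li>Click <a href="http://payroll.example-vend0r.com/login">https://payroll.example-vendor.com/login</a></li>
<li>Enter your USER ID and PASSWORD</li></ol>
<p>Questions? <a href="https://payroll.example-vendor.com/help">Help centre</a></p>"""
```

Running `check_links(SAMPLE_EMAIL)` flags the first link twice (mismatch and look-alike) and leaves the genuine help link alone; a mail gateway would apply the same logic to every anchor before delivery.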

Preventing Direct-Deposit Phishing Scams

A few steps organizations can take to prevent direct-deposit phishing scams include:

  • Implement two-step or multifactor verification for HR/payroll platforms.
  • Require IT administrators to monitor for unusual activity, such as a large number of accounts having contact and banking info changed over a short period.
  • Have a policy of temporarily reverting to a paper check after a change to banking information.
  • Ensure payroll login credentials are different from credentials used for other purposes.
  • Alert employees about the scam.
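The monitoring and paper-check policies above, turned into detection logic over a constructed set of payroll audit records; this is an added example, not the article's own or any vendor's code. The event format, field names, IP addresses and thresholds are assumptions. It looks for the sequence the article describes (contact email changed, then banking details) and for bursts of banking changes from one source, and returns the accounts to revert to a paper check until the change is verified out of band.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records (timestamp, employee id, field changed, source IP); the schema is an assumption.
EVENTS = [
    ("2024-03-04T09:12:00", "emp017", "contact_email", "10.1.5.9"),
    ("2024-03-04T09:15:00", "emp017", "bank_account", "10.1.5.9"),
    ("2024-03-04T09:20:00", "emp042", "contact_email", "10.1.5.9"),
    ("2024-03-04T09:24:00", "emp042", "bank_account", "10.1.5.9"),
    ("2024-03-04T09:31:00", "emp088", "bank_account", "10.1.5.9"),
    ("2024-03-04T10:02:00", "emp103", "bank_account", "10.1.5.9"),
    ("2024-03-11T14:00:00", "emp250", "bank_account", "192.168.7.21"),  # lone change, no alert
]

SEQUENCE_WINDOW = timedelta(hours=24)  # email changed shortly before bank details
BURST_WINDOW = timedelta(hours=2)      # many bank changes from one source in a short period
BURST_THRESHOLD = 3


def parse(events):
    return sorted((datetime.fromisoformat(t), emp, field, ip) for t, emp, field, ip in events)


def sequence_alerts(events):
    """Accounts whose contact email changed and then bank details within SEQUENCE_WINDOW."""
    last_email, hits = {}, set()
    for ts, emp, field, _ in parse(events):
        if field == "contact_email":
            last_email[emp] = ts
        elif field == "bank_account" and emp in last_email and ts - last_email[emp] <= SEQUENCE_WINDOW:
            hits.add(emp)
    return sorted(hits)


def burst_alerts(events):
    """Source IPs that changed bank details on >= BURST_THRESHOLD accounts within BURST_WINDOW."""
    by_ip = defaultdict(list)
    for ts, emp, field, ip in parse(events):
        if field == "bank_account":
            by_ip[ip].append((ts, emp))
    flagged = {}
    for ip, changes in by_ip.items():
        for i, (start, _) in enumerate(changes):
            accts = {e for t, e in changes[i:] if t - start <= BURST_WINDOW}
            if len(accts) >= BURST_THRESHOLD:
                flagged[ip] = sorted(accts)
                break
    return flagged


def paper_check_hold(events):
    """Accounts to revert to a paper check until the change is verified out of band."""
    return sorted(set(sequence_alerts(events)).union(*burst_alerts(events).values()))
```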

The best prevention, however, may be to manage the weakest link: the human factor.

“Employers must train their workforce to make smarter security decisions and create a human firewall as an effective last line of defense when security software fails, which it always will,” says Stu Sjouwerman, CEO of security awareness training company KnowBe4.


Specific to the direct-deposit scam, Sjouwerman suggests training employees to call the HR department to confirm the information before clicking on anything.

“Build out local steps they can take to verify activity, so anything unusual can be detected more easily,” he says.

He suggests steps such as sending out an HR announcement or notifications before requiring employees to make changes, as well as making employees aware of what kind of requests are not normal.

Experts recommend that employee education cover areas such as:

  • Common social engineering and phishing techniques
  • Basic cybersecurity hygiene
  • Strategies for identifying phishing attacks
  • Ways to safeguard personal and corporate information
  • Unsafe online behavior

Education is not the end-all solution, but it’s the best way to help employees keep their “spidey senses” sharp. Perhaps the best piece of advice organizations can give them is to stay vigilant, and if there’s any doubt, check directly with the source or with the IT department.

Sources:

FBI, “Building a Digital Defense Against PII”

The Atlanta Journal-Constitution, “Atlanta School Says Confidential Data for All Employees ‘Potentially Exposed’”

The Atlanta Journal-Constitution, “APS to Spend $300,000 Responding to September Cyber Scam”

Georgia Southern University, “ADP Direct Deposit Scam”

FOX31 Denver, “Phishing Scam Diverts More than $40,000 from Denver Public Schools”

Ogletree Deakins, “Diverting Employees’ Payroll Direct Deposits: The Latest Wave of Phishing Scams”