07 February 2018

Latest email phishing scams target payments made by direct deposit

In the latest of a series of dangerous email phishing scams, fraudsters are stealing the electronically paid wages of employees who receive their pay through direct deposit. Employees who use a self-service portal to update their personal information, such as bank routing and account numbers, are particularly vulnerable to the scam.

Employers that pay wages using direct deposit should consider warning their employees about this threat.

How the scam works

The FBI warns employees that fraudsters impersonating their employers' human resources departments are directing them to a fake website to enter, update or confirm personally identifiable information that can be used to change their banking information in an effort to swipe their electronically paid wages.

Hackers reportedly have also accessed employees' email accounts to request a password change from the employer's payroll service provider, then used the new log-in credentials to change the employees' direct deposit instructions. (Ogletree Deakins alert, January 30, 2018.)

News sources report that employees of public school districts in Colorado, Georgia, and Massachusetts have recently fallen victim to this scam costing employers thousands of dollars in replacement wages. (Wall Street Journal, Hackers target nation's schools, October 23, 2017.)

A representative of the National Automated Clearing House Association (NACHA) declined to comment on the matter, but directed interested persons to view its website for general information on electronic payment security.

Steps employers can take to protect the workforce

The FBI recommends the following steps be taken to help employees protect their personal banking information:

— Employers should warn employees to watch for phishing attacks and suspicious malware links. Employees should be directed to verify that an email came from their employer by checking the actual sender address, rather than just looking at the subject line. Employees should also be told not to reply to any suspicious-looking email; instead, have them forward the email to a company security contact.

— Employer self-service platforms should have a two-step authentication process (such as what the IRS now requires for all users of their online tools and applications). The FBI suggests requiring users to enter a second password that is e-mailed to them or to use a hard token code.

— Self-service platforms should alert administrators of unusual-looking changes, such as an employee changing banking information to a suspicious online bank, in order to stop fraudsters before they can steal the employee's paycheck.

— Companies may want to set a time delay between the changing of direct deposit information in the self-service portal and the actual deposit of funds into the new account to decrease the chance of the theft of wages.
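An added illustration of the last three controls above (second-step check, administrator alerts on unusual changes, and a hold period before the new account is used), written for this page and not code from the FBI, EY or any payroll vendor; the event format, routing numbers, watchlist and thresholds are constructed assumptions:

```python
"""Review a direct-deposit change from a self-service portal: raise administrator
alerts for the patterns described in the alert and hold the new account for a few days."""
from datetime import datetime, timedelta

# Constructed placeholder routing numbers standing in for banks an employer has
# flagged as suspicious (not real institutions); a real deployment keeps its own list.
WATCHLIST_ROUTING = {"000000001", "000000002"}
RESET_WINDOW = timedelta(hours=48)  # password reset shortly before a bank change
HOLD_DAYS = 3                       # delay before payroll uses the new account


def review_change(change, history):
    """Return alert reasons for an administrator (empty list if nothing looks unusual).

    change:  {"when": datetime, "new_routing": str, "mfa_verified": bool, ...}
    history: earlier portal events for the same employee, e.g. {"type": "password_reset", "when": datetime}
    """
    alerts = []
    if change["new_routing"] in WATCHLIST_ROUTING:
        alerts.append("new routing number is on the suspicious-bank watchlist")
    if not change.get("mfa_verified", False):
        alerts.append("change was submitted without second-step authentication")
    for event in history:
        gap = change["when"] - event["when"]
        if event["type"] == "password_reset" and timedelta(0) <= gap <= RESET_WINDOW:
            alerts.append("password reset %dh before the bank change" % (gap.total_seconds() // 3600))
            break
    return alerts


def effective_on(change, hold_days=HOLD_DAYS):
    """Date from which payroll may use the new account (end of the hold period)."""
    return change["when"] + timedelta(days=hold_days)


def routing_for_payroll(change, payroll_date, hold_days=HOLD_DAYS):
    """Keep paying the old account while the hold on the new one is still running."""
    if payroll_date < effective_on(change, hold_days):
        return change["old_routing"]
    return change["new_routing"]


# Constructed sample: a password reset 29.5 hours before an unverified change to a watchlisted bank.
HISTORY = [{"type": "password_reset", "when": datetime(2018, 2, 5, 9, 0)}]
CHANGE = {"employee": "E1001", "when": datetime(2018, 2, 6, 14, 30),
          "old_routing": "123456789", "new_routing": "000000001", "mfa_verified": False}

if __name__ == "__main__":
    for reason in review_change(CHANGE, HISTORY):
        print("ALERT:", reason)
    print("payroll on Feb 8 goes to", routing_for_payroll(CHANGE, datetime(2018, 2, 8)))
```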

IRS warns of another direct deposit scam involving tax refunds

The IRS also issued an alert about a new scam involving the theft of taxpayer refunds sent via direct deposit. The scam surfaced just days after the official start of the 2018 tax filing season. (IR-2018-17, February 2, 2018.)

In the new scam, cybercriminals who stole data from several tax practitioners' computers and filed fraudulent tax returns used the taxpayers' real bank accounts for the direct deposit of the fraudulent federal tax refund. A woman posing as a debt collection agency official then contacted the taxpayers to say a refund had been deposited in error and asked them to forward the money to her.

In addition to seeking out cybersecurity experts to help better secure their data, the IRS recommends that the following basic steps be taken:

— Educate all employees generally about phishing and, in particular, about spear phishing (a more targeted form of phishing that appears to come from a trusted colleague or department, such as a human resources department).

— Use strong, unique passwords or a phrase instead of a word, composed of a mix of letters, numbers and special characters, for each circumstance or account.

— Never take an email from a familiar source at face value. If the email asks the receiver to open a link or attachment, or includes a threat to close their account, think twice.

— If an email contains a link, the IRS recommends that you hover your cursor over the link to see the web address (URL) destination. If it's not a recognized URL or if it's an abbreviated URL, don't open it.

— Contact the referenced individual or department by telephone to get a verbal confirmation that they are the sender of the email.

— Use security software to help defend against malware, viruses and known phishing sites and update the software automatically.

— Send suspicious tax-related phishing emails to phishing@irs.gov.

Other resources

— The Federal Trade Commission (FTC) also provides information for companies on how to keep their employees' personal information secure. See their website for more information.

— The US Secret Service also takes an active role in safeguarding the payment and financial systems of the US from financial and computer-based crimes. Employers that have fallen victim to these types of crimes may report them here.

———————————————

Contact Information
For additional information concerning this Alert, please contact:
 
Workforce Advisory Services — Employment Tax Advisory
Debera Salam (713) 750-1591
Kristie Lowery (704) 331-1884
Kenneth Hausser (732) 516-4558
Debbie Spyker (720) 931-4321

———————————————
ATTACHMENT

EY Payroll News Flash

Document ID: 2018-0270