Direct deposit phishing
A direct-deposit phishing scheme is aimed at employers that use self-service direct-deposit platforms. These platforms allow employees to manage their W-2 and payroll options, so the platforms contain personally identifiable information (PII) as well as direct-deposit banking data. The education sector is a popular target for this scam.
According to the FBI, the scam begins with a phishing campaign targeting individual employees. It’s a variation of sorts on the business email compromise, in which fraudsters impersonate a trusted person or a person of authority to get the victim to perform a certain action. This can include the trusted authority of the human resources department or an HR vendor. The email directs the employee to perform what may feel like a common transaction, like confirming a direct-deposit account, viewing changes to the account, etc.
The goal is to get you to reveal login credentials to the fraudster, who can then use those credentials to steal PII as well as redirect the employee’s deposit to another account. One of the first things the fraudster will do is change your contact email, so that you don't receive an alert.
Detecting direct-deposit scams are not much different from detecting other phishing emails:
- Spelling and grammatical errors.
- Urgent or unusual requests (often accompanied by something punitive, like an account lockout, that would result from inaction).
- Unusual or questionable sender’s address (if the email is signed, also a mismatch between the sender’s name in the email header and the name in the email itself).
- Embedded link that doesn’t match the displayed link.
- Misleading URL (sometimes it can be as subtle a deviation as a zero instead of letter o).
- Request for personal or sensitive information.
Preventing Direct-Deposit Phishing Scams
A few steps organizations can take to prevent direct-deposit phishing scams include:
- Implement two-step or multi-factor verification for HR/payroll platforms.
- Require IT, administrators, to monitor unusual activity, such as a large number of accounts having contact and banking info changed over a short period.
- Have a policy of temporarily reverting to a paper check after a change to banking information.
- Ensure payroll login credentials are different from credentials used for other purposes.
- Set up alerts on self-service platforms for administrators so that unusual activity may be caught before money is lost. Alerts may include for when banking information is changed to online bank accounts typically used by fraudsters.
- Alert employees about the scam.
- Train employees to watch for phishing attacks and suspicious malware links. Checking the actual e-mail address rather than just looking at the display name can be crucial to spotting the attack early.
- Set a time delay between when direct deposit information is changed in the self-service portal and the actual deposit of funds into the new account to decrease the chance of the theft of funds.