Phishing scams are targeting credit union human resources or payroll departments using a form of the C-suite business email compromise. The scam uses a phishing email – appearing to be from the CEO or another executive-level employee – sent to staff that manage HR or payroll functions. The email requests changes to an employee’s payroll direct deposit, which reroutes it to the fraudster’s account.
The IRS issued a warning about a phishing scam involving payroll direct deposits. Phishing emails from fraudsters are posing as a high-level credit union executives requesting payroll direct deposits be changed or rerouted to another financial institution. The scam is similar to the C-suite business email compromise which has increased 133% from 2017 to 2018 according to Beazley Breach Solutions.
Since the scam involves payroll, employees are more likely to act on impulse and react immediately to avoid having any pay disrupted. In some cases, fraudsters have spoofed the executive’s email. However, the fake emails have also been generated through free email services.
This phishing scam can have a devastating impact on staff and credit unions. It is unlikely the credit union can recover the funds once the ACH payroll file has been processed due to fraudsters quickly withdrawing the funds once deposited. Even though some transactions may be low dollar amounts, it is cheap and easy to execute leading experts to expect a steady increase in this method of phishing.
Consider these risk mitigation tips:
-Validate requests to change the destination of payroll direct deposits that are not made in person, such as call the individual making the request.
-Don’t accept these requests from employees’ personal email accounts.
-Use an [EXTERNAL] tag in the subject line of incoming emails sent from external email addresses.
-Watch for misspelled words or grammatical errors within emails – a common sign of a phishing email
-Hover the cursor over the sender’s email address to confirm the sender’s actual email address. Inspect for irregularities as this is a sign it could be spoofed.
-Require employees to complete an updated direct deposit authorization form
-Require a secondary internal approval for payroll changes
-Flag incoming emails that contain words such as “urgent” or “immediate”
-Remove lists of employees, title and email address from your credit union Web site as this can assist the fraudster in knowing the organizational structure
Risk Prevention Resources Access
CUNA Mutual Group’s Protection Resource Center at cunamutual.com for exclusive risk and compliance resources to assist with your loss control. The Protection Resource Center requires a User ID and password.