Written by Terence Shanahan, Vice President BSA/Security Officer
Cybercriminals are getting more and more crafty; they have new tactics and tools to help them commit fraud against unsuspecting businesses both large and small. Fraudsters are looking for weaknesses in your systems – looking to steal employee identities, divert funds from payroll, and reroute bill payments to phantom accounts. Very often, financial fraud can go on for weeks, months – even years – before it is noticed. And when you go back to recover your funds, they are long gone.
So it’s important to be aware of the scams up front, and put steps in place to avoid falling victim to them.
One of the biggest tools fraudsters use to attack billing and payroll departments is a “spoofed” email address. It’s possible to pose as another entity and even have a reply-to address that seems reasonable. Gone are the days when a strange email address was the first sign that something was fishy.
Now fraudsters can contact your billing or payroll department with a spoofed email address, and “supply new payment information” to have your payments sent to their accounts, rather than the vendor they are posing as.
It works like this: You get a note from your vendor supplying new automatic payment information – asking you to “please update our account with these new banking numbers.” It’s not an unusual request, so the information gets changed in your system. Bills are paid as usual, but after a few months, your vendor calls demanding payment for delinquent bills. You realize you’ve been had, and it’s too late to correct the mistake. The money is gone. And you still owe your vendor.
The easiest and best way to prevent falling victim to this is to call your vendor to confirm whenever you receive a change in payment information. And don’t use a number attached to the email – that’s likely a fake number too!
Fraudsters often go even further, posing as vendors “correcting” payments you’ve already made, and demanding payment be sent immediately to their “new” account. Urgency is another tactic they use; they try to get you to act before you think.
Payroll departments can also fall victim to similar scams, this time involving company staffers. It works the same as the billing scam, only now HR or payroll gets an email (“spoofed” from inside the company email system, of course) from an “employee” asking to change direct deposit info. Fraudsters have often even filled out the correct form because it was available for download on the company website. Again, this seems like a normal request, and the proper form can really cement the supposed authenticity of the request. For this, of course, caution is the best way to avoid problems; check with the employee to make sure they made this request.
Another situation in which “urgency” can get in the way of thinking things through: an HR person gets an email (again, “spoofed”) from a higher-up in the company requesting a detailed headcount for a meeting in a few hours. The short notice is key; there’s a tendency to provide everything rather than risk leaving something out. Now the fraudster not only has names and addresses of employees – they may also have salary figures, social security numbers, and more. This is a bonanza for fraudsters engaged in identity fraud.
It’s no surprise that fraudsters and identity thieves attack payroll and billing departments – that’s where the money is! But there are a few simple rules of thumb to prevent most of the attempted attacks that come your way.
First, be aware of “spoofing” and how it can make incoming and even outgoing email addresses appear legitimate. Double-checking with a trusted source (the vendor or the employee, for example) before re-routing payments is a solid line of defense.
Second, pay attention to whether payments have gone through in a timely manner. Waiting for the news to come to you is a surefire way to be left holding the bag long after the money is gone.
Third, don’t fall for “urgency” in making changes, paying bills or providing information. It only takes a few minutes to double check a request, so if the request is legitimate there will be very little delay.
Online billing and payroll fraud – left undetected – can wreak havoc on finances, especially those of a smaller-sized business. We encourage you to take the proper precautions to avoid these situations.