
Direct Deposit Scams: Don’t Get Fooled!

April 15, 2020

A direct deposit scam is a type of business email compromise or email account compromise (BEC/EAC) scheme. Widely prevalent, these scams affect industries in all sectors. In fact, in 2019, the FBI’s Internet Crime Complaint Center (IC3) received 23,775 reports of BEC/EAC scams with adjusted losses of $1.7 billion. Notably, according to the report, there was also a dramatic uptick in direct deposit BEC/EAC scams. Clearly, this is a scam that organizations need to be aware of.

Does your company use direct deposit for payroll? Because of the savings associated with direct deposit many companies do. As an employee, I love the convenience of direct deposit. It gives me quick access to my paycheck as well as the convenience of skipping the ATM and/or bank queue. And, for me that’s a huge plus while coping with the coronavirus pandemic. However, in view of the FBI’s findings, organizations need to take this scam seriously and implement security strategies to protect themselves. In this month’s blog, we’ll examine how direct deposit scams work, what to do if you’ve been scammed, and how to protect your company from direct deposit scams.

[Image: direct deposit scams]

How Direct Deposit Scams Work

This type of scheme uses social engineering tactics, such as impersonation and manipulation. In previous versions of direct deposit scams, cybercriminals would pose as Human Resources (HR) staff and contact employees seeking payroll information via phishing emails. In the newest variation, however, bad actors have reversed roles. Now they pose as employees, typically high-value employees such as the CEO or CFO, and contact HR staff via email requesting changes to their direct deposit information.

What makes this scam so dangerous? First, in this new variation, the emails easily bypass technical controls for malicious communications. Why is this so? Because the phishing emails contain no request for money and no glaring spelling mistakes, and they’re short and friendly. I’ll talk more on this later. Additionally, bad actors are using free email services such as Gmail. They simply create a new account using the employee’s name. By doing so, they circumvent tools designed to detect hacking attempts on the employee’s real email account.

Second, the phishing emails manipulate emotions. The bad actor crafts the email specifically to create a sense of urgency. For example, posing as the CEO, the cybercriminal may request a change to their direct deposit information that must happen before the processing of the next payroll. If the HR employee replies and offers to help, the bad actor sends new bank routing information. The paycheck is then deposited in the cybercriminal’s account. As a result, the employee is stuck waiting for a replacement paycheck, the company is liable for the stolen funds, and the bad actor gets money for nothing. A bad scenario by anyone’s definition.
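The pattern described in the two paragraphs above (a free-mail account carrying a real employee’s display name, asking HR for a payroll change under time pressure) can be turned into a simple triage check at the mail gateway or in the SOC. The following Python is an added example written for this post, not code from Social-Engineer, LLC or from any product mentioned here. The organization domain, the employee directory, the keyword lists, and the two sample messages are all constructed for illustration; it assumes plain-text, single-part messages.

```python
"""Triage heuristic for direct-deposit BEC emails (added example).

Flags an inbound message when the From display name matches a known
employee but the address is outside the organization's own domains
(display-name impersonation from a free-mail account), and the body
asks for a payroll / direct-deposit change, with urgency as an extra
signal.  Employee directory, domains and samples are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed: the organization's own mail domains.
ORG_DOMAINS = {"example.com"}

# Constructed: employee directory keyed by normalized display name.
EMPLOYEE_DIRECTORY = {
    "jane doe": "jane.doe@example.com",  # hypothetical CEO
    "sam lee": "sam.lee@example.com",    # hypothetical HR staff
}

# Keyword lists chosen for this example; tune them to real mail traffic.
PAYROLL_TERMS = ("direct deposit", "payroll", "bank account", "routing number")
URGENCY_TERMS = ("before the next payroll", "as soon as possible", "asap",
                 "today", "urgent")


def _normalize(name: str) -> str:
    """Lower-case and collapse whitespace so 'Jane  Doe' == 'jane doe'."""
    return " ".join(name.lower().split())


def score_message(raw: str) -> dict:
    """Return the signals found in a raw RFC 822 message plus a verdict.

    verdict: "flag"   - impersonated employee name + payroll request
             "review" - external sender + payroll request (no name match)
             "allow"  - otherwise
    """
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""

    # Single-part, plain-text assumption: payload is already a str.
    payload = msg.get_payload() if not msg.is_multipart() else ""
    body = payload.lower() if isinstance(payload, str) else ""

    external_sender = domain not in ORG_DOMAINS
    known_address = EMPLOYEE_DIRECTORY.get(_normalize(display_name))
    # The name belongs to a real employee but the address is not theirs.
    name_impersonation = known_address is not None and address != known_address
    payroll_request = any(term in body for term in PAYROLL_TERMS)
    urgency = any(term in body for term in URGENCY_TERMS)

    if name_impersonation and payroll_request:
        verdict = "flag"
    elif external_sender and payroll_request:
        verdict = "review"
    else:
        verdict = "allow"

    return {
        "from_address": address,
        "external_sender": external_sender,
        "name_impersonation": name_impersonation,
        "payroll_request": payroll_request,
        "urgency": urgency,
        "verdict": verdict,
    }


# Constructed sample: impersonated CEO from a free-mail account.
SAMPLE_SCAM = """From: Jane Doe <janedoe.ceo@gmail.com>
To: Sam Lee <sam.lee@example.com>
Subject: Quick request

Hi Sam, I need to update my direct deposit information before the next
payroll. Can you take care of it today? Thanks, Jane
"""

# Constructed sample: the real CEO asking for something unrelated.
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: Sam Lee <sam.lee@example.com>
Subject: Board deck

Sam, please send me the latest headcount numbers for the board deck.
"""

if __name__ == "__main__":
    for label, sample in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        print(label, score_message(sample))
```

A "flag" verdict is a reason to hold the message and verify the request out of band with the employee, never by replying to the email; the heuristic is deliberately narrow so that ordinary internal mail about payroll from the employee’s real address is not caught.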

What the Emails Look Like

Are you curious what these emails look like? Here are a couple of examples of direct deposit phishing emails sent to Brown University.

[Screenshot from Brown University: direct deposit phishing email, example 1]

[Screenshot from Brown University: direct deposit phishing email, example 2]

What to do if You’ve Been Scammed

What should you do if your company has been scammed? It’s important to react promptly and purposefully. The FBI’s Internet Crime Complaint Center recommends taking these actions:

  • Promptly contact the originating financial institution as soon as the scam is detected. Request a recall or reversal, as well as a Hold Harmless Letter or Letter of Indemnity.
  • File a complaint with the FBI’s Internet Crime Complaint Center (https://www.ic3.gov/default.aspx). Be sure to enter all the required data.

Nobody wants to experience the anxiety, frustration, and financial loss from direct deposit scams. So, as an organization, take steps to strengthen your security posture. What can you do? Security training that focuses on the human element is a must!

Protect Your Organization from Direct Deposit Scams

To protect your organization from direct deposit scams as well as other cybercrimes, intrusion detection systems, firewalls, and other devices to monitor your network are important. However, it’s absolutely vital not to overlook the human element in your security strategy. In direct deposit scams, for instance, cybercriminals target people, not networks, which brings me back to an earlier point: in these recent direct deposit scams, bad actors are crafting emails that bypass technical controls. Clearly, training employees to understand and recognize malicious social engineering tactics is important. To that end, we recommend a Social Engineering Risk Assessment. Your organization will receive expert analysis of your potential risk, enabling you to plan, educate, and prepare for a social engineering attack.

Implementing phishing training such as Phishing as a Service® (PHaaS®) is also a must. PHaaS® training raises employee awareness and provides education. It also gives your organization a continuous, repeatable process for assessing phishing risks.

Best Practices

As millions transition to working remotely because of the coronavirus, here are a few basic best practices mentioned in the Social-Engineer.org April Newsletter that can strengthen your organization’s security:

  • Don’t click on or download anything unless it is from a verified sender. Not sure? Call your fellow employee to verify.
  • Be vigilant about what information you give over the phone; remember, it’s OK to say no to requests that make you feel uncomfortable.
  • Lock your computer – especially if you work in a shared space.
  • Tech support scammers are targeting remote workers. Use caution before clicking on pop-up windows saying there is a security issue on your computer, or that operating systems need to be updated.
  • Maintain communication – don’t let your remote location make you lose communication with your fellow employees and employer. Staying in the loop makes you less likely to fall for a scam.

Don’t Get Fooled

As cybercriminals adapt and create new twists to old scams, we must adopt and adapt new security strategies as well. Now’s the time to implement security training that includes the human element! Social-Engineer, LLC can help!

Sources:
https://pdf.ic3.gov/2019_IC3Report.pdf/
http://www.www.social-engineer.com/
https://it.brown.edu/alerts/read/request-change-direct-deposit-information
http://www.www.social-engineer.com/services/
https://www.cnbc.com/2019/04/09/new-wire-fraud-scam-targets-your-direct-deposit-info-paycheck.html
https://www.ic3.gov/default.aspx
http://www.www.social-engineer.com/social-engineering-risk-assessment/
http://www.www.social-engineer.com/phishing-as-a-service-phaas/

Image:
https://its.uiowa.edu/news/it-security-office-warns-work-home-schemes
