Payroll diversion is a type of business email compromise (BEC) attack in which a scammer manipulates payroll details in order to divert direct deposit payments to a fraudulent account. While vulnerabilities in payroll software pose a risk, the most common method for scammers is to use social engineering and BEC tactics to impersonate employees, HR and finance departments, and payroll vendors. These payroll scams have become a top lure for attackers, as the payoff is substantial.
Payroll fraud is a long-standing problem, so it’s not surprising that thieves have added BEC attacks to their arsenal. According to the Association of Certified Fraud Examiners, payroll fraud occurs in 14.2% of small businesses (<100 employees) and 7.6% of large businesses (>100 employees). 39% of these payroll schemes were in the Services (professional) industry and government. On average, payroll schemes go undetected for 24 months with an average loss of $2,600 per month.
Focused research and extensive social engineering are keys to a scammer’s success. These attackers are impersonating real employees in their familiar tone and communication style, while correctly identifying and deceiving appropriate representatives in HR or accounting. Scammers are continuously refining their skills in mimicking the look, tone, and conversant nature of employees’ communications.
Similar to other BEC scams, fraudsters build a profile using social engineering and phishing tactics, often with information gathered from the company website, LinkedIn, and social media sites. They may steal an employee’s login details and send from the legitimate email account, or they may send from a lookalike address that appears almost identical to the employee’s real one.
To make matters worse, the arrival of generative AI models like ChatGPT is a force multiplier that enables bad actors to create very compelling content (see: “Why Is ChatGPT a Potentially Dangerous Tool for Cybercriminals”).
Once attackers compromise an email account, they can email the organization’s payroll, finance, or human resources department with new routing and bank account numbers directing future payments to an account owned by the attacker. Those fraudulent account details route funds to pre-paid cards or to bank accounts that are quickly emptied and dispersed to eliminate any chance of payment reversal.
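The two delivery paths described above (a lookalike sender address, or a genuinely compromised internal account) call for a mail-side check that holds any direct-deposit change request for out-of-band verification regardless of how trustworthy the sender looks. The following Python triage routine is an added example, not IRONSCALES code or anything from the original article: it flags payroll-change language in the subject or body, compares the sender domain against the organisation's own domain by edit distance to catch near-miss lookalikes, and returns a recommended action. The domain `example-corp.com`, the keyword list and the sample emails are all constructed for this illustration.

```python
import re
from dataclasses import dataclass

# The organisation's legitimate mail domain (assumed value for this example).
ORG_DOMAIN = "example-corp.com"

# Phrases typical of a direct-deposit change request
# (constructed list; tune it to your own payroll vocabulary).
PAYROLL_CHANGE_PATTERNS = [
    r"\bdirect deposit\b",
    r"\brouting (number|no\.?)\b",
    r"\baccount number\b",
    r"\b(update|change) (my )?(bank|banking|payroll)\b",
]


@dataclass
class Email:
    sender: str   # address taken from the From: header
    subject: str
    body: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute; cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def is_lookalike_domain(domain: str, trusted: str = ORG_DOMAIN, max_distance: int = 2) -> bool:
    """True when the domain is a near miss of the trusted one (swapped, dropped or
    substituted characters) but not the trusted domain itself."""
    domain = domain.lower()
    return domain != trusted and levenshtein(domain, trusted) <= max_distance


def is_payroll_change_request(text: str) -> bool:
    """True when the text contains direct-deposit / bank-change language."""
    return any(re.search(p, text, re.IGNORECASE) for p in PAYROLL_CHANGE_PATTERNS)


def triage(email: Email) -> dict:
    """Classify one message and recommend an action for the payroll/HR mailbox.

    Any payroll-change request is held for out-of-band verification, even from an
    internal address, because a compromised legitimate account passes every
    sender check. Lookalike domains are flagged on their own as well.
    """
    reasons = []
    if is_payroll_change_request(email.subject + "\n" + email.body):
        reasons.append("payroll-change-request")

    domain = sender_domain(email.sender)
    if is_lookalike_domain(domain):
        reasons.append("lookalike-domain")
    elif domain != ORG_DOMAIN:
        reasons.append("external-sender")

    if "payroll-change-request" in reasons:
        action = "hold-for-verification"   # confirm by phone/in person via known contact details
    elif "lookalike-domain" in reasons:
        action = "flag-lookalike"
    else:
        action = "deliver"
    return {"sender": email.sender, "action": action, "reasons": reasons}


# Constructed sample messages for a dry run.
SAMPLE_EMAILS = [
    Email("jane.doe@examp1e-corp.com", "Direct deposit update",
          "Hi, I changed banks. Please update my direct deposit to the routing "
          "number and account number below before the next pay run."),
    Email("jane.doe@example-corp.com", "Quick payroll question",
          "Can you change my bank details for payroll? New routing number attached."),
    Email("jane.doe@example-corp.com", "Team lunch",
          "Are we still on for lunch Friday?"),
    Email("recruiter@gmail.com", "Hello",
          "Saw your profile, let's connect."),
]

if __name__ == "__main__":
    for msg in SAMPLE_EMAILS:
        print(triage(msg))
```

Note that the second sample comes from the real internal address and still ends up held: the verification step, not the sender check, is what defeats a compromised account, which matches the article's point that process and awareness matter more than trusting the From: line.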
The best way to avoid payroll diversion scams is to continuously educate your staff at all levels about payroll diversion (and other BEC) tactics. While the HR and payroll representatives are the key to a successful scam, all employees are at risk of having their income diverted.
Protect Against Payroll Diversion Fraud with BEC Security Solutions from IRONSCALES