Hackers are now out to reroute the direct deposit of your paycheck into accounts controlled by the cyber crooks.
So, take a little extra time to verify that your paycheck hit your bank account. And beware of any official-looking emails related to company surveys, too.
According to the latest alert from the FBI, cybercriminals have been targeting online payroll accounts at school districts, universities, hospitals and commercial airway transportation.
Yet scammers have been known to target all types of businesses using all types of payroll providers, according to a report last year in PYMTS.com.
In some cases, employers discover the payroll-related scam only when employees start complaining that they did not receive their money via direct deposit.
The FBI reportedly has observed an increase of such scams. In 2017, the FBI and the Internet Crime Complaint Center identified about 17 payroll-related scam cases.
As of July, though, about 47 payroll diversion cases — with losses totaling $1 million — had been reported.
The scam starts out with a phishing email that aims to trick someone into handing over an employee’s login credentials. Scammers will use social engineering to make emails look real, and they might appear to come from an address similar to a legitimate company account.
The credentials can then be used to access the employee’s payroll account in order to change the direct deposit. The crooks typically have that money directly deposited onto prepaid cards.
The crooks then use the prepaid bank cards to withdraw cash from ATMs. Or they may make purchases at gas stations, grocery stores, retail stores, fast food restaurants and wireless phone carriers.
Atlanta Public Schools, for example, had to reissue 27 paychecks last year after cyber thieves engineered a payroll attack, according to a report in the Atlanta Journal-Constitution. Scammers stole about $56,000 in payroll.
The FBI is warning employers to alert their staff about such schemes. Employees should not supply log-in credentials or personally identifying information in response to any email.
Some other tips:
- Log-in credentials used for payroll should be different from those used for other purposes, such as employee surveys.
- Companies should be on the lookout for employee log-ins that take place outside of normal business hours.
- Employers should direct employees to forward any suspicious requests for personal information to the information technology or human resources department.
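An added example, not part of the FBI alert or the original story: one way a payroll or IT team could act on the off-hours tip is to review the portal's audit log for log-ins outside business hours and give priority to any that are followed by a direct deposit change. The log format, the event names, the 8 a.m. to 6 p.m. weekday window and the one-hour follow-up window are all assumptions, and the sample log is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample audit log (not real data): ISO timestamp, user, event
SAMPLE_LOG = """\
2018-09-17T09:12:00,akim,login
2018-09-17T09:20:00,akim,deposit_change
2018-09-18T02:41:00,bjones,login
2018-09-18T02:44:00,bjones,deposit_change
2018-09-22T14:05:00,cdiaz,login
2018-09-19T23:30:00,dlee,login
"""

def parse(log_text):
    """Yield (timestamp, user, event) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def is_off_hours(ts, start_hour=8, end_hour=18):
    """True on weekends or outside start_hour..end_hour (assumed local time)."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)

def review_logins(log_text, window=timedelta(hours=1)):
    """Return (off_hours_logins, high_priority).

    off_hours_logins: every (user, time) log-in outside business hours.
    high_priority: (user, login_time, change_time) where a direct deposit
    change followed an off-hours log-in within `window`.
    """
    off_hours, high, last_off = [], [], {}
    for ts, user, event in sorted(parse(log_text)):
        if event == "login":
            if is_off_hours(ts):
                off_hours.append((user, ts))
                last_off[user] = ts
            else:
                last_off.pop(user, None)  # a business-hours log-in resets state
        elif event == "deposit_change" and user in last_off:
            if ts - last_off[user] <= window:
                high.append((user, last_off[user], ts))
    return off_hours, high
```

On the sample log this lists three off-hours log-ins and escalates only the one that was followed minutes later by a direct deposit change.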
We’ve warned in the past that scammers had been spoofing emails to pretend to be the CEO or some other top executive at the company and demanding a long list of W-2 files via PDF format. Immediately.
Beware phishing emails, calls
The Internal Revenue Service issued an alert a few years ago to payroll and human resources professionals warning them to think twice about responding so quickly to the boss. Some of that information could be used to file fake tax returns to generate fraudulent tax refunds.
But this latest development is another warning that we all have to watch out, once again, for phishing emails that could expose information to be used to divert paychecks to crooks.
Sometimes, according to payroll experts, this phishing email may request that an employee answer a brief survey and hit “confirm.” The problem is that the employee is then directed to enter their credentials in an online form to confirm their identity.
Authorities also noted that in some cases, cyber crooks might pick up the phone to call the employee resource hotline, provide the employee ID number and the last four digits of the Social Security number to reset a password, as part of the process to redirect the direct deposit.
No doubt, plenty of paychecks continue to be directly deposited into accounts without any problems. But the latest warning gives us reason not to take too much for granted any longer.
Contact Susan Tompor: firstname.lastname@example.org or 313-222-8876. Follow Susan on Twitter @Tompor.