EXECUTIVE SUMMARY:

Hackers follow money, and payroll system theft is yet another avenue for cybercrime.

The FBI’s Internet Crime Complaint Center (IC3) reported that between Jan. 1st, 2018 and June 30th, 2019, cyber thieves used payroll diversion schemes to steal $8.3 million. This was the cause of an 815% increase in direct deposit change requests during this period. While payroll fraud frequently targets finance, tax, payroll, and human resources employees, any business is susceptible to this hack.

Phishers use business email compromise (BEC) scams to target payroll and human services, gaining access to a company’s payroll system. One tactic is to get employees to willingly divulge personal or financial information to allow system access.

Social engineering strategies are also used with W-2 phishing and direct deposit scams, which thrive in tax season. Cybercriminals target individuals’ W-2 information, such as address, Social Security number, or name, to file fraudulent tax returns or sell the data on the dark web.

Direct deposit scams use falsified employee emails to ask for changes or updates to direct deposit payroll information. If employers mistakenly reply, the hackers now have the bank account and routing information of the company.

Recommended measures to prevent payroll fraud include conducting regular audits and assessments, implementing email security measures, and increasing employee awareness about phishing and social engineering tactics.

To learn more about payroll fraud and how to prevent it, check out this article from HashedOut.