Did That Employee REALLY Just Provide New Direct Deposit Info?
Three weeks ago, the person who processes payroll for your organization received an email explaining someone on your team needed to update their direct deposit info. That info was updated in your accounting/payroll system and life moved on. Today, that same person is asking you why they haven’t been paid for the past two pay periods. This is a scenario we’ve seen organizations run into numerous times.
After some digging, you find the email from three weeks ago appears legitimate (it’s addressed to the correct person, it appears to be from the correct email address, the signature block is identical to your company’s standard, there are no glaring grammatical errors, etc.). So, on one hand you have what appears to be a legitimate email request to update direct deposit information and on the other an employee who claims to have not been paid. What gives?
Well, our team has seen several variations of this conundrum, but one is the email was in fact sent from the now unpaid employee’s email account, but not by the actual employee. In other words, a malicious actor gained access to the employee’s email account, determined who the payroll contact for the company was by either looking at your website or digging through past emails, copied the employee’s email signature, mimicked the employee’s writing style based on other sent emails, and made the request.
Aside from addressing the vulnerability of having an email account become compromised, what are you and your organization doing to make sure everyone on your team is aware of these types of scams? Does everyone know that banking account information should NEVER be sent via plain text email? Does accounting/HR know to ALWAYS confirm updates to direct deposit info in person or via a phone call that includes some sort of verification process?
Sometimes this scam is enacted by what’s called email spoofing (a scenario where the malicious actor doesn’t really have/need access to one of your organization’s email accounts, but instead makes the email appear to be from a legitimate address). Does everyone on your team understand what email spoofing is, and do they know what to look out for? Are you testing your employees with email phishing campaigns to know which employees are your weakest links?
These are all things our team can help you think through and mitigate, so please, reach out to begin (or continue) that conversation.
All the Best,
The EON Team