The end of January marks the beginning of the push for some known scam techniques, but there are also some new ones on the scene. Scammers are targeting organizations large and small, as well as individuals, attempting to steal money and/or information. Below are some of the more common scams that are being reported around the world.
This is the time of year when W-2s are being issued to employees. A common scam method is to impersonate the CEO or another executive leader, requesting documentation on all employees in order to "compare records." The targeted individuals at organizations are staff-level members of the HR and finance departments. The request often implies that the report should include employee social security numbers. Once the scammer receives the information, they begin to directly phish the employees and/or begin tax and/or identity fraud.
Organizations can combat this by: running strong awareness campaigns that educate all of their people on how to spot phishing emails; removing email from the workflow for processing and sharing confidential information; and requiring a secondary confirmation for any request for confidential information of any type.
Employees may be targeted, directly or indirectly, by impersonation emails that appear to come from their bank(s) or other financial institutions; this includes credit card companies, benefit providers, and brokers. These emails are usually much simpler in nature. They typically ask you to click a link that will take you to a page to confirm your username and password (sometimes the email will say that suspicious activity has been seen on your account). The link is not legitimate and is solely being used to harvest your credentials. Other forms of these emails will have an attachment or a link to "important documents." These links often download malware and install it on your computer. The possibilities of what the malware is and what its purpose is are too numerous to get into here.
Protect yourself by questioning any link or attachment you receive in an email, especially those that claim their purpose is to "verify" your information. Call the company directly or manually go to its website, using the contact information from your bill or the back of your card.
All of these accounts should offer some form of 2FA, or two-factor authentication. Set it up for all of your accounts. It isn't a silver bullet, but it greatly increases the protection of your account if you were to accidentally provide your credentials. If your provider doesn't offer this as an option for your accounts, you should consider moving your business elsewhere. In today's security world, an organization that doesn't offer the option of 2FA is on the border of committing willful neglect.
HR and payroll departments are being targeted with a new scam. Fraudsters are sending emails and/or faxes that impersonate an employee; the request is to change the banking information on record for the direct deposit of "their" paycheck. If the change is made, the direct deposit goes straight to the thieves' account. It's an effective scam since the organization sees the money as having been deposited, and many employees don't follow up on payday to confirm that their deposit has been made. There have been some instances where this scam has been successful for multiple pay cycles.
Organizations should treat employee and executive requests for changes to account information, whether made internally or to the individual, with the same procedure: require a secondary confirmation method. In some instances of this scam the organization has been able to absolve itself of responsibility, since it made the payment according to the information it received; this depended on how the change was requested, as the individual's own account had been compromised and they had neglected to take proper action.
Another new scam, similar in nature to the one above, targets HR and payroll directly with "phantom employees." Larger organizations, with offices and staff spread widely, are better targets for this one. HR and/or payroll receive a communication shortly after a payroll cycle that a recent new hire didn't receive their direct deposit. The "new employee" is sure that it's a mistake with the paperwork and happily provides the banking information "again." The individual is entered into the official record and payment is received through direct deposit regularly.
Again, the key here is a secondary confirmation. The request should reference a supervisor, and that supervisor should be able to confirm that the person in question was actually hired.
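The secondary-confirmation control described for both the direct-deposit change scam and the phantom-employee scam can be enforced in the payroll workflow itself. The following is an added example, not code from the original post; the record layout and the constructed sample records are assumptions, and the checks hold any change that lacks an out-of-band confirmation, any new hire not confirmed by a supervisor, and any destination account that several employees suddenly share.

```python
"""Payroll-control checks implementing the 'secondary confirmation' rule.
Added example with constructed data; not the original post's code."""
from collections import defaultdict

# Constructed sample records (assumed layout, not real data).
# 'confirmed' means the change was verified out-of-band (phone or in person),
# not merely received by email or fax.
DEPOSIT_CHANGES = [
    {"employee": "E100", "account": "ACCT-A", "confirmed": True},
    {"employee": "E101", "account": "ACCT-B", "confirmed": False},
    {"employee": "E102", "account": "ACCT-B", "confirmed": False},
]
# 'supervisor_confirmed' means the named supervisor verified the hire.
NEW_HIRES = [
    {"employee": "E200", "supervisor": "M10", "supervisor_confirmed": True},
    {"employee": "E201", "supervisor": None, "supervisor_confirmed": False},
]


def flag_deposit_changes(changes):
    """Return (employee, reason) pairs for changes that must be held."""
    findings = []
    owners = defaultdict(set)  # destination account -> employees requesting it
    for c in changes:
        owners[c["account"]].add(c["employee"])
    for c in changes:
        if not c["confirmed"]:
            findings.append((c["employee"], "no secondary confirmation"))
        if len(owners[c["account"]]) > 1:
            # One account receiving several paychecks is a diversion pattern.
            findings.append((c["employee"], "account shared by several employees"))
    return findings


def flag_new_hires(hires):
    """Return (employee, reason) pairs for hires lacking supervisor confirmation."""
    findings = []
    for h in hires:
        if not h["supervisor"] or not h["supervisor_confirmed"]:
            findings.append((h["employee"], "hire not confirmed by supervisor"))
    return findings


if __name__ == "__main__":
    for emp, why in flag_deposit_changes(DEPOSIT_CHANGES) + flag_new_hires(NEW_HIRES):
        print(f"HOLD {emp}: {why}")
```

Only E100 passes, because its change was confirmed out-of-band and its account is unique to that employee.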
These are the current scams: some new, some old with a new twist. That doesn't take away from all of the ones that we know and love, which are still being perpetrated. The key is to remember the basic fundamentals. The majority of fraud isn't prevented by technologies, but by having strong policies and procedures in place. Secondary confirmations are one of the simplest and most effective.