When you hear the word “cyber-criminal” in conversation, your first instinct may be to picture masked hackers coding computer viruses. But what if you were told that some of the biggest cybersecurity risks you face today aren’t rooted in stereotypical malware and spyware attacks, but in deceptive tactics like payroll scams? With the abundance of personal information available online, cyber-criminals can easily impersonate victims to access sensitive data. While there are a variety of methods these scammers can use to lay claim to your hard-earned dollars, few are as cunning and inconspicuous as payroll scams.
Understanding Payroll Scams and Social Engineering
The Psychology Behind Social Engineering
Social engineering involves using psychological manipulation to convince individuals to share sensitive information, like pay stubs or IRS forms, instead of relying on software-based attacks to breach an organization’s network. Criminals target untrained employees within the company. By using social media platforms, such as LinkedIn, cyber-criminals can carefully observe an organization from afar, identify team members, gather contact information and plan their attack.
Email Spoofing: Exploiting Trust Within Organizations
After the identities of those team members have been established, the next step in most scammers’ playbooks is to spoof the email address of an employee. For the sake of brevity, simply know that spoofing entails the creation of a fraudulent email address, where the sender’s name is altered to reflect an individual from within the organization. As a result, when employees receive communication from a supposedly familiar source, they are less likely to question the authenticity of the email, increasing the chances they will respond to the solicitation. Take, for example, the forged email shown below. The scammer impersonates the CEO, exploiting the power dynamic within the organization. Tony, a finance team member, receives an urgent request to process an international payment from the fake CEO, who conveniently claims to be out of the country at the time. Without questioning the source, Tony complies out of a desire to advance within the company.
Peer-to-Peer Payroll Scams
Although the example above involves a management-employee relationship, a similar con can be run using a peer-to-peer relationship. In fact, many of these criminal groups have found more success targeting randomly chosen rank-and-file employees rather than the leadership team. Using the same email spoofing technique found in management-focused attacks, a cyber-criminal can use routine tricks to gain access to the finances of randomly selected employees. While there are several methods scammers can use to accomplish this, by far the most effective is the redirection of direct deposits. Rather than merely requesting pay stubs or other salary-related documents, these attacks go straight for the source of income. As seen in the example below, the scammer spoofs an email address, posing as a hard-working member of the organization. In the message, he or she contacts the payroll department and simply asks that the employee’s direct deposit information be updated to reflect a recent change in banking preferences. If the payroll staff member falls for this forged request, the real employee’s next paycheck is routed to the cyber-criminal’s bank account, ultimately costing the company thousands of dollars.
Becoming a Vigilant Communicator
The Importance of Vigilance in Payroll Scam Prevention
Because these payroll scams rely solely on persuasive communication, organizations can no longer simply depend on basic antivirus software and firewalls. Unlike standard malware and spyware, predicting where the next payroll-based attack will come from remains difficult. Therefore, to effectively reduce the risk of these attacks, every individual within an organization must ask how they can remain vigilant in all communication. Although this may seem daunting at first, Rocket IT has some easy-to-follow guidelines to accomplish this task.
Key Guidelines for Staying Secure
- Slow down. Instead of rushing to respond to suspicious emails, take your time. Carefully read the content, check for grammatical errors, and consider your past interactions with the sender.
- Check the alias. Examine the sender’s email address by clicking on their name. If it’s from a domain outside of your organization’s network, be cautious.
- Call the sender. If you have doubts about an email’s authenticity, especially regarding financial matters, contact the supposed sender directly by phone to verify.
- Don’t click. Don’t click on any links or files in emails from unverified sources. By clicking these items, you openly invite the hacker to install viruses on your devices, which can lead to problems far worse than a payroll scam.
- Enable multi-factor authentication. Use multi-factor authentication to add an extra layer of security to your accounts. This helps protect your information even if your username and password are compromised. To learn more about multi-factor authentication, its benefits, and how to set it up, click here.
- Expect that all communication is fake. Simply put, take extreme caution opening all emails. If you are not expecting an email from an individual, there is a very high possibility that it is fraudulent.
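As an added example (not part of the original post or Rocket IT's own tooling), the "check the alias" guideline and the direct-deposit scenario above expressed as a small Python triage script: it parses a raw message and flags a colleague's display name on an outside address, a Reply-To that diverts answers elsewhere, and banking-change wording in the body. ORG_DOMAIN, DIRECTORY, PAYROLL_KEYWORDS and the sample message are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed: the organization's mail domain and a display-name directory.
ORG_DOMAIN = "example.com"
DIRECTORY = {"jane doe": "jane.doe@example.com",      # constructed CEO entry
             "tony smith": "tony.smith@example.com"}  # constructed finance entry
PAYROLL_KEYWORDS = ("direct deposit", "bank account", "routing number", "wire")

def _domain(addr: str) -> str:
    """Lowercase domain part of an address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_message(raw: str) -> list:
    """Return warning strings for a raw RFC 5322 message (empty if clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    # 1. A colleague's display name on an address that is not theirs
    #    (the "check the alias" step), or any sender outside the org.
    known = DIRECTORY.get(name.strip().lower())
    if known and addr.lower() != known:
        warnings.append(f"display name '{name}' matches {known} but sender is {addr}")
    elif from_domain and from_domain != ORG_DOMAIN:
        warnings.append(f"sender domain {from_domain} is outside {ORG_DOMAIN}")
    # 2. Reply-To that diverts answers to a different domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        warnings.append(f"Reply-To {reply_addr} differs from From {addr}")
    # 3. Banking-change wording typical of direct-deposit redirection.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [k for k in PAYROLL_KEYWORDS if k in text]
    if hits:
        warnings.append("banking/payroll wording: " + ", ".join(hits))
    return warnings

# Constructed sample modelled on the direct-deposit request described above.
SPOOFED = """From: Tony Smith <tony.smith@example-mail.co>
To: payroll@example.com
Subject: Updated direct deposit info

Hi, I changed banks. Please update my direct deposit to the new account.
"""

if __name__ == "__main__":
    for w in check_message(SPOOFED):
        print("WARNING:", w)
```

A hit from this script is a prompt for the "call the sender" step, not a verdict: the real employee is reached on a known phone number before any payroll record changes.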