Requests to change an employee's banking information are a common type of fraud nowadays. Unfortunately, any company, regardless of its size or industry, is at risk of being attacked by scam artists.
The criminals will often use tactics that make their requests appear valid, and a successful request will result in financial losses for your company.
This particular scam involves a criminal masquerading as an employee who wants their banking information changed to a new bank, transit and account number. The scammer’s goal is to obtain your direct deposit bank account information. They then use that information to redirect your employee's pay into a different bank account that they can access. If the payroll or finance department acts on a fraudulent request, the legitimate employee's next pay is deposited into the criminal's bank account.
Employers may first become aware of this scam when employees start complaining that their pay is missing, by which time the money is already gone.
What can you do to protect your organization?
Before acting on any request of this nature, be sure to confirm the identity of the person making the request. This can be done in a number of ways, including speaking with them in person or on the phone, or emailing them directly in a separate email (replying to the email requesting the banking information change is not recommended, as the originating email could belong to the scammers).
There are other things that small businesses can do to detect and avoid fraud:
- Hover the cursor over the sender’s email address, which should bring up a “mouseover” box containing the sender’s actual email address. Inspect it for irregularities that could signal spoofing.
- Use email’s “forward” feature rather than “reply.” “Forward” forces the user to type in a known and trusted email address, whereas “reply” will respond directly to the phisher.
- In a suspected phish, do not click links or respond to a text message requesting personal or financial information like credit card numbers, Social Security numbers or other banking information. It is best practice to contact the company directly by typing a known URL into your Internet browser, and not to use information contained in the suspect email/text.
- Do not open attachments in a suspected phish. Do not call phone numbers contained in a suspected phish.
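The sender checks behind the hover and reply-versus-forward tips above can also be run over a message's headers. This is an added Python example, not part of the original article; the `example.com` company domain, the flag names and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: your organization's mail domain
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def domain_of(address):
    return address.rpartition("@")[2].lower()

def sender_flags(raw_message, company_domain=COMPANY_DOMAIN):
    """Return the reasons the sender fields of one message look irregular."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()
    if not from_addr:
        return ["unparseable-from"]
    flags = []
    # The actual address (what the mouseover box shows) is outside the company.
    if domain_of(from_addr) != company_domain:
        flags.append("from-domain-not-company")
    # The display name shows one address while the real sender is another.
    shown = ADDR_RE.search(display)
    if shown and shown.group(0).lower() != from_addr:
        flags.append("display-name-shows-other-address")
    # "Reply" would go to a different mailbox than the apparent sender.
    if reply_addr and reply_addr != from_addr:
        flags.append("reply-to-differs-from-sender")
    return flags

# Constructed sample messages (not real traffic).
SAMPLES = {
    "legit": "From: Jane Doe <jane.doe@example.com>\n"
             "Subject: New bank details\n\nPlease update my account.",
    "display_spoof": 'From: "jane.doe@example.com" <jdoe.hr@mailbox.invalid>\n'
                     "Subject: New bank details\n\nPlease update my account.",
    "reply_redirect": "From: Jane Doe <jane.doe@example.com>\n"
                      "Reply-To: jane.doe@payroll-update.invalid\n"
                      "Subject: New bank details\n\nPlease update my account.",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, sender_flags(raw) or "no sender irregularities")
```

An empty result does not confirm the request: a message sent from a compromised employee mailbox passes all three checks, so the identity confirmation described earlier still applies.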
An important note is that any company is vulnerable to this scam regardless of how it protects its payroll, as criminals use elaborate ways to take advantage of an unsuspecting recipient of the above-mentioned requests.
Original source: www.ipayables.com/category/news-blog