Email Security Blog

New Trend Sees BEC Gangs Focus on Executives for Payroll Diversion Scams

James Linton January 15, 2019 BEC
Payroll

Human resources departments are the epitome of task ownership, carefully and efficiently connecting an organization’s needs with that of its employees. Employees in HR are tasked with recruitment, onboarding, and employee relations, and oftentimes handle payroll and benefits. Because of their wide reach, threat actors are now turning their attention to this organizational pipeline as they continue to evolve their employee-to-employee attack vectors.

The Agari Cyber Intelligence Division (ACID) has recently observed a considerable increase in attempts to divert payroll through the use of social engineering techniques. These criminal gangs have invested a great deal of resources into researching and establishing organizational hierarchies, and are undoubtedly looking to secure a return on that investment, even if a previous attempt at business email compromise has proven unsuccessful.

Assuming the identity of the CEO seems to be the preferred tactic for the threat actors, but there is no reason that this type of payroll fraud attack cannot utilize the identity and role of any employee within a company. As the primary aim is to divert a monthly salary payment to a bank account the criminal gang controls, it’s logical they would ideally purport to be those most likely to receive the highest compensation.

Like what happens in most other business email compromise attacks, these adversaries set up a temporary email account and switch the display name to the name of the individual they are attempting to impersonate. Once the fraudulent account has been created, an email is sent to someone within the payroll organization—typically within the finance or human resources departments.

In this initial email, the attacker requests to make a change to their existing payroll direct deposit account details and asks what is required to process the change.

payroll scam example

From this point, the threat actor will be thinking on their feet to a certain extent; their main aim is to avoid being directed to any online third-party HR solution that would require access details they do not possess. Knowing this, any attempts to add undue urgency or absolve themselves of the ability to complete the usual process should immediately trigger a red flag. It should also be noted that the threat actors are not phased by being asked to provide a voided check displaying the new accounts details, and have successfully provided these when requested of them.

payroll scam example 2

By avoiding third-party systems and asking for help from the human resources employee, the threat actor can control the entire situation and successfully divert pay into the fake account they own. Depending on how the real employee checks their bank account, this scheme can continue for weeks, or even months, before the attack is caught.

Overall, we advise all organizations—large and small—to evaluate their current processes for updating payroll details. If a two-factor online system is not being used, we recommend ensuring an element of human contact is established before completion of the request, in addition to checking that email address is from a legitimate source. As with all email attacks, one can never be too careful.

Leave a Reply

Your email will not be published. All fields are required.

Agari Blog Image

July 7, 2020 Crane Hassold

Cosmic Lynx: A Russian Threat Hits the BEC Scene

“At some point, Russian and Eastern European cybercriminals are going to start thinking to themselves,…

Agari Blog Image

June 30, 2020 Michael Paiko

Agari Summer '20 Release: CISOs Gain Unique Threat Intel to Their Organizations

With business email compromise (BEC) scams up sharply amid the coronavirus pandemic, CISOs have been…

Agari Blog Image

June 22, 2020 Michael Paiko

Forrester: Agari Phishing Defense™ Works a 97% ROI Over Three Years

A new Total Economic Impact (TEI) Study from Forrester finds that Agari Phishing Defense™ (APD)…

Agari Blog Image

May 29, 2020 Ronnie Tokazowski

Business Email Compromise (BEC): W2 Scams Make an Unexpected Comeback in 2020

After barely registering a pulse last year, W2-based business email compromise (BEC) scams are back…

Agari Blog Image

May 19, 2020 Crane Hassold

Scattered Canary Cybercrime Ring Exploits the COVID-19 Pandemic with Fraudulent Unemployment and CARES Act Claims

Recently, news broke about how a sophisticated Nigerian cybercriminal organization has been committing mass unemployment…

mobile image