The end of winter marks the beginning of the push for some well-known scam techniques, but there are also some new ones on the scene. Scammers are targeting organizations large and small, as well as individuals, attempting to steal money and/or information. Below are some of the more common scams being reported around the world.
At the time of year when W-2s are being issued to employees, a common scam method is to impersonate the CEO or another executive and request documentation on all employees, supposedly to compare records. The targeted individuals are staff-level members of the HR and finance departments. The request often implies that employee Social Security numbers should be included in the report. Once the scammers receive the information, they begin to phish the employees directly and/or commit tax and/or identity fraud.
Organizations can combat this by: running strong awareness campaigns that educate all of their people on how to spot phishing emails; removing email from the workflow for processing and sharing confidential information; and requiring a secondary confirmation for any request for confidential information.
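One mechanical part of "spotting" the executive impersonation described above can be done before a person ever reads the message: check whether an inbound email borrows an executive's display name while its address, or its Reply-To, sits outside the organization's own domain. The following script is an added example written for this post, not the firm's own tooling; the executive names, the organization domain `example-corp.test`, and the sample headers are all constructed.

```python
"""Flag inbound mail that carries an executive's display name but comes from,
or replies to, an address outside the organization's own domain.

Added illustration for the W-2 impersonation scam described above; the
executive list, organization domain and sample messages are all constructed.
"""
from email.utils import parseaddr
from typing import Dict, List, Tuple

ORG_DOMAIN = "example-corp.test"                 # assumed organization domain
EXECUTIVES = {"Jane Doe", "John Roe"}            # constructed executive names


def _domain(address: str) -> str:
    """Lower-cased part after '@', or '' when the address has no domain."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _normalize(name: str) -> str:
    """Collapse case and spacing so 'JANE  Doe' matches 'Jane Doe'."""
    return " ".join(name.split()).lower()


def impersonation_flags(msg: Dict[str, str]) -> List[str]:
    """Return the reasons a message looks like executive impersonation (empty = none)."""
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    exec_names = {_normalize(n) for n in EXECUTIVES}
    reasons: List[str] = []
    if _normalize(from_name) not in exec_names:
        return reasons                           # no executive name borrowed
    # Lookalike domains (example-corp.co, webmail providers) all fail this test.
    if _domain(from_addr) != ORG_DOMAIN:
        reasons.append("executive display name on an address outside %s" % ORG_DOMAIN)
    # A genuine internal From header can still be redirected by Reply-To.
    if reply_addr and _domain(reply_addr) != ORG_DOMAIN:
        reasons.append("Reply-To directs answers outside %s" % ORG_DOMAIN)
    return reasons


def triage(messages: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Subject and reasons for every message that raised at least one flag."""
    flagged = []
    for m in messages:
        reasons = impersonation_flags(m)
        if reasons:
            flagged.append((m.get("Subject", ""), reasons))
    return flagged


# Constructed headers for the demo; these are not real messages.
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@example-corp.test>", "Subject": "Board deck"},
    {"From": "Jane Doe <ceo.janedoe@webmail.test>", "Subject": "Need all W-2s today"},
    {"From": '"Jane Doe" <jane.doe@example-corp.test>',
     "Reply-To": "jdoe.office@webmail.test", "Subject": "Employee list"},
    {"From": "John Roe <john.roe@example-corp.co>", "Subject": "Quick favor"},
    {"From": "Vendor Billing <billing@vendor.test>", "Subject": "Invoice 4471"},
]

if __name__ == "__main__":
    for subject, reasons in triage(SAMPLE_MESSAGES):
        print(subject, "->", "; ".join(reasons))
```

A flag is a reason to route the message to a person for a secondary confirmation, not proof of fraud on its own: an executive genuinely mailing from a personal address on a weekend will trip the same check, which is exactly when the out-of-band call back to a known number earns its keep.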
Employees may be targeted, directly or indirectly, by impersonation emails that appear to come from their bank(s) or other financial institutions, including credit card companies, benefit providers, and brokers. These emails are usually much simpler in nature. They may ask you to click a link that takes you to a page to confirm your username and password (sometimes the email will say that suspicious activity has been seen on your account). The link is not legitimate and exists solely to harvest your credentials. Other versions of these emails carry an attachment or a link to “important documents.” These links often download malware and install it on your computer. What the malware is and what it does varies widely.
Recipients can protect themselves by questioning any link or attachment received in an email, especially those that claim their purpose is to “verify” your information. Call the company directly or go to its website manually, using the information on your bill or on the back of your card.
All of these accounts should offer some form of two-factor authentication (2FA), and it should be set up for every account. It isn't a silver bullet, but it greatly increases the protection of an account if you accidentally provide your credentials. If your provider doesn't offer this option for your accounts, you should consider moving your business elsewhere. In today's security world, an organization that doesn't offer the option of 2FA is on the border of committing willful neglect.
HR and payroll departments are being targeted with a new scam. Fraudsters send emails and/or faxes that impersonate an employee and request a change to the banking information on record for the direct deposit of “their” paycheck. If the change is made, the direct deposit goes straight to the thieves' account. It's an effective scam because the organization sees the money as deposited, and many employees don't follow up on payday to confirm that their deposit arrived. In some instances this scam has succeeded for multiple pay cycles.
Organizations should treat employee and executive requests to change account information, whether internal or directed to the individual, with the same procedures, requiring a secondary confirmation method. In some instances of this scam the organization has absolved itself of responsibility, since it made the payment according to the information it received. This depended on how the change was requested: the individual's own account had been compromised and the individual had neglected to take proper action.
Another new scam, similar in nature to the one above, targets HR and payroll directly with “phantom employees.” Larger organizations, with offices and staff spread wide, are better targets for this one. HR and/or payroll receive a communication shortly after a payroll cycle saying that a recent new hire didn't receive his or her direct deposit. The “new employee” is sure it's a paperwork mistake and happily provides the information “again.” The individual is entered into the official record and receives payment through direct deposit regularly from then on.
Again, the key here is for individuals to confirm through a secondary channel. The request should reference a supervisor, and that supervisor should be able to confirm that the person in question was hired.
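The secondary-confirmation procedure behind both the direct-deposit change scam and the phantom-employee scam can be written down as a small control: a request, whatever channel it arrives by, only creates a pending ticket; a known employee's change is confirmed by calling the number already on file (never a number supplied with the request); a "missing deposit" claim from someone not on record is confirmed only by the supervisor it names, who must themselves be on record. The code below is an added example for this post, not any payroll vendor's API; the `Employee` record, the ticket life cycle, the `confirm_by_callback` and `confirm_by_supervisor` steps, and the sample staff data are all assumptions.

```python
"""Secondary-confirmation gate for payroll account changes and "missing
deposit" claims. Added illustration of the procedure described above; the
Employee record, ticket life cycle and the callback step are assumptions,
not a payroll vendor's API. Constructed sample data is in the demo at the end.
"""
import itertools
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Employee:
    employee_id: str
    phone_on_file: str              # captured at onboarding, never taken from a request
    supervisor_id: Optional[str]


@dataclass
class ChangeTicket:
    ticket_id: str
    employee_id: str
    new_account: str
    channel: str                    # "email", "fax", ... every channel is treated alike
    kind: str                       # "bank_change" (known employee) or "new_hire_setup"
    claimed_supervisor: Optional[str] = None
    status: str = "pending"         # pending -> confirmed -> applied, or rejected
    notes: List[str] = field(default_factory=list)


class PayrollChangeControl:
    def __init__(self, employees: Dict[str, Employee]):
        self.employees = employees
        self.tickets: Dict[str, ChangeTicket] = {}
        self.bank_accounts: Dict[str, str] = {}
        self._seq = itertools.count(1)

    def request_change(self, employee_id: str, new_account: str, channel: str,
                       claimed_supervisor: Optional[str] = None,
                       callback_number: Optional[str] = None) -> ChangeTicket:
        """Record the request only. Nothing reaches the bank-account table here."""
        kind = "bank_change" if employee_id in self.employees else "new_hire_setup"
        t = ChangeTicket(f"T{next(self._seq)}", employee_id, new_account, channel,
                         kind, claimed_supervisor)
        if callback_number:
            t.notes.append("phone number supplied with the request ignored; number on file is used")
        if kind == "new_hire_setup" and claimed_supervisor not in self.employees:
            t.status = "rejected"
            t.notes.append("named supervisor is not on record; possible phantom employee")
        self.tickets[t.ticket_id] = t
        return t

    def confirm_by_callback(self, ticket_id: str, number_dialed: str,
                            employee_confirmed: bool) -> ChangeTicket:
        """HR phones the number already on file and asks whether the change is genuine."""
        t = self.tickets[ticket_id]
        if t.status != "pending" or t.kind != "bank_change":
            return t
        if number_dialed != self.employees[t.employee_id].phone_on_file:
            t.status = "rejected"
            t.notes.append("callback was not made to the number on file")
        elif not employee_confirmed:
            t.status = "rejected"
            t.notes.append("employee denies requesting the change")
        else:
            t.status = "confirmed"
        return t

    def confirm_by_supervisor(self, ticket_id: str, supervisor_id: str,
                              was_hired: bool) -> ChangeTicket:
        """The supervisor named in a new-hire claim vouches (or not) for the hire."""
        t = self.tickets[ticket_id]
        if t.status != "pending" or t.kind != "new_hire_setup":
            return t
        if supervisor_id != t.claimed_supervisor:
            t.status = "rejected"
            t.notes.append("confirmation came from someone other than the named supervisor")
        elif not was_hired:
            t.status = "rejected"
            t.notes.append("supervisor does not recognise the hire; possible phantom employee")
        else:
            t.status = "confirmed"
        return t

    def apply(self, ticket_id: str) -> bool:
        """Write the account only for a confirmed ticket; returns False otherwise."""
        t = self.tickets[ticket_id]
        if t.status != "confirmed":
            return False
        self.bank_accounts[t.employee_id] = t.new_account
        t.status = "applied"
        return True


if __name__ == "__main__":
    # Constructed staff records for the demo.
    staff = {"E1": Employee("E1", "+1-555-0100", "E9"),
             "E9": Employee("E9", "+1-555-0199", None)}
    ctl = PayrollChangeControl(staff)
    t = ctl.request_change("E1", "ACCT-9001", "email", callback_number="+1-555-0911")
    print(ctl.apply(t.ticket_id))       # False: an email alone never changes an account
    ctl.confirm_by_callback(t.ticket_id, "+1-555-0911", employee_confirmed=True)
    print(t.status, t.notes)            # rejected: the number dialled was not the one on file
```

The design point is that the channel of the request carries no weight at all: email, fax and a friendly "new hire" phone call all land in the same pending state, and the only inputs that can move a ticket to `confirmed` are facts the organization already held before the request arrived (the phone number on file, the supervisor on record).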
These scams are current; some are new, some old with a new twist. That doesn't take away from all of the ones we already know that are still being perpetrated. The key is to remember the fundamentals. The majority of fraud isn't prevented by technology but by having strong policies and procedures in place. Secondary confirmations are one of the simplest and most effective.
For more information, contact Karl Kispert, Principal of Cyber & Information Security, at firstname.lastname@example.org or 212.223.5037, or Tom Pioreck, Security Supervisor, at Tpioreck@grassicpas.com or 212.223.5007.
This blog is by Karl Kispert (pictured), Principal of Cyber & Information Security, at the New York City office of the CPA firm of Grassi & Co.