FBI Warns Employers About Phishing E-mails Targeting Payroll

Employers should be on the alert for e-mail phishing scams that target their online payroll accounts, the Federal Bureau of Investigation (FBI) warned recently.


Cybercriminals are using these e-mails to capture employees’ log-in credentials, the FBI explained in a September 18 public service announcement (I-091818-PSA). Once the cybercriminal obtains an employee’s credentials, those credentials are used to access the employee’s payroll account and change the bank account information. Direct deposits are redirected to the perpetrator’s account (often a prepaid card), and the account’s notification settings are changed so the employee is not alerted to the modifications.

Employers in a variety of industries have been affected by these schemes, especially education, healthcare, and aviation, according to the FBI. The bureau suggests the following steps to mitigate the threat of payroll diversion:

  • Alert and educate the workforce about such scams, including preventive strategies and appropriate reactive measures should a breach occur.
  • Instruct employees to hover their cursor over hyperlinks included in e-mails they receive to view the actual URL and make sure it actually relates to the company it purports to be from.
  • Instruct employees not to supply log-in credentials or personally identifying information in response to any e-mail.
  • Direct employees to forward suspicious requests for personal information to the information technology or human resources department.
  • Ensure that log-in credentials used for payroll purposes differ from those used for other purposes, such as employee surveys.
  • Apply heightened scrutiny to bank account change requests initiated by employees seeking to update or change their direct deposit information.
  • Monitor employee log-ins that occur outside normal business hours.
  • Restrict access to the Internet on systems handling sensitive information or implement two-factor authentication for access to sensitive systems and information.
  • Only allow required processes to run on systems handling sensitive information.
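Two of the FBI’s recommendations, monitoring off-hours log-ins and scrutinizing direct deposit changes, can be turned into a simple audit-log check. The following is an added example, not code from the FBI announcement or from this article; the log format, the event names (LOGIN, NOTIFY_OFF, DD_CHANGE), the business-hours window, and the sample log lines are all constructed assumptions for illustration.

```python
"""Added example (not from the FBI PSA or the article): apply two of the
listed mitigations to a payroll-portal audit log.

  * Flag log-ins outside normal business hours or from an IP address the
    user has not logged in from before.
  * Flag every direct-deposit change, and escalate to HIGH when the change
    happens in a session that started off-hours, came from an unseen IP,
    or disabled the account's notifications first (the pattern the PSA
    describes).

Log format, event names and the 07:00-19:00 business window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample audit log: "<ISO timestamp> <user> <event> <source ip>".
SAMPLE_LOG = """\
2018-09-17T08:30:00 bob LOGIN 10.1.4.25
2018-09-18T09:12:04 alice LOGIN 10.1.4.22
2018-09-18T09:40:31 alice VIEW_PAYSTUB 10.1.4.22
2018-09-18T23:17:45 bob LOGIN 203.0.113.77
2018-09-18T23:19:02 bob NOTIFY_OFF 203.0.113.77
2018-09-18T23:20:10 bob DD_CHANGE 203.0.113.77
2018-09-19T10:05:00 carol LOGIN 10.1.4.30
2018-09-19T10:07:12 carol DD_CHANGE 10.1.4.30
"""

BUSINESS_START = time(7, 0)   # assumed start of normal business hours
BUSINESS_END = time(19, 0)    # assumed end of normal business hours


def parse_log(text):
    """Parse the assumed four-field log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "ip": ip})
    return events


def is_off_hours(ts):
    """Weekends, or any time outside the business window, count as off-hours."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def analyze(events):
    """Return (severity, user, reason, timestamp) tuples in chronological order."""
    alerts = []
    seen_ips = defaultdict(set)  # IPs each user has previously logged in from
    session = {}                 # user -> risk flags gathered since last login
    for e in sorted(events, key=lambda e: e["ts"]):
        u, ev = e["user"], e["event"]
        if ev == "LOGIN":
            flags = []
            if is_off_hours(e["ts"]):
                flags.append("off-hours login")
            if seen_ips[u] and e["ip"] not in seen_ips[u]:
                flags.append("login from previously unseen IP")
            seen_ips[u].add(e["ip"])
            session[u] = list(flags)
            for f in flags:
                alerts.append(("MEDIUM", u, f, e["ts"].isoformat()))
        elif ev == "NOTIFY_OFF":
            # Silencing alerts right before a bank change is the PSA's pattern.
            session.setdefault(u, []).append("notifications disabled")
        elif ev == "DD_CHANGE":
            # Every direct-deposit change gets reviewed; context raises severity.
            reasons = ["direct-deposit change"] + session.get(u, [])
            severity = "HIGH" if len(reasons) > 1 else "MEDIUM"
            alerts.append((severity, u, "; ".join(reasons), e["ts"].isoformat()))
    return alerts


def run(text=SAMPLE_LOG):
    return analyze(parse_log(text))


if __name__ == "__main__":
    for alert in run():
        print(*alert)
```

On the sample log, alice produces no alerts, carol’s daytime direct-deposit change is a MEDIUM review item, and bob’s change is HIGH because his session began late at night from a new address and switched notifications off first. In a real deployment the window and the event names would come from the payroll provider’s audit export, and the HIGH alerts would feed the out-of-band verification step the FBI recommends for bank account changes.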