An upward trend has been recorded with business email compromise (BEC) scams where fraudsters trick human resource departments into changing an employee’s direct deposit information to divert paychecks into an account they control.
In a typical BEC scam, the fraudster sends an email to an employee authorized to make wire transfers and deceives them into sending the money into an unauthorized account.
Email security company Agari says it is seeing a noteworthy increase in BEC attempts to divert monthly wages. The FBI issued a warning last year about this type of fraud, based on complaints that cybercriminals were targeting online payroll accounts.
The underlying principle remains the same, only this time the victim could be anyone in the company. An email from an address whose display name is the victim's is sent to someone in the finance or human resources department requesting a change to the details of the existing direct deposit account; the crook also asks what information is needed to complete the process.
“From this point, the threat actor will be thinking on their feet to a certain extent; their main aim is to avoid being directed to any online third-party HR solution that would require access details they do not possess,” James Linton of Agari says in a blog post today.
He notes that asking the crook for a voided check to verify the new account details does not deter them. They can play the social engineering card again, as seen in the email capture below:
Real case scenario
A scam of this type was described recently on Twitter by Sumit Kumar. The victim was a friend of his who was hunting for an apartment in Germany.
He found one on a dedicated website that asked him to verify his identity and income by uploading his ID and his latest income statements, something Kumar says is standard practice when looking for an apartment in Germany.
It all started with a friend searching for an apartment on German website @Immobilienscout. To verify his identity and income he had to upload his ID and the last two income reports from his employer – standard practice in German apartment hunting.
— Sumit Kumar (@TweetsOfSumit) January 8, 2019
The victim’s mistake was that they didn’t obscure the details that allowed the attacker to run the scam: bank account, employer name, employee number, signature, and the info on their ID card.
The crook used these details to send a fax to the company's HR department asking that the victim's salary be sent to a different account. No suspicions were raised because all the data the attacker provided was legitimate.
Only the account holder's name was out of place, but that was irrelevant as long as the account number was valid. The scammer also had the original account number, which made the request look genuine. HR ended up diverting two paychecks to the crook's account. In many cases, a prepaid card is attached to such an account.
Agari advises companies to evaluate their verification process for updating payroll information.
“If a two-factor online system is not being used, we recommend ensuring an element of human contact is established before completion of the request, in addition to checking that the email address is from a legitimate source,” Linton says.
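The controls described above, written out as a simple policy check that HR could run on an emailed direct-deposit change request. This is an added example, not Agari's tooling or code from the article; the employee directory, the request fields and the `callback_confirmed` flag are constructed assumptions, and a faxed request like the one in the Twitter case would need the same name and callback checks without the sender-address test.

```python
"""Policy check for direct-deposit change requests (added example, not Agari's tooling).

Models the controls the article describes: the sender address must be the
employee's address on file (a familiar display name proves nothing), the new
account holder's name must match the employee, and the change is finalized only
after out-of-band confirmation through contact details already on file, never
through contact details supplied in the request itself.
All employee records and requests below are constructed sample data.
"""
from dataclasses import dataclass
from email.utils import parseaddr


@dataclass
class Employee:
    employee_id: str
    name: str
    email: str            # corporate address on file
    phone_on_file: str    # HR calls this number, never one given in the request


@dataclass
class ChangeRequest:
    from_header: str      # raw "From:" header as received
    claimed_employee_id: str
    new_account_holder: str
    callback_confirmed: bool = False   # True only after HR reached phone_on_file


# Constructed sample directory (hypothetical employee)
DIRECTORY = {
    "E1001": Employee("E1001", "Jane Doe", "jane.doe@example.com", "+1-555-0100"),
}


def review_request(req: ChangeRequest, directory: dict) -> list:
    """Return the reasons the request must NOT be processed (empty list = OK)."""
    problems = []
    emp = directory.get(req.claimed_employee_id)
    if emp is None:
        return ["unknown employee id"]
    display_name, addr = parseaddr(req.from_header)
    # Spoofed requests typically show the victim's name over a foreign mailbox.
    if addr.lower() != emp.email.lower():
        problems.append(f"display name {display_name!r} but sender {addr!r} "
                        "is not the employee's address on file")
    # In the case described, a stranger's name sat on a valid account number.
    if req.new_account_holder.strip().lower() != emp.name.lower():
        problems.append("account holder name does not match employee")
    # Human contact through a channel the requester did not supply.
    if not req.callback_confirmed:
        problems.append("no out-of-band confirmation via phone on file")
    return problems
```

A request passes only when all three checks are clean; any non-empty result should hold the change until HR has spoken to the employee on the number already on file.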
BEC scams are a very lucrative business, with some companies losing millions of dollars to them. An advisory from the FBI last summer states that between October 2013 and May 2018, estimated worldwide losses due to this type of fraud exceeded $12 billion.