BEC scammers add payroll diversion to their repertoire

All the attention the most typical BEC scams have been receiving in the last few years must have affected their effectiveness and forced scammers to come up with new ways for extracting money from companies.

BEC scammers payroll diversion

Late last year the FBI warned about scammers tricking employees into sharing their login credentials, then using the acquired credentials to access the employee’s payroll account and change the bank account to which the pay is directed.

The deception can’t last long, as most employees soon notice that they haven’t received their salary. Still, the scammers can manage to get their hands on at least some money.

A variant of the attack aimed at HR or finance employees

If the scammers can’t trick employees into giving up their login credentials, they can attempt to go the Human Resources (HR) route.

HR employees often handle payroll and benefits and tricking them into changing an employee’s bank account information might be a more efficient approach, especially if two-factor authentication is enabled on the system.

The attacker creates an email account, makes it look like it belongs to the individual they are attempting to impersonate, and contacts the personnel in charge of payroll.

“Assuming the identity of the CEO seems to be the preferred tactic for the threat actors, but there is no reason that this type of attack cannot utilize the identity and role of any employee within a company. As the primary aim is to divert a monthly salary payment to a bank account the criminal gang controls, it’s logical they would ideally purport to be those most likely to receive the highest compensation,” email security outfit Agari points out.

Also, the targeted HR employee is more likely to bend a few rules if the request to change the bank account information comes from someone high in the enterprise hierarchy.

A typical starting email can look like this:

BEC scammers payroll diversion

The HR specialist might counter with a request for a voided check or a document on a bank letterhead showing the new account number, or for the requester to use the login credentials and make the change themselves. Both requests can be easily sidestepped by scammers with a knack for social engineering (e.g., “I can’t do that right now for [reasons], and this is urgent”).

“It should also be noted that the threat actors are not phased by being asked to provide a voided check displaying the new accounts details and have successfully provided these when requested of them,” the company notes.

Risk mitigation advice

Needless to say, implementing security protections (e.g., 2FA) and sticking to a well thought out and defined procedure for checking the validity of similar requests is key to foiling scammers.

Agari recommends ensuring an element of human contact is established before completion of the request, in addition to checking that the email address actually belongs to the requester.