August 3, 2020

Volume X, Number 216

July 31, 2020


Diverting Employees’ Payroll Direct Deposits: The Latest Wave of Phishing Scams

Employers beware: Companies are experiencing a wave of phishing scams that target employee paychecks. Here is the scenario: An employee receives, from what appears to be a company e-mail account, an e-mail that mimics a familiar and trusted company service or resource, such as an e-signature request or a request to complete a survey. The e-mail asks the employee to click a link, access a website, or answer a few questions, and then directs the employee to “confirm” his or her identity by entering his or her complete log-in credentials. Skeptical employees who question the request via reply e-mail receive a prompt response (also from the attacker) purporting to verify that the employee should complete the steps contained in the link. The threat actors then use the stolen log-in credentials to access payroll portals, reroute direct deposits to accounts they control, and wreak other havoc on the employer’s network. In some versions of the scam, the hackers use their access to the employee’s e-mail account to request a password change from the employer’s payroll service; the reset lands in the compromised mailbox, and they use the new log-in credentials to change the direct deposit instructions.

The threat actors are doing substantial due diligence on the social engineering side, and these e-mails look real. In many circumstances the sender’s address is effectively spoofed, so the message appears to come from a colleague or an internal system, and employers often learn of the scam only when employees begin reporting that they did not receive their direct deposits. By then, the damage has been done.

In addition to diverting funds, the scam gives the attacker access to employee accounts and personal and financial data, which creates a data breach for the employer and triggers notification obligations. Failure to take prompt action may result in penalties and liability to unsuspecting employers.

These scams are affecting employers nationwide without regard to their payroll portals or payroll service providers. 

Employers may want to immediately take the following precautions to avoid security breaches as a result of these phishing scams:

  • Alert your workforce to this scam.
  • Direct employees to forward any suspicious requests to the information technology or human resources department rather than replying to the e-mail; a reply goes to the threat actor, who will simply “confirm” the request.
  • Instruct employees to refrain from supplying log-in credentials or personally identifying information in response to any e-mail.
  • Ensure that log-in credentials used for payroll purposes differ from those used for other purposes, such as employee surveys.
  • Enforce (or, where necessary, establish) multifactor authentication requirements for e-mail and payroll portal access.
  • Review and update the physical, technical and personnel-related measures taken to protect your sensitive information and data.

© 2020, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved. National Law Review, Volume VIII, Number 30

About this Author

Rebecca J. Bennett, Shareholder, Employment, Ogletree, Deakins, Nash, Smoak & Stewart, Cleveland, OH

There is a story behind every employment discrimination claim.  Rebecca is skilled at telling your side of the story.  She unravels allegations, sifts through facts, and marshals evidence to build a defense.  Rebecca is a trial lawyer.  Through experience and intuition, she is good at evaluating risks and drawing up a winning strategy, whether that means early resolution or preparing for a jury trial.  Clients appreciate Rebecca’s cool-headed counsel in times of workplace trouble and uncertainty.

Rebecca has spent her career representing and counseling employers nationally in all...

216-274-6903
Danielle Vanderzanden, Shareholder, Labor Law and Privacy Attorney, Ogletree Deakins Law Firm

Ms. Vanderzanden is a Shareholder in the Boston office and Co-Chair of the firm’s Data Privacy practice group.  She specializes in the areas of privacy, restrictive covenant, wage and hour, discrimination and labor and employment litigation and counseling.  She devotes her practice to helping employers with employment-related disputes, conducting investigations and providing counsel to clients seeking to reduce their potential for liability to their employees and third parties.  She has personally conducted dozens of investigations, including investigations involving employee allegations of misconduct by company executives and systemic discrimination.

617-994-5724