Payroll and HR departments are now popular targets for criminals. They could inadvertently give criminals access to an employee’s paycheck without the employee knowing and end up costing your company thousands of dollars. The direct deposit scam is the latest trick hitting these departments. The Internal Revenue Service (IRS) and law enforcement are warning employers to be on the lookout for this type of phishing scam.
In the scam, criminals trick payroll or human resources into rerouting the direct deposit of an employee’s paycheck. By impersonating an actual company employee and their email, the criminal emails a request for a change to their payroll direct deposit to the company’s payroll/HR department. The criminals provide new bank account and routing numbers, which leads to a new bank account the scammers control.
The scam is usually caught quickly but the victim often loses one or two payroll deposits before the scam is uncovered. Scam emails usually have grammatical or spelling mistakes, but recent scam attempts include emails that were “well written, cordial and lack the misspellings, grammar mistakes and exclamation points that would trigger many popular email filters that search for spam or phishing attempts.” To make the email look even more realistic, “the scammers may even spoof the forms used by the company when making these requests.”
“Always be sure to communicate via known communication channels, rather than replying to messages received, especially when banking and employment data are involved,” says Kurt Barneson, CPA, Assistant Director of Finance, CalChamber.
Payroll and HR departments should:
- Call or meet with your employee in person to verify the request before processing any payroll changes;
- Avoid replying directly to any suspicious email so the criminal does not know your email address is valid and target it in the future; and
- Communicate details of any attempted or potential scam (like this blog) with your human resources and payroll teams so they can be prepared.
Companies who receive these scam emails can report them to the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3). You may also file a complaint with the IC3 if you believe you have been the victim of an Internet crime or if you want to file on behalf of another person you believe has been such a victim.
Read more about this and another payroll and HR scam in HRCalifornia Extra. Subscribe now!
Katie Culliton, Editor, CalChamber
CalChamber members have access to a variety of forms to use in their business, including Direct Deposit Authorization (also in Spanish). Members can also review Q&As like Can an employer require all employees have direct deposit? Not a member? Learn about the benefits of a membership.