Direct Deposit Scams Continue

In direct deposit or payroll diversion scams, threat actors research the targeted organization and identify an employee to impersonate. They typically register a free email address using the employee’s name and use display name spoofing in their messages. In some cases, they compromise the employee’s actual email account to avoid suspicion. The threat actors then email payroll, finance, or human resources departments to request direct deposit changes and the applicable forms. Sometimes they locate the organization’s direct deposit change form online and attach a completed copy to the email. Their goal is to redirect the employee’s direct deposit to an account under the threat actor’s control.
The NJCCIC continues to receive multiple reports of direct deposit scams, primarily targeting educational institutions. However, all organizations, regardless of sector, are at risk. In one incident, threat actors created a Google Gmail account, impersonated an employee, and attempted to change the direct deposit account information. They sent an email with a blank subject line and content containing “Good Morning, Hope you’re having a great day. Before the next payroll will be issued, I need to replace the account where my most recent deposit was made due to a bank change. What information is required?”
In another incident, threat actors impersonated an employee and emailed the finance department with a subject line of “New Account Info.” The email contained, “I am currently experiencing issues logging into the [redacted] portal, as I am being redirected to the homepage with a blank page. Therefore, I can provide my new banking information for the update. Here is the voided check with my new bank details for the change. Please cancel the previous account and use the new details provided below [redacted bank information].”
In the examples above, the requests to change direct deposit information were easily identified as scams. However, in another direct deposit scam, threat actors intended to compromise an employee’s account to impersonate them and avoid suspicion. They contacted the organization’s help desk to request a password and multi-factor authentication (MFA) reset in a successful social engineering attack. The threat actors gained unauthorized access to the employee’s account and emailed a direct deposit change request to the payroll department. The payroll employee initiated the change based solely on the email request, deviating from the organization’s established policy. Additionally, to evade detection, the threat actors created an inbox rule to delete emails containing “direct deposit” automatically. However, the organization’s security monitoring solution detected the rule promptly, and the account was locked.
Organizations, and especially employees in payroll, finance, or human resources departments, are advised to watch for several red flags in direct deposit scams. First, a request is suspect when the sender’s display name does not match the email address it was sent from. Threat actors may also create urgency to rush the process, using phrases such as “This is urgent” or “Please make the change immediately.” Additionally, if the request includes a form attachment, the form may contain errors, the Social Security number may be incorrect, or the signature may look suspicious. Furthermore, the request may omit the voided check that is recommended for such changes.
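The red flags listed above, together with the keyword-based inbox deletion rule described in the account-compromise incident, can be turned into simple triage checks that a payroll or security team could run over incoming change requests and mailbox rule audit events. The following is an added example, not code from the NJCCIC or any product it mentions; the employee directory, sender addresses, and inbox rule are constructed sample values.

```python
from email.utils import parseaddr

# Constructed directory of known employees: display name -> legitimate address.
DIRECTORY = {"jane doe": "jdoe@example.edu"}

BANK_CHANGE_TERMS = ("direct deposit", "bank details", "banking information",
                     "replace the account", "new account")
URGENCY_TERMS = ("this is urgent", "immediately", "before the next payroll")

def display_name_mismatch(from_header: str, directory: dict = DIRECTORY) -> bool:
    """Red flag: display name matches a known employee but the address does not."""
    name, addr = parseaddr(from_header)
    expected = directory.get(name.strip().lower())
    return expected is not None and addr.lower() != expected

def score_message(from_header: str, subject: str, body: str,
                  has_voided_check: bool = False) -> list:
    """Return the red flags raised by one email; empty list if it is not a bank-change request."""
    flags = []
    text = (subject + " " + body).lower()
    if not any(t in text for t in BANK_CHANGE_TERMS):
        return flags
    flags.append("bank_change_request")
    if display_name_mismatch(from_header):
        flags.append("sender_name_address_mismatch")
    if not subject.strip():
        flags.append("blank_subject")
    if any(t in text for t in URGENCY_TERMS):
        flags.append("urgency_language")
    if not has_voided_check:
        flags.append("no_voided_check")
    return flags

def inbox_rule_is_suspicious(rule: dict) -> bool:
    """Flag an inbox rule that auto-deletes mail mentioning direct deposit (evasion tactic)."""
    conditions = " ".join(rule.get("conditions", [])).lower()
    return rule.get("action") == "delete" and "direct deposit" in conditions

# Constructed samples modelled on the incidents described in the advisory.
GMAIL_IMPERSONATION = ("Jane Doe <janedoe.work@gmail.com>", "",
    "Good Morning, Hope you're having a great day. Before the next payroll "
    "will be issued, I need to replace the account where my most recent deposit "
    "was made due to a bank change. What information is required?")
EVASION_RULE = {"name": "Cleanup",
                "conditions": ["subject or body contains 'direct deposit'"],
                "action": "delete"}

if __name__ == "__main__":
    print(score_message(*GMAIL_IMPERSONATION))
    print(inbox_rule_is_suspicious(EVASION_RULE))
```

Any message that returns more than one flag should be routed to the out-of-band verification step before payroll acts on it.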
Recommendations
Refrain from responding to messages, opening attachments, and clicking links from unknown senders, and exercise caution with emails from known senders.

If correspondence contains changes to bank information or is otherwise urgent or suspicious, contact the sender via a separate means of communication—by phone using contact info obtained from official sources or in person—before taking action. 

Implement security controls that help prevent account compromise, including establishing strong passwords and enabling multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes. 

Organizations are advised to implement strict verification processes and procedures to prevent unauthorized direct deposit changes, such as requiring direct deposit forms accompanied by a voided check or bank encoding form, verbal or in-person agreement from the requesting employee, and multiple approvals for the change request.

Organizations are advised to educate their helpdesk and IT personnel on the tactics used by cyber threat actors to gain unauthorized access to accounts.

Review and secure email and payroll systems for vulnerabilities and keep them up to date. If funds are unintentionally wired to a fraudulent account, immediately notify a supervisor, banking institution, the FBI, and the US Secret Service so that attempts can be made to stop the wire transfer.

Unless the fraudulent transaction is discovered quickly (typically within 48 hours), it can be difficult, if not impossible, to return the stolen funds.

If personally identifiable information (PII) has been compromised, review the Identity Theft and Compromised PII NJCCIC product for additional recommendations and resources, including credit freezes and enabling MFA on accounts.