FBI Alert: Direct Deposit Scam Is On

November 9, 2018

A familiar attempt to get at your hard-earned paycheck is resurfacing, says the FBI. The organization recently released a Public Service Announcement warning that cybercriminals are again targeting online payroll accounts for employees who use direct deposit, particularly those working in education, healthcare, and commercial airway transportation. The Better Business Bureau is also echoing the warning to consumers. The direct deposit scam is nothing new, but it’s back with a vengeance.

The Internet Crime Complaint Center (IC3) is the Bureau’s virtual complaint desk for people who believe they’ve been victims of an online crime or defrauded by one. The IC3 reports a spike in complaints from consumers about a direct deposit phishing scam aimed at getting login credentials. Hackers are posing as human resources employees and sending out phishing emails with links asking staff to update their credentials for direct deposit. Upon getting that information, hackers reroute paychecks to a different account (owned by them) or transfer the funds onto a prepaid debit card they own. In a new twist, hackers also change the rules of an account, preventing the employee from receiving any alerts about direct deposit changes. That means someone’s entire account can be changed without them knowing, until they realize their paycheck never made it to where it belongs.
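For payroll and IT teams, the "new twist" above leaves a recognizable trail: a deposit-change alert is switched off, and the deposit account is changed soon after. The following detection sketch is an added example, not part of the FBI announcement; the audit-log fields, action names, and sample events are constructed and hypothetical, so map them to whatever your payroll system actually records.

```python
from datetime import datetime, timedelta

# Constructed audit events. The schema (ts/user/action/detail) and the action
# names are hypothetical, not taken from any real payroll product.
SAMPLE_EVENTS = [
    {"ts": "2018-10-20T14:00:00", "user": "mlee", "action": "alert_rule_changed",
     "detail": {"rule": "direct_deposit_change", "enabled": False}},
    {"ts": "2018-11-05T08:02:11", "user": "jdoe", "action": "login", "detail": {}},
    {"ts": "2018-11-05T08:03:40", "user": "jdoe", "action": "alert_rule_changed",
     "detail": {"rule": "direct_deposit_change", "enabled": False}},
    {"ts": "2018-11-05T08:05:02", "user": "jdoe", "action": "direct_deposit_changed", "detail": {}},
    {"ts": "2018-11-05T09:15:00", "user": "asmith", "action": "direct_deposit_changed", "detail": {}},
    {"ts": "2018-11-05T10:00:00", "user": "rkhan", "action": "alert_rule_changed",
     "detail": {"rule": "direct_deposit_change", "enabled": False}},
    {"ts": "2018-11-05T10:01:00", "user": "rkhan", "action": "alert_rule_changed",
     "detail": {"rule": "direct_deposit_change", "enabled": True}},
    {"ts": "2018-11-05T10:30:00", "user": "rkhan", "action": "direct_deposit_changed", "detail": {}},
    {"ts": "2018-11-05T11:00:00", "user": "mlee", "action": "direct_deposit_changed", "detail": {}},
]

def find_silenced_deposit_changes(events, window_hours=24):
    """Return (user, alert_off_ts, deposit_change_ts) for every deposit change made
    within window_hours of that user's deposit-change alert being switched off."""
    window = timedelta(hours=window_hours)
    silenced_at = {}  # user -> time the deposit-change alert was last disabled
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort in time order
        ts = datetime.fromisoformat(ev["ts"])
        user, action, detail = ev["user"], ev["action"], ev["detail"]
        if action == "alert_rule_changed" and detail.get("rule") == "direct_deposit_change":
            if detail.get("enabled"):
                silenced_at.pop(user, None)  # alert restored, stop tracking this user
            else:
                silenced_at[user] = ts
        elif action == "direct_deposit_changed" and user in silenced_at:
            if ts - silenced_at[user] <= window:
                findings.append((user, silenced_at[user].isoformat(), ev["ts"]))
    return findings

if __name__ == "__main__":
    for user, off_ts, change_ts in find_silenced_deposit_changes(SAMPLE_EVENTS):
        print(f"REVIEW {user}: alert disabled {off_ts}, deposit changed {change_ts}")
```

A hit is a reason to confirm the change with the employee by phone or in person before the next payroll run, not proof of fraud on its own.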

Below are FBI warnings about direct deposit scams.

- Inform all employees about the scam, and also what to do should someone fall for it.
- Never, ever provide login details or personal information to anyone and never send these via email.
- While you should always use unique credentials for each account, be especially sure that the login credentials you use for payroll are used exclusively for payroll.
- Always check a link by hovering your mouse over it to confirm that the URL is legitimate. If it looks odd, don’t click it.
- When in doubt about an email, verify it with the sender directly by phone or by paying a personal visit. You can also forward it to the HR or IT department for confirmation.
- Always use two-step verification when it’s available and especially when sensitive information is involved.

As always, these types of scams are likely perpetrated via phishing email. So watch out for links or attachments in email that you are not expecting, that come from unknown senders, or that you just cannot be 100% confident are legitimate. When it comes to your payroll, it’s always best to call the payroll department to verify such links first. It’s a simple step that can keep your paycheck where it belongs…in your account.

Stickley on Security
Published November 4, 2018