Phishing for Dollars: How to Prepare for a Payroll Phishing Scam

Phishing for Dollars: How to Prepare for a Payroll Phishing Scam

A new breed of phishing scam is hitting employers around the world-and it's targeting employees' paychecks.

Here's how a payroll phishing scam works:

  • Scammers create an authentic-looking email that appears to be sent from the employer. The employee receives an email requesting she click on a link, answer a few questions, or visit a website, where she will be directed to confirm her identity by providing their log-in credentials. 
  • Scammers then use this information to log in to payroll portals and reroute direct deposit checks. Scammers also may use this information to hack into employee emails to change the passwords to payroll portals so they can make even more account changes without the employee's knowledge. 
  • Once the direct deposit is distributed, the scam is complete. The employer often becomes aware of the scam after the direct deposit is distributed and the data breach notification requirements are triggered.
  • In order to mitigate employer liability and to protect sensitive data, employers and employees can take steps to protect against payroll phishing scams:

Employers should:

  • Alert their employees to this type of payroll phishing scam.
  • Enforce or establish a multifactor authentication system.
  • Review and update on a regular basis their data breach security measures and response plan.

Employees should:

  • Be advised to notify their human resources or information technology departments when they receive an email that requests that they click on a link, answer a few questions or visit a website that they do not recognize.
  • Should never reply to these emails.
  • Be advised to ensure that they have different log-in credentials for different purposes.
  • Once a phishing email has been identified by an employee and confirmed by the IT department, appropriate measures can be taken to prevent from such an attack and all employees can be notified of the potential threat to prevent from a data breach.