In 2018, the Internal Revenue Service (IRS) and its Security Summit partners warned tax professionals of phishing emails targeting them that involve payroll direct deposit and wire transfer scams.

These types of emails are generally referred to as Business Email Compromise (BEC), Email Account Compromise (EAC), or Business Email Spoofing (BES), and are typically aimed at all industries and employers.

In 2019, the Federal Bureau of Investigation (FBI) released its Internet Crime Report which showed a $1.7 billion dollar loss as a result of 23,775 BEC/EAC complaints.

Do not let yourself fall victim to this fraudulent activity. Here is some information about this strain of payroll scam, and how to protect your business.

How this strain of payroll scam begins.

This strain of payroll scam works like this: a scammer impersonates a company employee and sends an email to a payroll or human resources (HR) personnel using a false email address that resembles the format of the organization. The contents within the email claim that his or her direct deposit information needs to be updated. The scammer posing as the employee requiring these changes then provides a new bank account and routing number to obtain payroll deposits.

Another version of this scam is when the hacker impersonates a company executive and sends an email to an employee who is responsible for wire transfers. In this scenario, the fake company executive demands that a wire transfer be made to a specific account.

According to the IRS, “Companies that fall victim to this scam can lose tens of thousands of dollars.”

What to look out for.

As these emails can be very damaging to a company, here are a few things to look out for:

  • Grammatical errors and spelling mistakes within the email.
  • Unknown email addresses.
  • A mismatch between name and email address. (e.g. John Smith <BDoe@___com>, the name should represent <Jsmith@____.com>)
    • You may also see changes to the domain name which are typically off by a letter.  (e.g. Correct email address jdoe@abclaw.com; Fake email address:  jdoe@abclew.com)
  • Implied sense of urgency.
  • A font that is not typically used by your company.

The IRS provides a few examples of what one of these emails could look like here.

How to prevent payroll fraud.

So now you may be asking, “how can I prevent this from happening to my company?” It is super important to take the proper security precautions, such as investing in intrusion detection systems, firewalls, and other devices to monitor your network.

The best way to stop these scams within organizations internal controls is to make it mandatory that any bank changes for Direct Deposit or Accounts Payable are verified verbally before proceeding.

Cybercriminals, however, target individuals, not networks, so you must also make your staff aware of these security risks. With proper education and training, you can lessen the chance of an employee falling for an email phishing scam.

What to do if you receive a suspected phishing email.

If you receive a questionable email, here are a few tips on what to do:

  • Do not click on any links contained within the email.
  • Do not respond to an email requesting financial information, especially if it implies urgency.
    • If you believe the company does need personal information from you, call the company, using a number in your own address book. Do NOT call the number within the email.
  • Call your employees to verify that an email truly came from them.
    • For further safety, print a paper copy of the employee's email requesting a direct deposit change and a copy of a direct deposit form. Send it to him/her by hand if possible. See a sample of PrimePay’s direct deposit form here.
    • Before making any changes, have the employee provide you with a voided check with banking information along with their completed direct deposit form.
  • When in doubt, assume it is a scam.
  • Always report.

If you responded to a phishing email, here is what to do:

  • If you provided personal information requested in a phishing email, such as Social Security, credit card, or bank account number, go to IdentityTheft.gov and follow the steps based on the information you provided.

Reporting BEC/BES Emails

If you think you see a scam, reporting it is crucial, not only to protect yourself but to help someone else avoid scams.

The IRS suggests forwarding non-tax related BEC/BES email scams to the Internet Crime Complaint Center (IC3) monitored by the FBI. When filing a complaint at the IC3, be sure to copy and paste the entire email, including header information. The IC3 does not have an email address to forward BEC/BES emails to, instead, they provide a form where you can fill out this information here.

Don’t fall victim to these hackers. Remain alert to keep you and your employee’s personal details secure. The more you educate yourself and your employees, the better prepared your business will be to stay vigilant in your cybersecurity efforts.

How you process your payroll matters.

PrimePay is an SSAE 18 Type II compliant payroll company. Meaning, we have undergone a rigorous auditing process to provide the peace of mind that our company is secure.

One way our Online Payroll clients can ensure their banking changes are protected and legitimate, text message alerts are sent after a change to confirm its authenticity.

Those that utilize our Hands-off Payroll solution work closely with their dedicated Client Success Representative to make sure that every request is in writing, but all of the secure and critical details are submitted through specific forms and encrypted email communications.

With PrimePay, your payroll is safe & secure.

Your business matters. Start working with PrimePay today to ensure your business is safe from payroll fraud. Not to mention, our all-inclusive payroll, tax, and HR bundle lets you focus on what matters most!

Click here to learn more or fill out the form below.

Disclaimer: Please note that this is not all-inclusive. Our guidance is designed only to give general information on the issues actually covered. It is not intended to be a comprehensive summary of all laws which may be applicable to your situation, treat exhaustively the subjects covered, provide legal advice, or render a legal opinion. Consult your own legal advisor regarding the specific application of the information to your own plan.