What’s the best way to outsmart a cybercriminal?


While thieves continue to implement new tactics to trick consumers, the best defense is knowing what to look out for.

The latest scam on the FBI’s radar? Phishing emails targeting online payroll accounts of employees.

What’s happening?

In a recent news alert, the FBI’s Internet Crime Complaint Center (IC3) explained that it has been receiving complaints about cybercriminals targeting the online payroll accounts of employees. The most commonly affected industries are education, health care, and commercial airway transportation.

The phishing emails are designed to capture an employee’s login credentials. From there, the credentials are used to access the employee’s payroll account to change banking information.

The cybercriminal then adds rules to the victim’s account that prevent the victim from receiving alerts regarding direct deposit changes. When those changes are made, the cybercriminal redirects the deposit to an account under their control, such as a prepaid card.

Steps you can take.

(Share these with your employees).

Alerting and educating your employees is a crucial first step in preventing a breach and in knowing what to do should one occur. The IC3 offered these recommendations to help mitigate threats:

  • Have your employees hover their cursor over any hyperlinks included in emails they receive. This way, they can view the actual URL and confirm it is associated with the company it appears to be from.
  • Make sure employees refrain from supplying login credentials or personally identifying information in response to any email.
  • If an employee does receive a suspicious request for personal information, direct them to forward the request to your information technology or human resources representative.
  • Login credentials used for payroll purposes should differ from those used for other purposes.
  • Apply heightened security to banking information changes initiated by employees who are updating or changing direct deposit credentials.
  • Monitor employee logins that occur outside of your normal business hours.
  • If possible, restrict access to the internet on systems handling sensitive information. Or, you can implement two-factor authentication for access to sensitive systems and information.
  • Only allow required processes to run on systems handling delicate information.
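
One way to act on the login-monitoring and direct-deposit recommendations above, shown as an added example that is not part of the FBI alert or PrimePay's own tooling: hold any direct deposit change that follows an off-hours login or a newly added alert rule. The event fields, action names, business hours and 24-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

BUSINESS_HOURS = range(8, 18)      # assumed 08:00-17:59 local time, Mon-Fri
WINDOW = timedelta(hours=24)       # assumed look-back before a deposit change

# Constructed sample events; the field names and action values are hypothetical.
EVENTS = [
    {"ts": "2018-10-01T09:12:00", "user": "asmith", "action": "login"},
    {"ts": "2018-10-01T09:20:00", "user": "asmith", "action": "direct_deposit_change"},
    {"ts": "2018-10-03T02:41:00", "user": "bjones", "action": "login"},
    {"ts": "2018-10-03T02:44:00", "user": "bjones", "action": "alert_rule_added"},
    {"ts": "2018-10-03T02:47:00", "user": "bjones", "action": "direct_deposit_change"},
    {"ts": "2018-10-06T11:00:00", "user": "clee", "action": "login"},
]

def off_hours(ts):
    """True for weekends or times outside BUSINESS_HOURS."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def review_deposit_changes(events):
    """Return one finding per direct deposit change that follows a warning sign."""
    findings, recent = [], {}          # recent: user -> [(timestamp, action)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        history = recent.setdefault(ev["user"], [])
        if ev["action"] == "direct_deposit_change":
            reasons = set()
            for seen_ts, action in history:
                if ts - seen_ts > WINDOW:
                    continue           # too old to be related to this change
                if action == "login" and off_hours(seen_ts):
                    reasons.add("off-hours login")
                if action == "alert_rule_added":
                    reasons.add("alert rule added before change")
            if reasons:
                findings.append((ev["user"], ev["ts"], sorted(reasons)))
        history.append((ts, ev["action"]))
    return findings

if __name__ == "__main__":
    for user, when, reasons in review_deposit_changes(EVENTS):
        print(f"HOLD {user} {when}: {', '.join(reasons)}")
```

A held change can then be confirmed with the employee through a channel other than email before payroll runs.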

The full news alert is available from the FBI.

In addition to this specific scam that the FBI is alerting consumers about, the IT department at PrimePay offered up some other general advice that you can share with your employees.

“Emails using names of your company’s employees that are not sent from a @YOURCOMPANYNAME email address should be considered untrustworthy. Also, any unusual requests such as wire transfers, gift card purchases or for personal contact information should not be acted upon,” said John Allen, VP, Information Security and Governance at PrimePay.

Let’s face it, you have enough to worry about as a small business owner. Protecting your employees’ personal data is crucial. And it all starts with education.

What advice do you share with your employees to help them stay safe from cybercriminals?