Here at Marathon, we are always on the alert for dangers that might befall our clients and their personnel. One we recently identified is an email phishing scam that targets a company's human resources, payroll and accounting departments.
With this scam, cybercriminals identify a legitimate employee of a company (perhaps through social media or other public-facing information). They then send a spoofed email, posing as that employee, to the company's HR, payroll or other finance-related department, requesting that the employee's direct-deposit account be changed to a different account number, one the attacker controls.
The email often looks real, but there are usually telltale signs that it is spoofed:
- The sender's email address does not follow the company's address convention, or is hosted at a public provider such as AOL or Gmail rather than the company's own domain.
- The message does not address a specific person at the company.
- The email does not contain the company's standard signature block or email header.
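The three signs above can be checked mechanically before a payroll clerk ever acts on a message. The script below is an added example written for this post, not Marathon's own tooling or the Barracuda product mentioned later. It parses a raw email, applies the three indicators, and adds one check the post does not mention (a Reply-To header pointing at a different mailbox than From, which is common in these scams). The corporate domain, the assumption that a standard signature block contains a phone number or the corporate domain, and both sample messages are constructed for illustration.

```python
"""Flag inbound HR/payroll email showing the spoofing indicators from the post.

Added example, not Marathon's code. CORPORATE_DOMAIN, the signature convention
and the two sample messages are assumptions.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-corp.com"  # hypothetical; set to your own domain
# Public webmail providers the post warns about, plus a few common ones.
PUBLIC_PROVIDERS = {"aol.com", "gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# A greeting that names no individual: "Hi,", "Dear HR Team,", "Hello there".
GENERIC_GREETING = re.compile(
    r"(hi|hello|dear|greetings)\s*"
    r"(there|sir/madam|sir|madam|team|all|hr team|hr|payroll team|payroll|accounting)?"
    r"\s*[,:!.]?\s*",
    re.I,
)
# Assumed convention: the standard corporate signature carries a phone number
# or the corporate domain somewhere in its last few lines.
PHONE = re.compile(r"\(?\d{3}\)?[-.\s]?\d{3}[-.\s]\d{4}")
# Wording that makes the message a banking-change request (high risk regardless).
PAYMENT_TERMS = re.compile(
    r"direct deposit|bank account|routing number|account number|wire transfer|new account",
    re.I,
)


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def text_body(msg: Message) -> str:
    """Concatenate the text/plain parts (or the single body) as a str."""
    if msg.is_multipart():
        parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    else:
        parts = [msg]
    chunks = []
    for p in parts:
        raw = p.get_payload(decode=True) or b""
        chunks.append(raw.decode(p.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def assess(raw_message: str, corporate_domain: str = CORPORATE_DOMAIN) -> dict:
    """Return the indicators found and a handling verdict for one RFC 822 message."""
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    from_domain = domain_of(from_addr)
    body = text_body(msg)
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    greeting = lines[0] if lines else ""
    tail = lines[-8:]  # where a signature block would sit

    indicators = {
        # Sign 1: not a corporate address, and/or hosted at a public provider.
        "sender_not_corporate": from_domain != corporate_domain,
        "public_provider": from_domain in PUBLIC_PROVIDERS,
        # Sign 2: the message addresses nobody in particular.
        "generic_greeting": bool(GENERIC_GREETING.fullmatch(greeting)),
        # Sign 3: no standard signature block (assumed to contain a phone or the domain).
        "no_corporate_signature": not any(
            corporate_domain in ln.lower() or PHONE.search(ln) for ln in tail
        ),
        # Extra check, not from the post: replies are steered to another mailbox.
        "reply_to_mismatch": bool(reply_to) and domain_of(reply_to) != from_domain,
    }
    banking = bool(PAYMENT_TERMS.search(body))
    hits = [name for name, hit in indicators.items() if hit]

    # Policy from the post: banking changes are never accepted by email at all.
    if banking and hits:
        verdict = "HOLD: banking-change request with spoofing indicators; verify outside of email"
    elif banking:
        verdict = "HOLD: banking-change request; verify outside of email"
    elif hits:
        verdict = "REVIEW: spoofing indicators present"
    else:
        verdict = "OK"
    return {"from": from_addr, "banking_change_request": banking,
            "indicators": hits, "verdict": verdict}


# Constructed sample messages (not real correspondence).
SPOOFED = """From: "Jane Doe" <jane.doe.hr@aol.com>
Reply-To: jane.payroll.update@gmail.com
To: payroll@example-corp.com
Subject: Direct deposit change

Hi,

I recently changed banks. Please update my direct deposit to the new account
number attached before this Friday's payroll run.

Thanks,
Jane
"""

LEGITIMATE = """From: "Jane Doe" <jane.doe@example-corp.com>
To: payroll@example-corp.com
Subject: Copy of last year's W-2

Hi Maria,

Could you send me another copy of my W-2 from last year? I can't find mine.

Thanks,
Jane Doe
Senior Analyst, Example Corp
(555) 123-4567 | jane.doe@example-corp.com
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, assess(sample))
```

Run as-is, the spoofed sample trips all five indicators and is held; the legitimate sample passes. Note that the indicator checks only catch look-alike senders: a message sent from a genuinely compromised employee or client mailbox will show none of them, which is why the verdict holds any banking-change request whether or not indicators fire.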
More concerning, we have also received messages sent from a genuine client account, as replies within a genuine email thread, that did not come from the client. None of the signs above apply in that situation, so a request of that kind cannot be judged by the look of the email; it has to be verified outside of email.
In similar scams, cyberthieves pretend to be a vendor or client and ask that a payment be released to an account they control.
We urge you and your staff to remain vigilant against these attacks, which can be quite convincing. One of our HR vendors received such an email in the middle of a string of valid communications. On our part, we require hard-copy documentation of any change to payroll or direct deposit. We do not accept changes by email, and we caution our clients not to transmit bank account information by email or by entry on a website.
Marathon HR is also very careful with personal information and has protocols in place to prevent accidental disclosure. We are in the process of deploying a Barracuda email spam filter, which filters or quarantines questionable messages.
Statistics show that nearly half of all workers have clicked on a phishing email [1]. We don't want one of them to be your employee. Training, together with written procedures for handling personal and banking data, is critical to protecting your business from email spoofing. If you have not implemented such safeguards, we recommend you contact your IT provider to put best practices in place.