Q&A WITH JUSTIN P. GROSE
Employers: Beware of paycheck pirates and their devious email phishing scams
Q: Recently, there have been reports of employers being targeted by phishing scams that seek to divert employees’ paychecks. What’s this about?
A: An employee will receive an email that appears to be from an employer email account or another account routinely used by the employer such as an outside payroll service. Typically, the scam email will ask the employee to access a particular website or link that’s contained within the body of the email. Once the employee has been rerouted, the website or link will ask for the employee’s unique login credentials. After the information is entered, the scammers can then use it to access the employer’s payroll portal or reroute direct deposits intended for its employees. Other times the scammers can access employees’ email accounts to request a password change, which in turn allows them to alter the direct deposit instructions for future paychecks.
Q: How can one tell if an email is legitimate or not?
A: Unless the employee is skeptical of the email and contacts the IT department, there may be no way to tell at first glance whether the email is a scam. Subtle differences in spellings or differences in company logos may help tip off an employee but not always.
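The "subtle differences in spellings" the answer mentions are something a mail gateway or help desk can check mechanically rather than by eye. The following is an added example written for this page, not code from the interview or from Mr. Grose: a small triage script that compares the sender's domain and every link host in the message body against an allow-list of the employer's own domain and its payroll vendor, and flags near-misses (one- or two-character edits, the trusted name embedded in a longer attacker domain, a trusted-looking address shown only in the display name, and the `https://trusted@attacker` userinfo trick). The domains, the allow-list and the four sample messages are all constructed placeholders.

```python
import re

# Constructed allow-list (hypothetical names): the employer's own domain and the
# outside payroll service it uses. Real deployments would load this from config.
TRUSTED_DOMAINS = ("acme-corp.example", "payroll-vendor.example")

# Captures the host part of an http(s) URL up to the first '/', ':', '?' or '#'.
URL_RE = re.compile(r"https?://([^\s/:?#<>\"']+)", re.IGNORECASE)
# Angle-bracketed address at the end of a From: value; display name is whatever precedes it.
ADDR_RE = re.compile(r"<([^<>]+)>\s*$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; used to catch acme-c0rp / acme-corp style swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_verdict(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Classify a host name as 'trusted', 'lookalike' or 'external'."""
    domain = domain.lower().rstrip(".")
    # Exact match or a subdomain of a trusted domain (hr.acme-corp.example) is trusted.
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"
    for t in trusted:
        if levenshtein(domain, t) <= max_distance:
            return "lookalike"  # e.g. acme-c0rp.example, acme-corp.exmaple
        if t.split(".")[0] in domain:
            return "lookalike"  # e.g. acme-corp.example.login-verify.test
    return "external"


def split_from(from_header: str):
    """Return (display_name, address) without relying on the display name being quoted."""
    m = ADDR_RE.search(from_header)
    if m:
        return from_header[: m.start()].strip(' "'), m.group(1).strip()
    return "", from_header.strip()


def sender_verdict(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    name, addr = split_from(from_header)
    if "@" not in addr:
        return "external"
    verdict = domain_verdict(addr.rsplit("@", 1)[1], trusted)
    # Display name shows a trusted address while the real address does not: classic spoof.
    if verdict == "external" and any(t in name.lower() for t in trusted):
        return "lookalike"
    return verdict


def triage(from_header: str, body: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Score one message: sender verdict, per-link verdicts, and an overall verdict."""
    sender = sender_verdict(from_header, trusted)
    links = {}
    for raw in URL_RE.findall(body):
        if "@" in raw:
            # Text before '@' is URL userinfo, not the host; the host is what follows it.
            links[raw.rsplit("@", 1)[1].lower()] = "lookalike"
        else:
            links[raw.lower()] = domain_verdict(raw, trusted)
    verdicts = [sender, *links.values()]
    overall = "lookalike" if "lookalike" in verdicts else ("external" if "external" in verdicts else "ok")
    return {"sender": sender, "links": links, "verdict": overall}


# Constructed sample messages (not real mail): one legitimate, three suspicious.
SAMPLE_MESSAGES = [
    ("HR <hr@acme-corp.example>",
     "Open enrollment is live at https://portal.acme-corp.example/benefits"),
    ("Payroll <payroll@acme-c0rp.example>",
     "Verify your direct deposit at https://acme-corp.example.login-verify.test/reset "
     "or https://acme-corp.example@login-verify.test/reset within 24 hours."),
    ("Jane Doe jane@acme-corp.example <jane.doe@mail-relay.test>",
     "Please send me the updated banking details for my next paycheck."),
    ("News <news@newsletter.test>",
     "This week's industry digest: https://newsletter.test/issue/12"),
]


def run_samples():
    return [triage(frm, body) for frm, body in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for (frm, _), result in zip(SAMPLE_MESSAGES, run_samples()):
        print(f"{result['verdict']:9}  {frm}  links={result['links']}")
```

Anything scored "lookalike" is worth routing to the IT or security contact the answer describes before the employee acts on it; "external" is merely unknown and should be verified out of band for payroll-related requests. The distance threshold of 2 is a tuning choice: raising it catches more creative misspellings at the cost of more false alarms on unrelated short domains.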
Q: What can employers do to take adequate steps to combat these types of scams?
A: Employers should immediately alert all employees about the potential scam. Of course, all suspicious emails shouldn’t be opened, the links in them shouldn’t be accessed, and the emails should be quarantined and/or forwarded to the IT department or other appropriate person. Employees should be instructed to not supply login credentials or other sensitive information to any suspicious emails. Depending on the number of portals an employer’s employees have access to, e.g., payroll, benefits or personnel files, the login information used for each should be different and employees must be reminded of this. Two-factor or multifactor authentication should be used where possible. Finally, employers should update their physical, electronic and technical measures used to protect and secure sensitive employee data.
Q: What should an employer do if their systems have been subjected to this type of breach?
A: Confirm what data, if any, has been accessed, as well as the extent of the intrusion. If sensitive information has been breached, the employer likely will have to report it depending on applicable law. Failure to do so can result in penalties and/or civil liability to the employer.