Vendor ACH request fraud is on the rise. The scam works like this: the cybercriminals first stalk their prey (research or intelligence gathering), looking for a newly awarded contract or an existing vendor relationship, typically at a local government. Information like this is far easier to obtain from a local government than from a business, because contract awards and vendor payments are matters of public record. They then research the vendor to collect its details, including the name, address, and EIN. Once the research is complete, they plan the attack: an email to someone in finance requesting a new ACH enrollment, or a change to the existing ACH details, for that vendor. Every detail in the request will match the real vendor except the routing and account numbers, which send the money to accounts controlled by the cybercriminals. Even a single payment to the wrong account can mean the loss of the entire amount, which on a large contract can run into the millions.
If you receive such a request by email, follow up with a phone call before making any change. Use the phone number you already have on file for the vendor, never a number that appears in the email itself, and speak with a contact you already know there. Good working relationships with your vendors also limit the cybercriminals' chances of success, because a real change is usually discussed before it is requested.
Direct Deposit Scam
Similar to the ACH scam is the direct deposit scam, which comes in two variations. In the first, cybercriminals pose as an employee and request a change to that employee's direct deposit information. As with ACH fraud, the new account numbers send the money to accounts controlled by the cybercriminals, and on payday the employee does not receive their paycheck. The company will, of course, reimburse the employee, but it is a hassle for everyone involved.
To avoid this scam, create a procedure for verifying every request to change an employee's direct deposit details. If the request arrives by email, follow up with a phone call before making the change. Use the phone number you already have on file for the employee, not one that appears in the email or on the request form.
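The callback procedure described for vendor ACH changes and for employee direct deposit changes is the same control, so here it is written out once as an added example (it is not code from the original article, and the record layout, the `PayeeRecord`/`ChangeRequest` names and the sample data are all assumptions). The point the code enforces is the one the text makes: the number you call back comes from the record on file, never from the request, and no bank-detail change is applied until that call has confirmed it.

```python
"""Out-of-band verification workflow for ACH / direct deposit change requests.

Added example; not the article's code. Names, record layout and sample data
are assumptions. Works for both vendors (ACH) and employees (direct deposit).
"""
import re
from dataclasses import dataclass, field, replace
from enum import Enum
from typing import List, Optional


class Status(Enum):
    PENDING_CALLBACK = "pending_callback"  # waiting for the out-of-band phone call
    VERIFIED = "verified"                  # payee confirmed on the number on file
    REJECTED = "rejected"                  # payee denied it, or it was never confirmed


@dataclass(frozen=True)
class PayeeRecord:
    """Vendor or employee as stored in the finance/HR system: the source of truth."""
    payee_id: str
    phone_on_file: str
    email_domain_on_file: str
    routing_number: str
    account_number: str


@dataclass
class ChangeRequest:
    """An emailed request to add or change bank details for a payee."""
    request_id: str
    payee_id: str
    sender_email: str
    phone_in_request: Optional[str]  # number the email asks you to call; never trusted
    new_routing_number: str
    new_account_number: str


@dataclass
class Review:
    status: Status
    callback_number: str            # always copied from the record on file
    flags: List[str] = field(default_factory=list)


def _digits(phone: str) -> str:
    """Reduce a phone number to its digits so formatting differences cannot hide a mismatch."""
    return re.sub(r"\D", "", phone)


def triage(req: ChangeRequest, record: PayeeRecord) -> Review:
    """Open a review for the request. The callback number comes from the record, not the email."""
    flags = []
    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != record.email_domain_on_file.lower():
        flags.append(f"sender domain {sender_domain!r} differs from domain on file")
    if req.phone_in_request and _digits(req.phone_in_request) != _digits(record.phone_on_file):
        flags.append("phone number in request differs from number on file (ignored for callback)")
    if (req.new_routing_number, req.new_account_number) == (record.routing_number, record.account_number):
        flags.append("request does not change the bank details on file")
    return Review(Status.PENDING_CALLBACK, record.phone_on_file, flags)


def record_callback(review: Review, confirmed: bool) -> Review:
    """Record the outcome of the phone call made to the number on file."""
    review.status = Status.VERIFIED if confirmed else Status.REJECTED
    return review


def apply_change(req: ChangeRequest, record: PayeeRecord, review: Review) -> PayeeRecord:
    """Return the updated record, or refuse if the callback has not confirmed the change."""
    if review.status is not Status.VERIFIED:
        raise PermissionError(f"{req.request_id}: bank details not verified by callback ({review.status.value})")
    return replace(record, routing_number=req.new_routing_number, account_number=req.new_account_number)


if __name__ == "__main__":
    # Constructed sample data: the domain is a look-alike and the email supplies its own "call me" number.
    vendor = PayeeRecord("V-1001", "(555) 010-2000", "acme-supply.example", "000000000", "123456789")
    request = ChangeRequest("R-1", "V-1001", "ar@acme-supp1y.example", "555-010-9999", "000000000", "999999999")
    review = triage(request, vendor)
    print("call", review.callback_number, "flags:", review.flags)
    record_callback(review, confirmed=False)      # the real vendor says they never asked
    try:
        apply_change(request, vendor, review)
    except PermissionError as err:
        print("blocked:", err)
```

The flags are advisory: a request with no flags still waits for the callback, because a convincing request is exactly what this scam produces. The change is only applied from `apply_change`, which refuses anything not marked `VERIFIED`.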
The other variation tricks the employee into giving up their login credentials for the company HR or payroll portal. The cybercriminals set up a site that looks just like the one the employee normally uses and email employees asking them to log in and update their direct deposit or some other information. Once they have the credentials, the cybercriminals log in to the real portal and change the direct deposit details themselves. In the first variation the cybercriminals pretend to be the employee to get the organization to make the change; in the second they pretend to be the organization to trick employees into handing over their usernames and passwords so they can make the change.
To avoid this scam, employees should check with HR before acting on any unusual request, and the organization should require multifactor authentication on its HR and payroll portals. Keep in mind that a look-alike site can relay a one-time code as easily as a password, so phishing-resistant methods (such as FIDO2 security keys or passkeys) give better protection than codes sent by text or email.
Gift Card Scams
A new gift card scam has joined the ranks of scams that try to con you out of the money on your gift cards. It plays out like this: you receive a request from a high-level executive asking you to go and buy some gift cards to be used for employee incentives. The request usually has an urgent tone (go to the store now and buy them) and will often ask for your personal cell phone number. Typically, the first contact is an email appearing to come from an upper-level executive asking if you have a moment and whether you could text them, because they are in a meeting or won't have access to their email. The pressure is then put on you to purchase the gift cards immediately; it is so important that they want you to text them the card numbers as soon as you have paid. To ease any concerns they will tell you to expense the gift cards on your time sheet, and may even be generous enough to suggest you get a gift card for yourself. Of course, the company is not going to reimburse you for gift cards it never authorized, and by the time the cards are redeemed the money is gone. The scam leaves the employee paying out of their own pocket with no recourse.
Cybersecurity awareness training and alerts not only protect the organization; they also help employees avoid falling victim to fraud themselves. Make sure your cybersecurity awareness program covers these types of fraud as well.