Posted by Tiffany Gaskin

Direct Deposit Scams: Don't Fall For Them!

A direct deposit scam is a form of business email compromise or email account compromise (BEC/EAC) scheme. These scams are widespread and affect every sector. In 2019, the IC3 (the FBI's Internet Crime Complaint Center) received 23,775 BEC/EAC scam reports with adjusted losses of $1.7 billion. In particular, the report notes a dramatic increase in BEC/EAC direct deposit scams. This is a scam that organizations should be aware of.

Does your business use direct deposit for payroll? Because of the savings related to direct deposit, many businesses do this. As an employee, you enjoy the convenience of direct deposit. It gives quick access to your paycheck and the convenience of skipping the line at the ATM and/or the bank. And, for me, that's a big plus when trying to cope with the coronavirus pandemic. However, in light of the FBI's findings, organizations should take this scam seriously and implement security strategies to protect themselves. This article will focus on how direct deposit scams work, what to do if you've been scammed, and how to protect your business from them.

How direct deposit scams work

This type of scam relies on social engineering tactics such as phishing and manipulation, as earlier versions of the direct deposit scam did. In those versions, the cybercriminals posed as human resources (HR) employees and contacted staff by phishing email to collect their payment information. In the latest version, the bad actors have reversed the roles. Now they present themselves as employees, usually high-value ones such as the CEO or CFO, email the HR team, and request a change to their direct deposit information.

What makes this scam so dangerous? First, in this new version the emails easily slip past the technical controls built to catch malicious mail. Why? Because these phishing emails contain no money request, have no obvious spelling mistakes, and are short and friendly. I'll come back to that later.

Additionally, the criminals use free email services such as Gmail. They simply create a new account under the employee's name. In doing so, they sidestep tools designed to detect a compromised employee mailbox: no real account is ever hacked, so those tools have nothing to alert on.

Secondly, phishing emails manipulate emotions. The scammer crafts the email to create a sense of urgency. For example, while impersonating the CEO, the cybercriminal asks for a change to the direct deposit information that must be made before the next payroll run. If the HR employee responds and offers to help, the attacker sends new bank routing information. The paycheck is then deposited into the cybercriminal's account. Consequently, the employee is stuck waiting for a replacement check, the company is held responsible for the stolen funds, and the scammer walks away with free money. A bad scenario by anyone's definition.

What does the email look like?

Want to know what these emails look like? Here is an example of a direct deposit phishing email sent to Brown University.

To: Britney Williams

Subject: Direct deposit Update Request

Can you update my direct deposit? I just changed my bank account. I would appreciate it before my next paycheck.

Make sure your employees know that such emails appear to come from the CEO or CFO and are aimed at the human resources employees or accountants who initiate bank transfers.

What to do if you have been scammed

What should you do if your business has been scammed? It is important to react quickly and decisively. The FBI's Internet Crime Complaint Center recommends that you follow these steps:

  • Contact the originating financial institution immediately, as soon as the scam is detected. Request a recall or cancellation of the transfer, as well as a Letter of Indemnity or Hold Harmless Letter.

  • File a complaint with the FBI's IC3. Be sure to enter all required data.

No one wants to experience the anxiety, frustration, and financial loss of a direct deposit scam. So, as a company, take steps to strengthen your security posture. What can you do? Security training that emphasizes the human element is a must!

How do I report a fraudulent email?

  • If W-2 forms have been compromised, talk to your tax professional about how to proceed.

  • Report tax-related phishing emails to phishing@irs.gov.

  • Non-tax-related BEC/EAC email scams should be reported to the FBI's Internet Crime Complaint Center (IC3).

Protect your organization from direct deposit scams

To protect your firm from direct deposit scams and other cybercrimes, firewalls, intrusion detection systems, and other devices that monitor your network are important. However, it is essential not to neglect the human element in your security strategy. In direct deposit scams, cybercriminals target people, not networks. This brings me back to an earlier point: in these recent direct deposit scams, attackers craft emails that bypass technical checks, which reinforces the importance of building the human element into the security strategy. Training employees to understand and recognize harmful social engineering tactics is important. For this, we recommend a social engineering risk assessment. Your organization receives an expert analysis of its potential risks, allowing you to educate, plan, and prepare for a social engineering attack.

Phishing training is also a must. It educates your employees and gives your organization a continuous, repeatable process for assessing phishing risk.

Protect Your Employees

Help your employees understand the importance of fraud prevention, including:

  • Tell employees never to reply to an email from a mobile phone when the mail client shows only the sender's display name and not the email address.

  • Don't publish the names of HR teams online.

  • Teach employees to look carefully at email addresses and verify them against the known, correct addresses.

  • Update your spam filters to flag these types of emails.

  • Use a system with an employee self-service (ESS) portal so that employees can manage their own direct deposit information.
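The "How direct deposit scams work" section explains why these emails get through: the sender's display name matches a real employee, the address is a freshly created free webmail account, and the body is short, polite, and makes no money request. The two bullets above (verify addresses; update spam filters to flag these emails) describe the corresponding defensive checks. The following Python script is an added example, not code from the original post or from TaxProfessionals.com, of a mail-flow filter that applies those checks: it flags display-name impersonation of a known employee, free-webmail origin, a mismatched Reply-To, and payroll plus urgency wording, then holds the message for out-of-band verification. The employee directory, domain names, and sample messages are constructed for the example (the first sample mirrors the Brown University email quoted earlier); the keyword lists and verdict thresholds are assumptions a real deployment would tune.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical company directory: the display names a scammer would copy.
# Names, domain and addresses are constructed for this example.
CORPORATE_DOMAIN = "example-corp.com"
EMPLOYEE_DIRECTORY = {
    "dana morales": "dana.morales@example-corp.com",          # CEO
    "lee chen": "lee.chen@example-corp.com",                  # CFO
    "britney williams": "britney.williams@example-corp.com",  # HR
}
# Free webmail providers where a look-alike account costs nothing to create.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

# Content cues (assumed lists; tune for your environment).
PAYROLL_RE = re.compile(r"direct deposit|bank account|routing|paycheck|payroll", re.I)
URGENCY_RE = re.compile(r"before my next|as soon as possible|asap|urgent|today", re.I)


def assess_message(raw_message: str) -> dict:
    """Return a verdict and the reasons behind it for one RFC 822 message."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    sender_domain = sender.rpartition("@")[2]
    reasons = []

    # 1. Display-name impersonation: the name belongs to a known employee,
    #    but the address is not that employee's corporate address.
    expected = EMPLOYEE_DIRECTORY.get(display_name.strip().lower())
    impersonation = expected is not None and sender != expected
    if impersonation:
        reasons.append(f"display name '{display_name}' is an employee, but sender is {sender}")

    # 2. Free webmail origin: no corporate mailbox was compromised, so
    #    account-takeover tooling stays silent; only the domain gives it away.
    if sender_domain in FREE_MAIL_DOMAINS:
        reasons.append(f"sender domain {sender_domain} is a free webmail provider")

    # 3. Reply-To pointing somewhere other than the From address.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != sender:
        reasons.append(f"Reply-To {reply_to} differs from From")

    # 4. Content cues: bank/payroll subject matter and urgency. No link,
    #    attachment or money request is needed for these to fire.
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    payroll = PAYROLL_RE.search(text) is not None
    if payroll:
        reasons.append("asks about direct deposit / bank details")
    if URGENCY_RE.search(text):
        reasons.append("urgency cue tied to the next pay run")

    if impersonation and payroll:
        verdict = "hold"      # quarantine; HR verifies by phone or in person
    elif reasons:
        verdict = "review"    # tag the message and route it to a human
    else:
        verdict = "pass"
    return {"verdict": verdict, "reasons": reasons, "sender": sender}


# Constructed sample messages (not real mail). The first mirrors the
# Brown University example quoted in the article.
SCAM_MESSAGE = "\n".join([
    'From: "Dana Morales" <dana.morales.ceo@gmail.com>',
    "To: britney.williams@example-corp.com",
    "Subject: Direct deposit Update Request",
    "",
    "Can you update my direct deposit? I just changed my bank account.",
    "I would appreciate it before my next paycheck.",
])
LEGIT_MESSAGE = "\n".join([
    'From: "Dana Morales" <dana.morales@example-corp.com>',
    "To: britney.williams@example-corp.com",
    "Subject: Offsite agenda",
    "",
    "Could you send me the agenda for Thursday's offsite?",
])
EXTERNAL_MESSAGE = "\n".join([
    'From: "Pat Recruiter" <pat.recruiter@gmail.com>',
    "To: britney.williams@example-corp.com",
    "Subject: Candidate follow-up",
    "",
    "Thanks for the call; I will send the references over next week.",
])


def scan(messages):
    """Assess each message and return the list of verdicts, in order."""
    return [assess_message(m)["verdict"] for m in messages]


if __name__ == "__main__":
    for raw in (SCAM_MESSAGE, LEGIT_MESSAGE, EXTERNAL_MESSAGE):
        result = assess_message(raw)
        print(result["verdict"], result["sender"], "|", "; ".join(result["reasons"]))
```

The design point is that none of the four checks needs a link, attachment, or money amount to trigger, which is exactly what a conventional content filter looks for and what this scam omits. The "hold" verdict is deliberately reserved for the combination of employee impersonation and payroll wording, so that a bank-detail change can never be actioned from email alone and always goes through a phone call or the employee self-service portal mentioned above.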

Best Practices

As millions of people move to work remotely, here are some of the best practices that can improve your organization's security:

  • Do not click or download anything unless it is from a verified sender. When in doubt, call your colleague to check.

  • Be aware of the information you provide over the phone, and remember that it is okay to say no to requests that you are not comfortable with.

  • Lock your computer, especially if you are working in a shared space.

  • Tech support scammers target remote workers. Be careful before clicking on pop-ups that claim there is a security problem with your computer or that your operating system needs to be updated.

  • Stay in touch: don't let the distance cause you to lose contact with your colleagues and your employer. Staying informed makes you less likely to fall for a scam.

Last Words

As cybercriminals adapt and put new twists on old scams, we must also adapt and adopt new security strategies. Now is the time to implement security training that incorporates the human element!
