Email impostor trickiness lures HR staff to change ADP payroll direct deposits
In these strange economic times, impostors have identified an overworked company department. With Human Resource (HR) departments handling a new onslaught of employee concerns and issues, staffing changes, and remote work policies, email imposters have inserted themselves stealthily into their world. And, they have struck gold!
CAUTION: This is complex trickery that usually results in $8-$10K mis-wired. It may be too complex for Friday afternoon reading, or $8-10K may not be a big deal to your budget. If too complex or too insignificant, feel free to forward this on to your HR team and stop reading here so you can enjoy holiday weekend activities early.
For those that need to be aware, here is the play-by-play that Tech Essentials recently recorded; and recommends you share — before May payroll goes out.
1. The HR impostor lure starts with a simple email to someone on the HR team (which they can identify through LinkedIn and other recruiting tools). They send an email posing as an employee, who we will call Tim for this example, from the employee “Tim” email address. In the email “Tim” mentions he needs to change his payroll direct deposit.
2. The HR person replies to whom they think is Tim, the employee, but it routes back to the impostor. The HR person conveniently copies the appropriate staff members, with a comment about asking them to help “Tim” get his direct deposit changed.
3. Seeing the referral email from a colleague, there is no thought of any mischief; the person in charge of payroll direct deposit details emails a form to the person posing as “Tim”. “Tim” prints the form, fills it out by hand in pen, scans it, and emails back. This pen-ink-scan process gives it a more authentic look.
4. The payroll team updates the payroll system and moves on.
5. Managers review and approve payroll amounts, as they normally do each month, but no one looks at the payroll funds transfer details again. They are saved in the payroll system.
ADP or the payroll service sends money as normal; including pay to the person posing as “Tim”.
A few days after payroll is sent, the real Tim calls the company and asks if there has been a reduction in staff, bewildered as to why he did not get paid.
Panic sets in, and soon the company realizes they paid impostor Tim. Thousands of dollars are lost and the company needs to urgently process a new payroll for the real Tim.
Executives beware; as when your office sends ADP payroll funds to an impostor bank account, the company is still responsible for paying the real employee.
A Tech Essentials tip: use of RMail email encryption and RMail Anti-Whaling services are an important part of the e-security fabric of companies around the world — remember to arm your HR staff with these tools now, before it is too late
And remember, you can install RMail & RSign free as part of the pandemic-inspired E-Sign & E-Security (Free) Work-from-Home Readiness program (click here to access).