Con men have been exploiting human psychology since the dawn of time. Equipped with the capabilities of the digital age, they now have the means to launch voluminous, lucrative con schemes at a global scale. Business email compromise (BEC), or whaling, is one such targeted scheme in which the con men send the target an email message purporting to be from the company’s CEO or an executive, demanding a wire transfer. To appear legitimate, the messages often forge the sender’s address on the From: line and direct replies to a separate Reply-To: address controlled by the scammers.
We’ve written several times over the past few years about business email compromise (BEC) and how it has become a leading financial threat to any organization. More recently, a BEC variation has emerged that is becoming quite prevalent. This variation is known as a “Payroll Scam” and is the subject of this blog.
Imagine the pain of not getting paid on your payday. That pain quickly shifts to agony, anguish, torture and suffering when you learn that the payroll department of your company transferred your salary to a new bank account at your request – a request you never made!
In Payroll scams, cybercriminals target individuals in an organization’s HR department, Payroll department, Finance department or direct line managers, with the goal of conning them into transferring an employee’s salary into accounts controlled by the scammers. The targets are sent spoofed email messages purporting to be from the company’s CEO, executives or employees, requesting a change to their direct deposit payroll account. The unsuspecting targets, usually payroll or HR staff, change the account, leading to a successful salary transfer to the scammers. It often takes one or two missing salaries before the unaware victim realizes what has happened and reports the matter to the authorities.
To make the scam a success, cybercriminals continue with the tactics learned from general BEC wire transfer scams. These tactics include:
After analyzing numerous Payroll scam messages, we have categorized them as follows:
Before launching the attack, the cybercriminals perform the necessary reconnaissance against a target organization and identify individuals in HR, Payroll, Finance or direct line management who have the power to change an employee’s payroll account. Searching for such titles on the company’s website, googling for similar titles or searching professional public networks like LinkedIn helps identify the right targets. Once the targets are identified, the attack is launched. Here are some anonymized examples of the initial lure messages as seen in the field:
This category is the most widely used among all scam messages seen. The general theme is that the CEO of the company is sending an email message to the company’s payroll manager demanding a change to the payroll direct deposit account, followed by a demand for urgency in handling the request. The CEO’s name is used in the display name part of the From field to appear legitimate, with common subject lines like “Payroll Update”, “Payroll Request” and “Change Payroll”.
Sometimes additional phrases are used to stress the urgency of the matter. In the example below the scammers warn that the previous bank account will become inactive in 30 days.
With many companies using rules to scrutinize external emails from CEOs, the more careful attackers avoid using the CEO’s name and, in the process, increase their success rate by impersonating the company’s executives (VPs, Directors) instead. The names and titles of the executives are often available on the company website or could be harvested from the corresponding LinkedIn profiles.
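As an added illustration (not code from the original post or from Trustwave), here is a small Python check that encodes the lure characteristics described so far: an executive’s name in the From: display name but an external sending domain, a Reply-To: pointing at a different domain than From:, and a payroll-themed subject. The organization domain, executive names and the sample message are all constructed assumptions.

```python
import email
from email.utils import parseaddr

# Constructed assumptions: the organization's own domain and the display
# names of executives that scammers would impersonate in the From: field.
INTERNAL_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe", "john roe"}   # hypothetical CEO and VP
PAYROLL_KEYWORDS = ("payroll", "direct deposit", "bank account", "wage")


def _domain(addr_header):
    """Lower-cased domain part of an address header such as 'Name <u@d>'."""
    return parseaddr(addr_header)[1].rpartition("@")[2].lower()


def score_message(raw):
    """Return the list of payroll-scam indicators found in a raw RFC 822 message."""
    msg = email.message_from_string(raw)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    # Executive display name arriving from outside the organization.
    if name.strip().lower() in EXECUTIVE_NAMES and from_domain != INTERNAL_DOMAIN:
        reasons.append("executive display name from external domain")
    # Replies steered to a mailbox the scammers control.
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(reply_to) != from_domain:
        reasons.append("Reply-To domain differs from From domain")
    # Subject lines typical of the lure ("Payroll Update", "Change Payroll").
    subject = (msg.get("Subject") or "").lower()
    if any(k in subject for k in PAYROLL_KEYWORDS):
        reasons.append("payroll-related subject")
    return reasons


# Constructed sample lure in the "CEO to Payroll Manager" style.
SAMPLE_LURE = """\
From: Jane Doe <jane.doe.ceo@freemail.example>
Reply-To: Jane Doe <ceo-office@another.example>
To: payroll@example.com
Subject: Payroll Update

I need my direct deposit account changed before the next pay run. Handle this today.
"""

if __name__ == "__main__":
    for reason in score_message(SAMPLE_LURE):
        print("flag:", reason)
```

A mail-gateway rule would quarantine or tag a message once two or more indicators fire, rather than on the subject keyword alone.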
The scam follows a similar message template, with the exception that the order turns into a request to the Payroll department to update the direct deposit information for the employee’s or executive’s salary/wage account. Similarly, instead of demanding urgency, they resort to more polite statements such as “please assist”, “please advise” and “kindly help”. This makes it more appropriate for the persona of an employee sending a request to the Payroll department, rather than the CEO demanding completion of a task. Some screenshots of such messages are shown here:
This scam is very similar to the previous category. The only difference is that the target is the HR Manager instead of the Payroll Manager. Again, the scammers carefully study the organization and determine the roles of HR. In some organizations, HR has authority to perform the payroll account changes for employees. In others, this role comes under Payroll or Finance department only; hence, in that case HR would serve as a proxy for the scammers in forwarding the request to the payroll manager without raising any suspicion.
This is yet again a very cunning variation of the scam. This time the target is the direct line manager of an employee, in effect using the line manager as the proxy to talk to the payroll department and get the change made. In this scam, the scammers study who the line manager of an employee is and send the payroll change request to the line manager while impersonating the employee.
Here are some interesting trends seen in Payroll scams
Cybercriminals are leveraging social engineering techniques to trick employees in an organization. Fraud tactics continue to evolve with payroll fraud being a new weapon in the arsenal of the BEC scammers. Payroll scams are carried out by scammers who send fake email messages impersonating an executive or an employee of an organization to deceive trusted managers in the HR and Payroll departments, requesting them to change the employee’s payroll bank account to that controlled by the scammer. These actions lead to monetary loss and irritated employees.
BEC Fraud is increasingly big business for the scammers. Organizations have deeper pockets than individuals, and the scam preys on the willingness of employees to trust emails that are purportedly coming from executives or employees within the organization. The number of scammers jumping on this bandwagon has increased markedly, as it has proven lucrative for them.
The BEC scammers continue to evolve their techniques to further their objectives. We have witnessed an increase in BEC attacks that are now targeting all organizations big or small across different industry sectors. The menace of BEC is very real and is costing businesses real money.
Trustwave Secure Email Gateway (SEG) and SEG Cloud customers have a range of features available to them to help counteract BEC Fraud, including rules and specialized filters that are aimed squarely at the unique nature of BEC scams. It's a complex area, and to help explain it we have produced a couple of in-depth documents that provide considerable background detail and configuration options. These details are included in our BEC Fraud Protection Guides, which are available in the documentation area of the website (customer login required). The SEG Cloud guide can be found here.