Last year, the FBI issued a warning regarding BEC (Business Email Compromise) scams. Unfortunately, security professionals report that those types of scams are increasing in frequency, and worse, the most recent ones come with a disturbing new twist. The latest incarnation of the scam targets employees, seeking to move their direct deposited paychecks into accounts controlled by the hackers.
The execution is simple enough. All a hacker needs is the same information as what they get when they steal a person's identity. Armed with a target's email address and banking information, all a hacker has to do (in most cases) is send a formal request to HR, explaining that the target has a new bank account and asking that the paycheck be sent to the details provided.
It all seems legit to the HR personnel receiving the request, because all of the information is accurate. In a growing number of cases, nobody even thinks to check or confirm that the switch has been authorized by the employee in question.
One of the researchers who has been following the growth in popularity of this approach had this to say about guarding against it:
"If a two-factor online system is not being used, we recommend ensuring an element of human contact is established before completion of the request, in addition to checking that the email address is from a legitimate source."
How big a problem is this type of thing?
According to the latest FBI statistics, between October 2013 and May 2018, businesses suffered total losses estimated at more than $12 billion, worldwide. If that doesn't get your attention, few things will. This is a large and growing problem, but thankfully, it's one that can be easily fixed by putting a few additional common sense safeguards in place.