Payroll Scam Alert
Disclosure: This post may contain affiliate links for various products. You get the same low prices and we earn a small commission.

I just got an email from an employee… or from someone pretending to be the employee. They wanted me to change the bank account prior to the next payroll cycle. But this is a payroll scam, where the scammer tries to divert a legitimate payment to their own bank account.

The Checking Account Scam

This is a common scam that targets employers constantly. Unfortunately.

In short, you receive an email from an employee, asking you (the employer) to change the employee’s bank account.

Here’s the one I just received:

Text of the scam email:
Hello,

Could you please spare a moment to assist switch my checking account info to another account of mine  for the next payroll.? I've an issue with the current one on  file.

But here’s the thing: the request is not coming from the employee. It’s a fake email.

So if you change the bank account, the pay would not go to the employee. It would go to the scammer’s bank account instead.

Now, on this one, it was obvious. The individual that the request came in for is no longer employed. And I’ve kept in touch with this employee, and I know that it is not their personal email address. So I texted the individual to let them know that someone is out there impersonating them.

But sometimes, it is not so obvious. Especially in larger organizations.

What’s the Risk to the Company?

There are risks to the company when it falls victim to this scam. After all, when the payroll direct deposit goes to another checking account, the employee hasn’t been paid. And they still need to be paid.

But it’s not as simple as giving them a new payroll run or a check. In Georgia, as in most states, there can be additional liability – for the expenses caused by the missed deposit (say their rent check bounced and their landlord charged a returned-check fee) and for attorneys’ fees. Liquidated damages can be as much as the original unpaid wages, and some states set even higher limits – like three times the original wages.

It’s also important to note that not paying employees puts personal liability on owners and officers.

There’s also the time and expense it takes to correct the error. From reporting the erroneous deposit and trying to recover the money, to dealing with law enforcement, to making the employee whole, all of that takes time away from the things that move the business forward.

Best Practices to Stop This Payroll Scam

When you have a lot of employees, changing a bank account is a routine event. So this isn’t just about stopping the scam: good policies and procedures also reduce the work on your payroll team (or finance, HR, or admin team, depending on the size of your business).

While we cannot stop all scams, this is one that we can definitely work to minimize.

The TL;DR version: don’t act on the one email you received. Verify the request through a second, independent channel – the same idea as multi-factor authentication, applied to a business process.

Require All Changes Through Payroll/HRIS System

When I was in-house as the Chief Financial and Legal Officer, I had to require that all employees use the HRIS system to update their tax reporting and direct deposit information. I highly recommend that you make this your standard operating procedure in your business.

(Wait, you have an HRIS or payroll system with employee logins, right? If not, let’s talk about that… I have some suggestions, from Gusto to BambooHR to QuickBooks and more!)

By requiring the employee to use the HRIS or payroll system, we make this a self-service option. The employee has to log in with their own credentials, which is a lot more secure for us. It also reduces the work on our side – and the chance of transposing digits or mistyping the information. The protection is only as good as that login, though, so turn on multi-factor authentication for the HRIS and have the system notify the employee at the address and phone number already on file whenever bank details change; otherwise a hijacked HRIS account just moves the scam one step upstream.

Confirm in Person

If the self-service option doesn’t work for some reason, then you need to confirm the change with the employee yourself. Preferably, talk directly with the employee, in person.

If you get an email, walk over to the employee’s workstation and verify that it is in fact them requesting the change. There’s no substitute for talking directly with the employee about a change to the payroll system.

If the employee is at another location but there is a manager on site, have the manager verify the change in person. You wouldn’t want to share the account details themselves, but you can do a general verification: yes, they want to make the change, and perhaps the name of the new bank.

Remote Verification

In the era of the remote workforce, it’s not always possible to confirm in person with an employee who wants to change their bank account information. That’s where you need established procedures for verifying the request remotely.

For current employees, use company infrastructure – like Slack or Teams – to send a message, or call the phone number already on file. Don’t rely on the email you just received, since sender addresses are easily spoofed, and don’t use any phone number or address supplied in that email to do the verification.

But even then, you have to be careful. Have you heard the story of the company that was scammed out of $25 million after its CFO was deepfaked with AI? While this payroll scam is not typically going to reach millions of dollars, it is still an attractive target for scammers.

Challenge for Terminated Employees

It’s not unusual for recently terminated employees to want to make a change. Again, I generally recommend that they do this through the HRIS or payroll system.

But many companies immediately terminate access to all systems upon employee termination, which may include the HRIS/payroll system. I generally recommend that, instead of total termination, you set up a user level for terminated employees that allows access to pay stubs and tax information but limits access to the rest of the system.

If that’s not practical or desired, then you need a process for how they will communicate these changes to you (including address changes for the eventual W-2). For example, only take directions from the personal email address they provided before they left – and since even a personal mailbox can be compromised, confirm by calling the phone number on file before changing anything.

When I got this email today, one of the reasons I knew that it wasn’t a legitimate request is that it came from a random email address. Not the one I knew this employee had. That makes it easy for me to confirm that it wasn’t legitimate (not to mention that this individual wasn’t employed any longer and wouldn’t be getting any more payments).
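The two checks described above – does the sender match the address on file, and is the email itself spoofed – are easy to automate as a first-pass screen before a human does the out-of-band verification. The script below is an added example for this post, not code from the original article. The company domain, the employee roster and the three sample messages are all constructed for illustration; it flags requests whose display name belongs to a known employee but whose From address is not one of the addresses on file, and requests whose Reply-To points somewhere other than the From address (the pattern used when the From line is forged to look internal). It is a triage aid that tells the payroll team which messages to verify first, not a replacement for that verification.

```python
"""Triage a payroll-change e-mail against the contact details on file.

Added example, not code from the original post.  COMPANY_DOMAIN, the
roster and the three raw messages are constructed for illustration.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumed company mail domain (constructed)

# Constructed roster: every address the employee registered with HR in advance
# (work address plus the personal address they gave before leaving).
ADDRESSES_ON_FILE = {
    "Jane Doe": {"jane.doe@example.com", "jane.doe.personal@example.net"},
}

# Phrases that mark a request to move where money goes.
PAYMENT_WORDS = re.compile(
    r"\b(direct deposit|checking account|bank account|routing number|payroll)\b",
    re.IGNORECASE,
)

# Constructed sample 1: a real employee's name on an unknown free-mail address.
SCAM_EMAIL = b"""\
From: Jane Doe <jane.doe.8841@freemail.example>
To: payroll@example.com
Subject: Quick request

Could you please switch my checking account info to another account of
mine for the next payroll? I've an issue with the current one on file.
"""

# Constructed sample 2: From is forged to the company address; replies go elsewhere.
SPOOFED_FROM_EMAIL = b"""\
From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe.8841@freemail.example
To: payroll@example.com
Subject: Direct deposit

Please update my bank account before Friday's payroll.
"""

# Constructed sample 3: a legitimate request from the personal address on file.
LEGIT_EMAIL = b"""\
From: Jane Doe <jane.doe.personal@example.net>
To: payroll@example.com
Subject: New bank account

I switched banks; can you update my direct deposit through the portal?
"""


def _name_and_addr(header):
    """Return (display name, lower-cased address) for a header, or ('', '') if absent."""
    name, addr = parseaddr(str(header)) if header else ("", "")
    return name.strip(), addr.lower()


def sender_red_flags(msg, roster=ADDRESSES_ON_FILE):
    """Indicators that the sender is not who the display name claims to be."""
    flags = []
    name, from_addr = _name_and_addr(msg["From"])
    _, reply_to = _name_and_addr(msg["Reply-To"])
    known = {a.lower() for a in roster.get(name, set())}
    if not known:
        flags.append("display name does not match any employee on file")
    elif from_addr not in known:
        flags.append("sender address is not one of the addresses on file")
    if reply_to and reply_to != from_addr:
        flags.append("Reply-To differs from From")
    return flags


def triage(raw_bytes, roster=ADDRESSES_ON_FILE):
    """Parse one raw message; report whether it asks to move money and why it looks off."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    text = f"{msg['Subject'] or ''}\n{body}"
    return {
        "payment_change": bool(PAYMENT_WORDS.search(text)),
        "red_flags": sender_red_flags(msg, roster),
    }


if __name__ == "__main__":
    for label, raw in [("scam", SCAM_EMAIL), ("spoofed", SPOOFED_FROM_EMAIL), ("legit", LEGIT_EMAIL)]:
        print(label, triage(raw))
```

Note that the legitimate sample still comes back as a payment change with no red flags: that is by design, since the post's rule is that every such request gets verified through a second channel. The red flags only decide which ones the payroll team treats as hostile from the start.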

Train Your Payroll Team

Our people are our first line of defense, but also the weakest link in the defense.

One of the best things you can do is make sure that your payroll team is paranoid AF. Seriously, they should assume that any request to change banking details is illegitimate until proven otherwise. This is a guilty-until-proven-innocent kind of situation.

Need Help Stopping Payroll Scams?

Maybe because I’ve been through a ransomware event at a prior company or my time at Georgia Tech, cybersecurity is one of my favorite topics. I work with companies to continually upgrade their policies and procedures to reduce the risk of scams. I’ve trained teams to identify and be paranoid about these issues.

If you want help with your financial policies and procedures, then let’s chat!
