BEC payroll diversion fraud: What it is, and how to prevent it

Colin Holder, Mon Jun 30 2025, 4 min read

In business email compromise (BEC) payroll diversion fraud, cybercriminals steal employees' wages by diverting the payments to their own accounts.

This type of fraud is relatively simple to execute. It has become more prevalent in recent years as organizations have embraced remote working and distributed teams. With colleagues and teams more isolated from one another, spotting suspicious activity has become more challenging.

Let's look at how payroll diversion fraud works and what you can do to prevent it.

How is payroll diversion fraud executed?

Typically, payroll diversion fraud is a one-time attack carried out in a series of steps:

  • The fraudster identifies and researches the target: The fraudster chooses an organization to target, and gathers information about its employees and payroll team.

  • The fraudster sends a request to the payroll team: The fraudster mimics an employee's email address to ask the payroll team to update their bank details. The update points to the fraudster's account. This can be a mule account taken over in an account takeover (ATO), or a fake account created through digital identity fraud.

  • The payroll team actions the request: The employee is unaware of the change, and the payroll team is unaware that they've been tricked.

  • The company pays the employee’s wages to the fraudster: Payday arrives, but the employee receives no cheque. They complain to payroll and the fraud is discovered, but the fraudster already has the money.

How do the fraudsters prepare the attack?

Fraudsters prepare by gathering information from various sources, including:

  • Professional networking sites: Fraudsters identify their targets using platforms such as LinkedIn and ZoomInfo. These provide a wealth of information about people, their jobs, and their contact details. This shows why it's important to manage your digital footprint and think carefully about what you share online.

  • Corporate websites: Some organizations publish the email addresses for teams such as payroll or HR on their public websites.

  • Criminal forums: The dark web is the underworld of the Internet. Fraudsters go there to buy and sell information about people and organizations, such as email addresses, passwords, credit card numbers, and more. The information may have been stolen through phishing, data breaches, or infostealer malware. Alternatively, it may have been purchased legitimately from marketing or credit agencies.

Risk factors and vulnerabilities for payroll diversion fraud

Certain factors can put your organization at a higher risk of payroll diversion fraud. These include:

  • A lack of verification procedures: Many payroll departments act on email requests without verifying them first.

  • Remote work environments: In global organizations, colleagues and teams can be located far apart and never get to know each other. This can make them less likely to recognize suspicious activity or question unusual requests.

  • High-volume payroll processing: In larger organizations, payroll teams can process multiple change requests routinely each month. Fake requests may not stand out, and the team might not notice an increase in requests.

Payroll fraud prevention strategies for your organization

Security awareness training for your employees

Educate everyone in your organization about phishing and BEC fraud. Ensure that they understand the risks and know how to recognize and report suspicious messages.

Secure payroll systems

Don't use email for requests to update personal information such as bank account details. Instead, use a secure portal with multi-factor authentication (MFA).

Verification protocols

Require your employees to authenticate any change requests and confirm them through a second channel.

Email spoofing protection

Prevent email spoofing by using the SPF, DKIM, and DMARC protocols together: SPF and DKIM let receiving servers check that a message really came from your domain, and DMARC tells them to reject or quarantine messages that fail those checks.
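A defender's first check is whether the domain's own records are actually strong enough to stop a spoofed "employee" request. The following Python script is an added example, not Cybercheck's code: it parses SPF and DMARC TXT records and lists weaknesses (a permissive `all` mechanism, `p=none`, partial `pct`, no reporting address, weaker subdomain policy). The record strings and domain names are constructed for illustration; in practice you would fetch the TXT records from DNS first.

```python
"""Assess SPF and DMARC TXT records for weaknesses (added example, not Cybercheck code).

Runs offline on constructed record strings; a real check would first fetch
the TXT records for the domain and for _dmarc.<domain> from DNS.
"""

# Constructed sample records: one weakly configured domain, one hardened.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailer.example ?all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 include:_spf.mailer.example -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strong.example",
    },
}


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' record (DMARC style) into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(spf: str) -> list:
    """Return a list of weaknesses found in an SPF record (empty = fine)."""
    findings = []
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record missing or malformed"]
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF ends in +all: any host may send as this domain")
    elif last == "?all":
        findings.append("SPF ends in ?all (neutral): unauthorized senders are not rejected")
    elif last == "~all":
        findings.append("SPF ends in ~all (softfail): relies on DMARC to reject")
    elif last != "-all":
        findings.append("SPF has no 'all' mechanism: unlisted hosts get a neutral result")
    return findings


def assess_dmarc(dmarc: str) -> list:
    """Return a list of weaknesses found in a DMARC record (empty = fine)."""
    findings = []
    tags = parse_tags(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC record missing or malformed"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail lands in spam rather than being rejected")
    elif policy != "reject":
        findings.append("DMARC p tag missing or invalid")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only part of the mail stream")
    if "rua" not in tags:
        findings.append("DMARC has no rua address: no aggregate reports, so spoofing goes unseen")
    # sp defaults to p, so a missing sp is fine when p=reject.
    if policy == "reject" and tags.get("sp", "reject").lower() != "reject":
        findings.append(f"DMARC sp={tags['sp']}: subdomains are weaker than the organizational domain")
    return findings


def assess_domain(records: dict) -> dict:
    """Assess a domain's SPF and DMARC records together."""
    return {
        "spf": assess_spf(records.get("spf", "")),
        "dmarc": assess_dmarc(records.get("dmarc", "")),
    }


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        result = assess_domain(records)
        issues = result["spf"] + result["dmarc"]
        print(domain, "->", issues or ["no weaknesses found"])
```

Run it as-is to see the weak domain flagged for `?all` and `p=none` while the hardened domain passes clean. Note that a strong DMARC policy only protects mail that claims to come from your exact domain; a lookalike domain registered by the fraudster is not covered, which is why the verification step below still matters.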

Automatic anomaly detection

Automated anomaly detection systems can flag suspicious activity that people might not notice, such as multiple bank account changes in a short time.
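To make that concrete, here is an added Python example (not Cybercheck's product code) that runs three checks over a payroll audit log of bank-detail change requests: a burst of changes inside one window, as the paragraph describes, plus two extensions that go beyond it, namely one destination account shared by several employees, and requests sent from a domain other than the corporate one (the lookalike-domain case from the attack steps above). The log records, the corporate domain `example.com`, the lookalike `examp1e.com`, and the thresholds are all constructed for illustration.

```python
"""Flag suspicious payroll bank-detail changes from an audit log.

Added example, not Cybercheck code. All records, domains and thresholds
below are constructed; a real deployment would read the payroll system's
audit trail and tune the thresholds to its normal change volume.
"""
from collections import defaultdict
from datetime import datetime, timedelta

CORPORATE_DOMAIN = "example.com"      # assumed corporate mail domain
BURST_THRESHOLD = 3                   # more than this many changes ...
BURST_WINDOW = timedelta(hours=24)    # ... inside this window is a burst

# Constructed audit log: one record per bank-detail change request.
# 'account' is the (masked) destination account the change points to.
SAMPLE_LOG = [
    {"ts": "2025-06-02T09:12:00", "employee": "E1001", "requester": "a.smith@example.com", "account": "****1234"},
    {"ts": "2025-06-09T10:30:00", "employee": "E1002", "requester": "b.jones@example.com", "account": "****5678"},
    {"ts": "2025-06-24T08:05:00", "employee": "E1003", "requester": "c.lee@examp1e.com", "account": "****9999"},
    {"ts": "2025-06-24T08:41:00", "employee": "E1004", "requester": "d.kim@example.com", "account": "****9999"},
    {"ts": "2025-06-24T11:17:00", "employee": "E1005", "requester": "e.ng@examp1e.com", "account": "****9999"},
    {"ts": "2025-06-24T15:58:00", "employee": "E1006", "requester": "f.ali@example.com", "account": "****4242"},
]


def parse_log(records):
    """Parse timestamps and return the records sorted by time."""
    out = []
    for r in records:
        rec = dict(r)
        rec["ts"] = datetime.fromisoformat(r["ts"])
        out.append(rec)
    return sorted(out, key=lambda r: r["ts"])


def detect_bursts(records, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return indexes of records that sit in any window holding more than `threshold` changes."""
    flagged = set()
    for i, start in enumerate(records):
        j = i
        while j < len(records) and records[j]["ts"] - start["ts"] <= window:
            j += 1
        if j - i > threshold:
            flagged.update(range(i, j))
    return flagged


def detect_shared_accounts(records):
    """Map each destination account used by more than one employee to those employees."""
    by_account = defaultdict(set)
    for r in records:
        by_account[r["account"]].add(r["employee"])
    return {acct: emps for acct, emps in by_account.items() if len(emps) > 1}


def requester_domain(address):
    return address.rpartition("@")[2].lower()


def detect_foreign_requesters(records, domain=CORPORATE_DOMAIN):
    """Return records whose request came from a domain other than the corporate one."""
    return [r for r in records if requester_domain(r["requester"]) != domain]


def analyze(raw_records):
    """Run all checks and return {employee_id: [reasons]} for flagged changes."""
    records = parse_log(raw_records)
    findings = defaultdict(list)
    for i in sorted(detect_bursts(records)):
        findings[records[i]["employee"]].append("part of a burst of bank-detail changes")
    for acct, emps in detect_shared_accounts(records).items():
        for emp in sorted(emps):
            findings[emp].append(f"destination account {acct} shared with {len(emps) - 1} other employee(s)")
    for r in detect_foreign_requesters(records):
        findings[r["employee"]].append(f"request came from non-corporate domain {requester_domain(r['requester'])}")
    return dict(findings)


if __name__ == "__main__":
    for emp, reasons in analyze(SAMPLE_LOG).items():
        print(emp, "->", "; ".join(reasons))
```

With the sample log, the two routine changes in early June are left alone, while the four changes on 24 June are flagged as a burst, three of them for pointing at the same account, and two for coming from the lookalike domain. The shared-account rule is the strongest signal here: there is no legitimate reason for several employees' wages to be redirected to one new account, so a hit should hold the payroll run until each employee has confirmed the change through a second channel.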

Credential and PII monitoring, and cyber threat intelligence (CTI)

CTI and dark web monitoring solutions like Cybercheck scan criminal forums, marketplaces, and groups for compromised credentials. If bad actors are trading information about you or your organization, you're alerted immediately. That means you can change passwords and block accounts to shut out attackers before they strike.

With the right technology and heightened awareness, you can significantly mitigate the risk of payroll diversion fraud and prevent your employees from becoming the fraudsters' next victims.
