How to Avoid Falling Victim
Marshfield, WI (OnFocus) Cybercrimes against businesses have been increasing at a steady pace and Hawkins Ash CPAs is encouraging local businesses to be aware of and alert to the problem.
“We have heard of various companies being targeted,” said Matt Eckelberg, partner in the Marshfield office of Hawkins Ash CPAs. “Scammers are targeting the HR functions or bookkeepers of all types of businesses with the goal of convincing them to change direct deposit information to fraudulent bank accounts.”
As part of the crime, the scammer first sends an email impersonating an employee – often an executive or business owner – to the bookkeeper or person in charge of payroll.
“Typically, this email poses as the personal email of the employee,” said Eckelberg.
Posing as the employee, the scammer asks to change his or her bank deposit information. The payroll or HR person then responds to this fraudulent personal email address with the form needed to change the direct deposit information.
Next, the scammer completes the form with an offshore account or other untraceable bank account and sends the form back to HR. Once the HR person changes the bank information in the payroll system, the next paycheck goes into the fraudulent account instead of the correct account. By the time this is discovered by the employee and/or the payroll or HR person who made the change, it is too late.
Another scam involves wire transfers or vendor payments, where the email impersonates a company executive and is sent to the company employee responsible for wire transfers. The email requests a wire transfer be made to a specific account that is controlled by the scammer. After the employee makes the wire transfer, the funds are gone.
To prevent this crime from happening, Eckelberg encourages discussing this potential risk with all levels of employees.
“Make everyone aware of them so no one falls victim to them,” said Eckelberg. “You can have training on IT security, but human error still exists and can cause this scam to be successful.”
Steps businesses can take to avoid falling victim to cybercrime include:
- Train employees, especially those with any access to payroll records or bank information, to question the email if the request doesn’t make sense.
- Initiate a policy that states HR or payroll needs to speak, in person or via phone, with the person the email supposedly came from before any changes are made.
- Require that all direct deposit form changes include some personal information that a scammer will not know (example: Employee ID#).
- Require the form be signed and returned via mail or in person to the HR department versus allowing everything to be done via email.
“It is very important to talk to employees about what procedures are in place when they get these direct email requests,” said Eckelberg. “If the owner tells an employee to do something, they will typically do it. This is why the scam is so successful. If you have talked about the situation ahead of time, employees may be more apt to make that phone call to verify it is not fraudulent versus going ahead and doing what they are told to do without asking questions.”
A company’s security is only as good as its weakest link, and Hawkins Ash CPAs encourages all local businesses to take the steps required to avoid falling victim to cybercrime.