Phishing Attack Reroutes Direct-Deposit Paychecks

Posted on March 23, 2018 by Admin

Cyber scams are popping up like never before. One of the latest includes email phishing tricks that end up hacking your paycheck and rerouting it to another account–the hackers’! A recent report by the Better Business Bureau (BBB) exposes this latest phishing scam and how to best protect your paycheck from being the next victim. Both employees and employers can be on the losing end of this successful hack.

The BBB has identified three steps hackers use to gain your trust and your money. It starts with a friendly-looking email posing as your employer, payroll service, or another reliable source. The email asks you to take a survey or fulfill some other simple request that requires you to click a link or visit another website. That site then asks you to confirm your identity by typing in your password or other sensitive credentials.

Once those login credentials are entered, your paycheck is gone in a heartbeat. Hackers can use your identity to access your employer’s payment portal. From there, your direct-deposit paycheck is rerouted to another account. The hacker can also change your password, gaining total control of your account. Hackers can even have any alerts from your employer or payroll service routed directly to your spam folder, where you’ll likely never see them.

Looking forward to payday can become a nightmare, but there are security steps you can take:

Immediately report anything you deem suspicious to your employer. Phishing emails or other questionable contact such as text messages should be handled by your employer and not by you.

Use two-step or multi-step verification whenever possible. This allows a second layer of protection for an online account. This verification requires a separate action by you to access an account. It may be a code sent in a text or email message that you need to enter before access is granted. It may also be a randomly generated code from a fob.

Always verify the URL of an email sender. Hovering your cursor over the sender’s address gives an option for information about the sender, including security certificates (if they have them). Hovering over a link exposes the URL you’ll be sent to should you click on it. Check carefully for subtle misspellings or odd punctuation in the address. Check for the secure lock icon in the address bar, as well as “https” rather than “http” before the web address.

Pick up the phone and verify. Should you doubt an email sender’s identity, call the business or service they claim to represent. Tell them you just received an email regarding your account security, or whatever the email concerned. They should be able to confirm, or deny, the email’s authenticity.
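The hover-and-inspect checks above (plain http, link text that does not match the real destination, a subtly misspelled host) can be applied mechanically to an email body. This is an added example, not code from the original post or the BBB report; the trusted payroll hostnames and the sample email are constructed assumptions.

```python
import re
from difflib import get_close_matches
from urllib.parse import urlparse

# Constructed assumption: hostnames an employee legitimately uses for payroll.
TRUSTED_HOSTS = {"payroll.example-employer.com", "login.example-payroll.com"}
# Good enough for a demo mail body; a real filter would use an HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE_RE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def audit_link(href, text):
    """Return the warnings a careful reader would raise after hovering over a link."""
    warnings, target = [], urlparse(href)
    host = (target.hostname or "").lower()
    if target.scheme != "https":
        warnings.append("not https")
    # Visible text that reads like a URL but points elsewhere is a classic lure.
    if URL_LIKE_RE.fullmatch(text):
        shown = urlparse(text if "://" in text else "https://" + text).hostname
        if shown and shown.lower() != host:
            warnings.append(f"text shows {shown} but link goes to {host}")
    if host not in TRUSTED_HOSTS:
        # A near miss against a trusted host is the subtle misspelling the BBB warns about.
        close = get_close_matches(host, TRUSTED_HOSTS, n=1, cutoff=0.8)
        warnings.append(f"{host} looks like {close[0]} (subtle misspelling)" if close
                        else f"{host} is not a known payroll host")
    return warnings


def audit_email(html_body):
    """Map every link in the email to its warnings (an empty list means it passed)."""
    return {href: audit_link(href, re.sub(r"<[^>]+>", "", text).strip())
            for href, text in ANCHOR_RE.findall(html_body)}


# Constructed sample: a lookalike survey link (digit 1 for letter l, plain http) next to a genuine one.
SAMPLE_EMAIL = (
    '<p>Please complete our survey: <a href="http://payroll.example-emp1oyer.com/survey">'
    "payroll.example-employer.com</a></p>"
    '<p>Or sign in at <a href="https://login.example-payroll.com/">our portal</a>.</p>'
)

if __name__ == "__main__":
    for link, problems in audit_email(SAMPLE_EMAIL).items():
        print(link, "->", problems or "looks consistent")
```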

Posted in Cybersecurity, Social Engineering