Payment fraudsters are looking to get between consumers and their paychecks. To that end, the the Internet Crime Complaint Center (IC3), a hub to bring complaints to the Federal Bureau of Investigation (FBI), is eyeing payroll fraud.
In an alert issued this week, the IC3 said it has received complaints that cybercriminals are targeting the online payroll accounts of various employees across several verticals, most notably education, healthcare and commercial aviation.
The methods those bad actors use — and which have been documented in this space — include phishing attempts to gain access to individuals’ credentials. With those credentials in hand, the cybercriminal can access payroll accounts and subsequently change bank account information. As an extra measure that the fraud can persist, the criminal can also alter alert settings, which would prevent the true account owner from being given a heads-up that those details have been changed. The deposits? Often steered toward a prepaid card owned by the cybercriminal, said IC3.
Among the efforts IC3 offered as countermeasures: Employees should “hover their cursor over hyperlinks” to ensure that they can trace back to companies the individual can identify. In addition, login credentials for payroll data should be different from those seen elsewhere in the organization.
Across The Pond
Beyond the confines of one methodology (payroll fraud, as detailed above), Europol has issued a cybercrime report that has taken note of certain attack methods. Ransomware is in there, of course, where a methodology shift is underway — i.e. criminals are less random in their approach and now target specific companies and individuals.
Mobile malware is on the upswing, said the report, targeting mobile banking. In Europe, especially, nations must be on the lookout for payment card fraud. As reports noted, card-not-present (CNP) continues to be a threat as EMV compliance spreads. Beyond that, according to Europol, PSD2 “may introduce new opportunities for crime.” The introduction of open APIs may open the door to threats, and if a third-party provider is breached, then banking clients may also be exposed. In addition, said Europol, instant payments reduce the time financial institutions (FIs) have to intervene in a transaction and may challenge detection.
The contention that new (and faster) payment methodologies may attract fraud attempts has centered on ACH. As noted in the Credit Union Times, monthly ACH volume is now at an all-time high. The transaction tally is at $4.5 trillion, as logged in August and computed by NACHA. In terms of growth, that is up 10 percent year on year, 12 percent in dollar terms. Amid those figures, B2B transactions are up 13 percent and stand at 16 percent of ACH volume.
However, with the backdrop of Same Day ACH and with extended windows, increased transaction times and same-day settlement, fraud risks are still there. GIACT said in a white paper this week that older methods of protection efforts, such as trial deposits, may not be effective with the new changes coming into place.
Separately, Reuters reported Thursday (Sept. 20) that, according to the U.S. Securities and Exchange Commission (SEC), Barrett Business Systems, Inc. (BBSI) and its former controller, Mark Cannon, have agreed to settle civil charges of accounting fraud tied to workers’ compensation. The firm agreed to pay $1.5 million in civil penalties without admitting or denying wrongdoing.
On another note, criminal charges were filed against the former BBSI CFO, James Miller. Cannon, who paid $20,000 in penalties, was charged with improperly approving some of Miller’s accounting entries. As a result, the firm under-reported $12 million in workers’ comp.