Con men have been exploiting human psychology since the dawn of time. Equipped with the capabilities of the digital age they now have the means to launch voluminous lucrative con schemes at a global scale. Business email compromise (BEC) or whaling is one such targeted scheme where the con men send the target an email message purporting to be from the company’s CEO or executive demanding a wire transfer. To appear legitimate, the messages often forge the sender’s address on the From: line and direct replies to a separate Reply-To: address controlled by the scammers.
We’ve written several times over the past few years about business email compromise (BEC) and how it has become a leading financial threat to any organization. More recently, a BEC variation has emerged that is becoming quite prevalent. This variation is known as a “Payroll Scam” and is the subject of this blog.
Imagine the pain of not getting paid on payday. That pain quickly shifts to agony, anguish, torture and suffering when you learn that your company’s payroll department transferred your salary to a new bank account at your request – a request you never made!
In Payroll scams, cybercriminals target individuals in an organization’s HR department, Payroll department, Finance department or direct line managers with the goal to con them into transferring their employee’s salary into accounts controlled by the scammers. The targets are sent spoofed email messages purporting to be from the company’s CEO, executives or employees requesting to change their direct deposit payroll account. The unsuspecting targets, usually payroll or HR staff, change the account leading to successful salary transfer for the scammers. It often takes one or two missing salaries before the unaware victim realizes and reports the matter to the authorities.
To make the scam a success, cybercriminals continue with the tactics learned from general BEC wire transfer scams. These tactics include:
- Using a legit employee’s name and spoofed email in the From field, while using a newly created email address, often created with free email hosting service providers, in the Reply-To field.
- Using a legit employee’s name and fake email in the From and Reply-To fields. The fake email address is often created with free email hosting service providers.
- Using a legit employee’s name in the From display name field, while using a fake email address in the From email address part.
- The email address used by the scammers in the From or Reply-To fields is often created using free email services. Sometimes these email addresses use recently registered domains that are controlled by the scammers.
After analyzing numerous Payroll scam messages, we have categorized them as follows:
- Messages sent from CEO to Payroll Manager
- Employee to Payroll Manager
- Employee to HR Manager
- Employee to direct line manager
Before launching the attack, the cybercriminals perform the necessary reconnaissance against a target organization and identify individuals in HR, Payroll, Finance or direct line management that have the power to change an employee’s payroll account. Searching for such titles on the company’s website, googling for similar titles, or searching professional public networks like LinkedIn helps identify the right targets. Once the targets are identified, the attack is launched. Here are some anonymized examples of the initial lure messages as seen in the field:
Messages sent from CEO to Payroll Manager
This category is the most widely used among all scam messages seen. The general theme is that the CEO of the company sends an email message to the company’s payroll manager demanding a change to the payroll direct deposit account, followed by a demand for urgency in handling the request. The CEO’s name is used in the display name part of the From field to appear legitimate, with common subject lines like “Payroll Update”, “Payroll Request” and “Change Payroll”.
Sometimes additional phrases are used to stress the urgency of the matter. In the example below the scammers warn that the previous bank account will become inactive in 30 days.
Executive/Employee to Payroll Manager
With many companies using rules to scrutinize external emails from CEOs, the more careful attackers avoid using the CEO’s name and, in the process, increase their success rate by impersonating the company’s executives (VPs, Directors) instead. The names and titles of the executives are often available on the company website or could be harvested from the corresponding LinkedIn profiles.
The scam follows a similar message template, with the exception that the order becomes a request to the Payroll department to update the direct deposit information for the employee’s or executive’s salary/wage account. Similarly, instead of demanding urgency, the scammers resort to more polite statements such as “please assist”, “please advise” and “kindly help”. This is more appropriate for the persona of an employee sending a request to the Payroll department than for a CEO demanding completion of a task. Some screenshots of such messages are shown here:
Executive/Employee to HR Manager
This scam is very similar to the previous category. The only difference is that the target is the HR Manager instead of the Payroll Manager. Again, the scammers carefully study the organization and determine the roles of HR. In some organizations, HR has authority to perform the payroll account changes for employees. In others, this role comes under Payroll or Finance department only; hence, in that case HR would serve as a proxy for the scammers in forwarding the request to the payroll manager without raising any suspicion.
Employee to Direct line manager
This is yet again a very cunning variation of the scam. This time the target is the direct line manager of an employee, in effect using the line manager as the proxy who talks to the payroll department to get the change made. In this scam, the scammers work out who an employee’s line manager is and send the payroll change request to that manager while impersonating the employee.
Payroll Scam Stats
Here are some interesting trends seen in Payroll scams:
- Most (around 95%) of the email addresses used by the Payroll scammers in the From or Reply-To fields are created using free email services such as Gmail, AOL, TWC/RoadRunner, Lycos, Cox, Outlook and Inbox.lv. The email service used to carry out the attack varies from campaign to campaign and probably depends on the preference of the scammers. Around 5% of emails use custom domains registered by the scammers.
- Common Subject lines used across most of these messages include: “Direct Deposit change”, “Payroll update”, “DD update”, “Request”, “Account Update”, “Quick response”, “Change bank info”, “Available”.
- Common phrases used in the body of most messages include: “Change my payroll direct deposit” and “Update my bank details for my monthly salary”.
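The header tactics listed earlier (a legitimate name in the From display name over a foreign address, or a clean From with a diverted Reply-To) and the statistics above (free webmail domains, a small set of recurring subject lines and body phrases) can be turned into a simple triage rule on the receiving side. The script below is an added example written for this post; it is not Trustwave SEG logic. The employee directory, the corporate domain, the four sample messages and the mapping of the named free services to domain names are all constructed or assumed for the illustration.

```python
"""Heuristic triage of inbound payroll-change emails.

Added illustration of the From/Reply-To tactics and the free-mail and
subject-line statistics described in the post. Not Trustwave SEG code;
the directory, domains and messages below are constructed.
"""
from email import message_from_string
from email.policy import default as DEFAULT_POLICY
from email.utils import parseaddr

# Constructed directory: lower-cased display name -> the only legitimate address.
EMPLOYEE_DIRECTORY = {
    "jane doe": "jane.doe@example-corp.com",
    "mark smith": "mark.smith@example-corp.com",
}

# Assumed domains for the free services the post names
# (Gmail, AOL, TWC/RoadRunner, Lycos, Cox, Outlook, Inbox.lv).
FREEMAIL_DOMAINS = {
    "gmail.com", "aol.com", "rr.com", "twc.com", "lycos.com",
    "cox.net", "outlook.com", "hotmail.com", "inbox.lv",
}

# Lure vocabulary quoted in the stats section, lower-cased. The generic
# ones ("request", "available") are noisy on their own, which is why a
# vocabulary hit only counts together with a sender anomaly below.
SUBJECT_KEYWORDS = (
    "direct deposit change", "payroll update", "dd update", "request",
    "account update", "quick response", "change bank info", "available",
    "payroll",
)
BODY_PHRASES = ("change my payroll direct deposit", "update my bank details",
                "direct deposit")

SENDER_ANOMALIES = {"display-name-mismatch", "reply-to-diverges",
                    "freemail-from", "freemail-reply-to"}
LURE_SIGNALS = {"payroll-subject", "payroll-body"}


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def triage(raw_message):
    """Return the sorted list of indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=DEFAULT_POLICY)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    subject = str(msg.get("Subject", "")).lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""

    findings = set()
    known_addr = EMPLOYEE_DIRECTORY.get(from_name.strip().lower())
    # Tactic: a real employee's name in the display name, but the address
    # part is not that employee's corporate mailbox.
    if known_addr and from_addr.lower() != known_addr:
        findings.add("display-name-mismatch")
    # Tactic: From looks right, but replies are steered to another mailbox.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.add("reply-to-diverges")
    # Stat: around 95% of scam addresses sit on free webmail services.
    if _domain(from_addr) in FREEMAIL_DOMAINS:
        findings.add("freemail-from")
    if _domain(reply_addr) in FREEMAIL_DOMAINS:
        findings.add("freemail-reply-to")
    if any(k in subject for k in SUBJECT_KEYWORDS):
        findings.add("payroll-subject")
    if any(p in body for p in BODY_PHRASES):
        findings.add("payroll-body")
    return sorted(findings)


def is_suspicious(raw_message):
    """Flag only when a sender anomaly coincides with payroll-change wording,
    so a genuine employee's own request is not held on vocabulary alone."""
    found = set(triage(raw_message))
    return bool(found & SENDER_ANOMALIES) and bool(found & LURE_SIGNALS)


def _make(headers, body):
    """Build a constructed sample message (headers, blank line, body)."""
    return "\n".join(f"{k}: {v}" for k, v in headers) + "\n\n" + body + "\n"


# Constructed samples modelled on the tactics in the post.
SCAM_REPLY_TO = _make(
    [("From", "Jane Doe <jane.doe@example-corp.com>"),
     ("Reply-To", "jane.doe.payroll@gmail.com"),
     ("To", "payroll@example-corp.com"), ("Subject", "Payroll update")],
    "Hi,\n\nI need to change my payroll direct deposit before the next pay run.\nPlease advise.\n\nJane")
SCAM_DISPLAY_NAME = _make(
    [("From", '"Mark Smith" <mark.smith.office@aol.com>'),
     ("To", "payroll@example-corp.com"), ("Subject", "Direct Deposit change")],
    "Please update my bank details for my monthly salary.\nQuick response appreciated.")
BENIGN_REQUEST = _make(
    [("From", "Jane Doe <jane.doe@example-corp.com>"),
     ("To", "payroll@example-corp.com"), ("Subject", "Direct Deposit change")],
    "I have switched banks; could you update my direct deposit for the next pay run?\nI will bring the signed form to your desk.")
BENIGN_UNRELATED = _make(
    [("From", "Mark Smith <mark.smith@example-corp.com>"),
     ("To", "jane.doe@example-corp.com"), ("Subject", "Lunch tomorrow?")],
    "Are you free at noon?")

if __name__ == "__main__":
    for label, raw in [("scam/reply-to", SCAM_REPLY_TO), ("scam/display-name", SCAM_DISPLAY_NAME),
                       ("benign/request", BENIGN_REQUEST), ("benign/unrelated", BENIGN_UNRELATED)]:
        print(f"{label:18} suspicious={is_suspicious(raw)!s:5} {triage(raw)}")
```

The fourth sample matters as much as the first two: a real employee asking Payroll to change a direct deposit produces the same subject and body vocabulary, so vocabulary alone must never be the trigger. Note also that the first tactic in the post, a forged From address identical to the employee's real one, is caught here only through the diverted Reply-To; where the scammer omits Reply-To, the sender anomaly has to come from SPF/DKIM/DMARC authentication results rather than from the header text.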
Cybercriminals are leveraging social engineering techniques to trick employees in an organization. Fraud tactics continue to evolve with payroll fraud being a new weapon in the arsenal of the BEC scammers. Payroll scams are carried out by scammers who send fake email messages impersonating an executive or an employee of an organization to deceive trusted managers in the HR and Payroll departments, requesting them to change the employee’s payroll bank account to that controlled by the scammer. These actions lead to monetary loss and irritated employees.
BEC Fraud is increasingly big business for the scammers. Organizations have deeper pockets than individuals, and the scam preys on the willingness of employees to trust emails that are purportedly coming from executives or employees within the organization. The number of scammers jumping on this bandwagon has increased markedly, as it has proven lucrative for them.
The BEC scammers continue to evolve their techniques to further their objectives. We have witnessed an increase in BEC attacks that are now targeting all organizations big or small across different industry sectors. The menace of BEC is very real and is costing businesses real money.
Note for SEG Customers
Trustwave Secure Email Gateway (SEG) and SEG Cloud customers have a range of features available to them to help counteract BEC Fraud, including rules and specialized filters that are aimed squarely at the unique nature of BEC scams. It's a complex area and to help explain it we have produced a couple of in-depth documents that provide considerable background details and configuration options. These details are included in our BEC Fraud Protection Guides, which are available in the documentation area of the website (customer login required). The SEG Cloud guide can be found here.