Direct deposit fraud is growing in popularity, and employers should be aware of it to protect their employees’ banking information. In direct deposit fraud, also referred to as a payroll diversion scam, a fraudster sends a fake request to change an employee’s direct deposit account to a bank account the employee does not own, with the goal of obtaining the payment meant for that employee.
Like other phishing-style requests, these requests come in many different forms, including email, phone calls, and text messages. To perpetrate this fraud, an individual obtains enough information to impersonate an employee and sends a request to the employer’s payroll contact, HR team, or any other individual responsible for updating employee information, including direct deposit bank accounts.
Does your organization have proper controls in place to prevent direct deposit fraud? Here are several red flags and tips to keep your employee data safe and out of the hands of fraudsters:
1. Review your organization’s processes for direct deposit change requests to ensure you have checks in place to identify whether a request is legitimate, and a way to verify with the employee when a request seems suspicious.
2. Educate your employees, especially those responsible for making updates to employee information, including direct deposit accounts, to ensure they are aware of these scams.
3. Be on the lookout for requests that have a heightened sense of urgency, such as an email from an employee requesting the direct deposit change to be made immediately.
4. Whenever possible, use multi-factor authentication (MFA or 2FA) for systems that are used to record, document, and request direct deposit and employee information changes.
5. Many of the fraudulent bank accounts used in these scams are prepaid or paycard accounts, as these can be much easier to open than a traditional account, and funds are difficult to recoup once they have been sent.
6. It’s highly encouraged to run a direct deposit account prenote whenever an account is changed or added. A prenote does not validate whether an account is fraudulent and will not prevent fraud on its own. However, these scams depend on timeliness: the more time that passes between a fraudulent request and the first direct deposit, the better the chance that an employee becomes aware of the change.
7. Encourage employees to confirm receipt of a direct deposit each pay period. This is especially important for employees who have multiple direct deposit accounts set up and may not check direct deposits sent to secondary accounts, which can lead to multiple direct deposits being sent to a fraudulent account without the employee noticing.
8. Being proactive is key. Once a direct deposit is sent to a fraudulent account, the likelihood of reversing or recouping those funds is quite low. With that said, please reach out to your payroll vendor as soon as you are made aware of a potential scam or fraudulent direct deposit account. In most cases, they will do the best they can to help, which may include disabling the direct deposit account and initiating reversals and indemnity requests through your organization’s banking partners.
At BerganKDV, we help organizations establish robust security protocols to combat fraud. Between providing routine security training and assessing your current processes to see where gaps and opportunities exist, we have the expertise and resources to keep your private data secure and create a workplace culture of fraud awareness. To learn more about our security offerings, contact us today and one of our team members would be happy to assist you. Let’s have a conversation!