Phishing - Payroll Diversion Scam
You would think that, being a former computer programmer (albeit prior to the internet age), I would be more savvy about what constitutes a computer scam or phishing attack. But it is just not true! When an email looks like it comes from a trusted source, like a co-worker, or QuickBooks, it is just too easy to believe that it is a normal email. For the next few weeks, I will tell you about a few phishing and other scams I have come across in the past few years.
Payroll Diversion Scam
This new (to me) scam came to my inbox a few weeks ago. I think it could be the most damaging of all so I have put it first in my series of phishing scams.
The email looked like it was from someone I run payroll for, using direct deposit for their paycheck. It used my first name in the salutation, and asked what information was needed to make a change to the direct deposit account. The signature had the known person’s name and plausible title, though not their usual signature. I replied with what I needed, and they sent the new bank information. Their reply also stated,
“Kindly send me a confirmation email once the change has been made. Also advise the next payday it will take effect.”
Their reply email seemed off because they sent more information than I requested, and the bank seemed unusual for them, being out of state. The more I thought about it, it didn’t sound like that person at all. The grammar was pretty good, but not perfect as I would expect from this person. Finally, I checked the actual email address it was sent from and it was not their email address. My email service masks the email address on the “From”, showing only the name. You must click on the person’s name in the “From” to view it. What a disaster this would have been!
This sounds similar to a scam I heard about a few years ago between a municipality or school district and a construction company. Direct payment accounts for the construction company were changed as requested by email, and the municipality started making payments to the new accounts. Turns out the money was going to someone not affiliated with the construction company. They did not discover the problem until the construction company called for payment, many thousands of dollars later. Luckily they did catch the scammer!
In any case, since the scammer had sent their bank information, I decided to investigate some myself. Who could I let know that this was going on with this account? I called the bank that the routing number was for, and they said it was a Cash App account, and I would have to call Cash App. Cash App is similar to Venmo or Zelle, for sending funds electronically between individuals. I did call, and spoke to someone who opened a ticket to investigate, but said all correspondence with Cash App is via email only. I am still waiting to hear back.
After feeling frustrated that no one was looking into the situation, I came across the FBI Internet Crime Complaint Center. It allowed me to submit a complaint, even though no funds fraudulently changed hands. This site also has alerts and reports about current scams they are seeing. Sure enough, I found a public service announcement regarding Business Email Compromise (BEC) scams, including Payroll Diversion schemes. (https://www.ic3.gov/media/2019/190910.aspx)
Another website I came across is the Anti-Phishing Working Group, Inc. (https://apwg.org/). This site is a research platform and clearinghouse for eCrime reporting and produces a quarterly report specifically about phishing trends. You can also report phishing emails to their site at https://apwg.org/reportphishing/.
In this day and age, we should all listen to that little voice in our heads that says, “Something is a little off.” The truth may lie behind the masking.
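The masked “From” line described above can also be checked mechanically. The following is an added example, not part of the original post: it parses a message's From header and compares the address behind the display name with the address on file for that name. The contact list, names and `.example` addresses are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed address book (assumption): display name -> address on file.
KNOWN_CONTACTS = {
    "pat employee": "pat.employee@client.example",
}

# Constructed sample messages. Both show the same name in a mail client
# that hides the address behind the display name.
GENUINE = (
    'From: "Pat Employee" <pat.employee@client.example>\n'
    "Subject: Timesheet\n\nSee attached.\n"
)
SPOOFED = (
    'From: "Pat Employee" <payroll.update@mailbox.example>\n'
    "Subject: Direct deposit change\n\n"
    "Kindly send me a confirmation email once the change has been made.\n"
)

def normalize(name):
    """Lower-case and collapse whitespace so 'Pat  Employee' still matches."""
    return " ".join(name.lower().split())

def check_sender(raw_message, contacts=KNOWN_CONTACTS):
    """Compare the real From address with the one on file for that name."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    expected = contacts.get(normalize(display))
    if expected is None:
        # No name shown, or a name we do not know: fall back to the address.
        verdict = "match" if address in contacts.values() else "unknown-sender"
    elif address == expected:
        verdict = "match"
    else:
        # A trusted name in front of an address that is not on file.
        verdict = "display-name-mismatch"
    return {"display": display, "address": address,
            "expected": expected, "verdict": verdict}

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        result = check_sender(raw)
        print(label, result["verdict"], result["address"])
```

A `display-name-mismatch` result is a prompt to confirm the request through a phone number or address already on file, not by replying to the message.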