The FBI Internet Crime Complaint Center (IC3) has noted an increase in the number of Business Email Compromise (BEC) and Email Account Compromise (EAC) complaints related to the diversion of payroll funds. In this type of scheme, a company’s human resources or payroll department receives an email appearing to be from an employee requesting to update their direct deposit information for the current pay period. The new direct deposit information generally routes to a pre-paid card account.
Established in 2000, the IC3 is responsible for receiving and processing complaint of internet crimes. According to it’s 2019 Internet Crime Report, in the past years the IC3 received 1,707,618 complaints involving $ 10.2 Billion in total loss3es.
In 2018 the IC3 created a Recovery Asset Team (RAT) to streamline communications with financial institutions and assist FBI field offices with the recovery of funds for victims who made transfers to domestic account under fraudulent pretenses. In 2019 the IC3 received 1,307 incident complaints totaling losses of $384,237,651. The RAT was able to recover almost 80% $304,930,696, a recovery rate of almost 80%.
According to the IC3, there has been an increase in BEC complaints concerning the diversion of payroll funds. Complaints indicate that a company’s human resources or payroll department receives spoofed emails appearing to be from employees requesting a change to their direct deposit account. This is different from the payroll diversion scheme in which the subject gains access to an employee’s direct deposit account and alters the routing to another account.
In a typical example, HR or payroll representatives received emails appearing to be from employees requesting to update their direct deposit information for the current pay period. The new direct deposit information provided to HR or payroll representatives generally leads to a pre-paid card account.
Some companies reported receiving phishing emails prior to receiving requests for changes to direct deposit accounts. In these cases, multiple employees may receive the same email that contains a spoofed log-in page for an email host. Employees enter their usernames and passwords on the spoofed log-in page, which allows the subject to gather and use employee credentials to access the employees’ personal information. This makes the direct deposit requests appear legitimate.
The IC3 home-page contains a link to file complaints on-line, and also access consumer and industry fraud alerts.