
Cyber criminals are trying to commit payroll fraud by sending fake emails requesting a change to your bank details.

The Australian Cyber Security Centre (ACSC) is aware that fraudulent emails have been received by organisations across Australia.

These emails spoof the emails and signature blocks of staff and are sent to HR/payroll areas, appearing to ask for a change in bank account details for the current or next pay.

Workers often become targets while on holiday, when their Facebook or Instagram updates reveal that they are away for an extended period of time.

How does it happen?

The emails are sent with a request for a change of banking details, and appear to use the employee’s correct sender name and email signature block, but are in fact being sent by cyber criminals.

In one example, a payroll officer received an email that requested a change of employee bank details.

“I’d like to change my direct deposit info, can it be effective for the current pay date?”

Not thinking it was suspicious, the payroll officer emailed a reply. A second email, again appearing to come from the worker, was then sent with the fraudulent bank details.

“Kindly find my new direct deposit information. Let me know as soon as this is updated and also kindly confirm exact amount of any changes for my reference.”

The payroll officer changed the details and notified the worker by internal email.

The worker immediately notified IT and payroll that this was not authorised. The payroll officer removed the bank details and luckily no payment was made.

In another example, one senior executive was not so lucky: payroll staff at a major organisation actioned the fraudulent change to the executive’s banking information, and the money passed into the hands of cyber criminals.

Staying safe

If you are a payroll officer and you receive a ‘Subject - Payroll’ or ‘Subject – Urgent payroll request’ email, stop and think.

Do not reply to the email. Break the chain. Look up the person’s email address and send them a separate email questioning the request. Do not click on any link. Do not enter any information.
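The lookup described above can also be run automatically on incoming mail before a payroll officer sees it. The following is an added example, not part of the ACSC advisory: it compares the sender name against the address on file and checks where a reply would go. The directory, the addresses and the function names are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed staff directory (hypothetical name and address).
DIRECTORY = {"jane citizen": "jane.citizen@example.org"}
PAYROLL_TERMS = ("payroll", "direct deposit", "bank details", "bank account")

def header_mismatches(raw, directory=DIRECTORY):
    """Return reasons the sender headers do not match the staff record."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reasons = []
    on_file = directory.get(name.strip().lower())
    if on_file is None:
        reasons.append("sender name not in staff directory")
    elif addr.lower() != on_file:
        reasons.append("address differs from the one on file for this name")
    # A reply must reach the criminal, so a redirected reply path is a signal.
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append("Reply-To differs from From")
    return reasons

def is_payroll_request(raw):
    """True when the subject or plain-text body mentions a payroll change."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')} {body}".lower()
    return any(term in text for term in PAYROLL_TERMS)

# Constructed sample messages; the request wording is quoted from the advisory.
SPOOFED_NAME = (
    'From: "Jane Citizen" <jane.citizen@mail.example.net>\n'
    "Subject: Payroll\n\n"
    "I'd like to change my direct deposit info, can it be effective for the current pay date?\n"
)
REDIRECTED = (
    'From: "Jane Citizen" <jane.citizen@example.org>\n'
    "Reply-To: jane.citizen@mail.example.net\n"
    "Subject: Urgent payroll request\n\n"
    "Kindly find my new direct deposit information.\n"
)
GENUINE = 'From: "Jane Citizen" <jane.citizen@example.org>\nSubject: Leave dates\n\nBack on Monday.\n'

if __name__ == "__main__":
    for raw in (SPOOFED_NAME, REDIRECTED, GENUINE):
        print(is_payroll_request(raw), header_mismatches(raw))
```

A message that forges the exact address on file and sets no Reply-To passes both header checks, so the separate email to the address you looked up yourself still applies to every bank detail change.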

If you are a worker and you receive notification of a bank account change that you have not authorised, you should contact your payroll department immediately.

If you are away, leave your contact details with relevant areas at your workplace and be alert for any unusual activity in your bank account.

If you think you or your organisation might be the victim of a scam, cybercrime or identity theft, you can find more advice on the ACSC’s website at