Malicious actors are evolving Business Email Compromise (BEC) scams to target direct deposit accounts through emailed change requests sent to Human Resource or Finance departments. The Multi-State Information Sharing and Analysis Center (MS-ISAC) has received multiple reports of state, local, tribal, and territorial (SLTT) governments and private sector entities receiving a small number of spoofed emails. Of note, a significant majority of the employees who had their accounts spoofed were executive-level staff members.
This new variant utilizes a similar method of coercing targets to send money to the malicious actor as the previous BEC W-2 variant, which has resulted in significant data or financial losses for SLTT governments or employees. Further information about the BEC scam, including the Purchase Order, Wire Transfer/Financial Theft, and W-2 variants, is available in the MS-ISAC Security Primer.
- Spoofed email address where the header information does not match the “From” line
- Subject lines including “Direct Deposit Update!” or “Payroll Direct Deposit”
- Initial message bodies include text similar to:
Hi <HR or Finance Employee’s first name>, I changed my bank and will need to update my paycheck DD details, can the change be effective for the current pay date?
<Employee’s Full Name>
Hi <HR or Finance Employee’s first name>, I have recently changed banks and like to have my benefit of direct deposit changed to my new account. I need your prompt assistance on this matter.
<Employee’s Full Name>
- Follow-up message exchanges between the malicious actor and HR or Finance employee may include authorization to “override” any protections in place, requests to send a voided check instead of filling out a form, or reasons why the spoofed employee needs assistance.
- Referenced bank information: Gobank (a division of Green Dot Bank), Routing #: 124303162
- Other indicators of BEC emails may include:
- Immediately notify Human Resource and Finance department employees of this new variant. Ensure they know how to report potentially malicious emails and have a policy for out-of-band verification (e.g., verbal confirmation) of direct deposit or account changes and wire transfer requests.
- Flag emails from external sources with a warning banner.
- Craft a policy for identifying and reporting BEC and similar phishing email scams. Make sure to include the following:
- Develop a BEC Incident Response Plan.
- Collaborate with Human Resource and Finance departments to ensure their policies are supported by technological solutions.
- Report BEC scams to the MS-ISAC, local law enforcement, and the Internet Crime Complaint Center (IC3). Tax-related suspicious emails should be reported to the IRS. If there is a financial loss, notify the bank to stop payment and involve local law enforcement.
The NJCCIC encourages recipients who discover signs of malicious cyber activity to contact the NJCCIC via the cyber incident report form at www.cyber.nj.gov/report.
Please do not hesitate to contact the NJCCIC at njccic@cyber.nj.gov with any questions. Also, for more background on our recent cybersecurity efforts, please visit cyber.nj.gov.