Global Security Forum

  • 1.  Payroll Fraud

    Posted Fri June 14, 2019 09:42 AM

    Businesses may be defrauded through payroll processing systems, by their employees or by cyber criminals. The most common type of payroll fraud is when advances taken by an employee are not paid back.

     

    For the other type of payroll fraud, the FBI released an article in Oct 2018 that outlines measures to build a digital defence against phishing scams targeting electronically deposited pay checks. The modus operandi used by criminals is phishing emails that direct employees to fraudulent websites, where their work credentials are collected. The victim's credentials are then replaced with the hacker's own account details.

     

    Such payroll phishing scams are the next evolution of BEC, or Business Email Compromise. BEC is mostly targeted towards senior executives in the organisation. Needless to say, cyber criminals spend a lot of time researching their targeted organisations and their employee structures. In some cases, criminals may intercept and study their victims' emails months before the actual attack.

     

    BEC fraud belongs to the larger class of social engineering attacks. Social engineering attacks are a class of cyber attack that is quite old. With the increased usage of cloud-based email, this class of attack is once more in the spotlight. Most cloud email systems protect against malware and malicious attachments. However, address spoofing and links in emails may still go unnoticed.

     

    In the case of payroll fraud, the emails masquerade as legitimate work emails from the victim's manager. The other, more frequent type of BEC is when the victim receives a fraudulent email from a top boss asking him to immediately wire a large sum of money for a big deal to a specific account number.

     

    According to FBI research, BEC attacks led to a £9.52 billion loss in the last five years. In the recent trend of payroll fraud, HR managers are often targeted with phishing emails to direct small amounts of money to a different bank account. In a big organisation, such small amounts may go unnoticed for a few pay cycles. With this low-key approach, by the time the employee realises he has been duped, the money will be gone and the account closed.

     

     

    Link to the FBI article: https://www.fbi.gov/contact-us/field-offices/portland/news/press-releases/oregon-fbi-tech-tuesday-building-a-digital-defense-against-payroll-phishing-scams



    ------------------------------
    Rima Bose
    ------------------------------