The Australian Cyber Security Centre (ACSC) has issued a warning to Australian businesses to be on the alert for a new online fraud based on fake emails requesting a change of bank details for employees.
The ACSC said it’s aware that the fraudulent emails had been received by organisations across Australia.
“These emails spoof the emails and signature blocks of staff, and are sent to HR or payroll areas asking to change bank account details for the current or next pay,” the ACSC says.
“Workers often become targets while on holiday, when their Facebook or Instagram updates reveal they are away for extended periods of time.”
How does it happen?
The emails are sent with a request for a change of banking details, and appear to use the employee’s correct sender name and email signature block, but are in fact being sent by cyber criminals.
In one example, a payroll officer received an email that requested a change of an employee's bank details.
“I’d like to change my direct deposit info, can it be effective for the current pay date?”
Not thinking it was suspicious, the payroll officer emailed a reply. A second email, again appearing to come from the worker, was then sent with the fraudulent bank details.
“Kindly find my new direct deposit information. Let me know as soon as this is updated and also kindly confirm exact amount of any changes for my reference.”
The payroll officer changed the details and notified the employee by internal email.
On receiving the internal email advice, the worker immediately raised the alarm and the payroll officer was able to remove the bogus bank details and no payments were made.
However, in another example, a senior executive at a major organisation was not so lucky: payroll staff actioned the fraudulent change to the executive's banking information, and the money passed into the hands of cyber criminals.
The ACSC advises payroll officers or HR personnel who receive a ‘Subject – Payroll’ or ‘Subject – Urgent payroll request’ email to be on the alert.
The advice is not to reply to the email. Break the chain. Look up the person’s email address and send them a separate email questioning the request. Do not click on any link. Do not enter any information.
If you are an employee and you receive notification of a bank account change that you have not authorised, you should contact HR or your payroll personnel immediately.
If you are planning to take holidays, leave your contact details with relevant areas at your workplace and be alert for any unusual activity in your bank account.
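The following triage helper is an added example, not ACSC code. It turns the advice above into a check a payroll or HR mailbox could run: it recognises a bank-detail change request, compares the sender against a staff directory (the directory, the organisation's domain example.com.au and the sample messages are all constructed for this example), and always answers with "verify out of band" for such requests, listing any signs that the sender is not who the display name claims.

```python
"""Triage of payroll bank-detail change requests (added example, not ACSC code)."""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com.au"  # assumption: the organisation's own mail domain

# Constructed staff directory: display name -> mailbox on record.
STAFF = {
    "Jane Citizen": "jane.citizen@example.com.au",
    "Sam Lee": "sam.lee@example.com.au",
}

# Wording from the requests described above plus generic bank-change phrases.
PAYROLL_PHRASES = ("direct deposit", "bank account", "bank details",
                   "payroll", "current pay", "next pay")


def is_payroll_change_request(msg):
    """True when subject or body talks about pay or bank details (plain-text mail assumed)."""
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    return any(phrase in text for phrase in PAYROLL_PHRASES)


def triage(raw):
    """Return the action for the payroll officer and the indicators behind it."""
    msg = message_from_string(raw)
    if not is_payroll_change_request(msg):
        return {"action": "normal", "indicators": [], "verify_via": None}

    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr = from_addr.lower()
    domain = from_addr.rsplit("@", 1)[-1]
    on_record = STAFF.get(from_name)

    indicators = []
    if domain != INTERNAL_DOMAIN:
        indicators.append(f"sender domain '{domain}' is not {INTERNAL_DOMAIN}")
    if on_record and from_addr != on_record:
        indicators.append(f"display name '{from_name}' is on record as {on_record}, not {from_addr}")
    if reply_addr and reply_addr.lower() != from_addr:
        indicators.append(f"Reply-To {reply_addr} diverts replies away from {from_addr}")

    # Every bank-detail change is verified out of band, spoof indicators or not:
    # do not reply to this message; write to the address on record (or phone).
    return {"action": "verify-out-of-band", "indicators": indicators, "verify_via": on_record}


# Constructed sample messages.
SPOOFED = """From: Jane Citizen <jane.citizen@webmail-example.net>
Reply-To: payroll-reply@webmail-example.net
Subject: Urgent payroll request

I'd like to change my direct deposit info, can it be effective for the current pay date?

Jane Citizen
Senior Analyst | Example Pty Ltd
"""

GENUINE = """From: Sam Lee <sam.lee@example.com.au>
Subject: Bank details

I've switched banks; what form do I need to update my bank account?
"""

ROUTINE = """From: Sam Lee <sam.lee@example.com.au>
Subject: Leave request

Could I take Friday off? Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE), ("routine", ROUTINE)):
        print(label, triage(raw))
```

The genuine request still comes back as "verify-out-of-band" with no indicators, which is the point: the ACSC's advice is to break the chain for every bank-detail change, not only for messages that look suspicious.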
If you think you or your organisation may be the victim of a scam, cybercrime or identity theft, you can find more advice on the ACSC’s website at cyber.gov.au.