ICRMT members should be aware that there has been a significant increase in this type of fraud leading to loss of payroll funds, delays in paying employees and increased cyber insurance claims in recent months.

This type of fraud occurs when a cybercriminal steals employee information, such as a name and email address, and then uses that information to change the destination of the employee’s direct deposit from a legitimate account to an account in the criminal’s name. Often, this isn’t detected until payday, when the employee doesn’t get paid as they normally do. This can cause major issues for employees, and the redirected funds can be difficult or impossible to recover. Employers believe that they are paying their employees, but they are unknowingly paying criminals.

Public entities in Illinois are currently being targeted by these types of cybercrimes. In the most common method, an employee’s email is spoofed: a fake email that looks like it is from the employee is sent to the entity’s payroll person. The cybercriminal, posing as the employee, requests that the payroll person update the employee’s bank information for direct deposit. Once the cybercriminal convinces the payroll person to change the bank information, the employee’s next paycheck is deposited into the cybercriminal’s account. Typically, this is a cyber-based or offshore bank account.

These criminals like to target higher-paid employees such as Highway Engineers and Attorneys, though employees at all levels can be targeted.

Simple ways to protect your entity and employees:

  1. Confirm verbally or in person with employees requesting bank or other changes.
  2. Flag any changes to unfamiliar or cyber-based banks and confirm with the employee.
  3. Do not rely on, or allow, changes to personal or bank data via email.
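
The three steps above can also be enforced as a hold rule in a payroll change queue. The following is an added example, not part of the original advisory. It assumes that "unfamiliar" means a routing number not already on file for the entity's employees, that a request arriving by email must be resubmitted through another channel, and that the field names and channel labels are hypothetical. All sample data is constructed.

```python
from dataclasses import dataclass

@dataclass
class ChangeRequest:
    employee: str
    new_routing: str          # 9-digit ABA routing number of the new bank
    channel: str              # "email", "in_person" or "phone" (assumed labels)
    verbally_confirmed: bool  # payroll spoke with the employee directly

def valid_aba(routing: str) -> bool:
    """ABA check digit: digits weighted 3,7,1 repeating must sum to 0 mod 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(routing, (3, 7, 1) * 3)) % 10 == 0

# Flags that hold the change; "unfamiliar bank" alone is cleared by step 1.
BLOCKING = {"invalid routing number", "requested by email",
            "not confirmed with employee"}

def review(req: ChangeRequest, known_routings: set) -> tuple:
    """Return (may_apply, flags) for one direct deposit change request."""
    flags = []
    if not valid_aba(req.new_routing):
        flags.append("invalid routing number")
    if req.new_routing not in known_routings:
        flags.append("unfamiliar bank")              # step 2
    if req.channel == "email":
        flags.append("requested by email")           # step 3
    if not req.verbally_confirmed:
        flags.append("not confirmed with employee")  # step 1
    return (not (BLOCKING & set(flags)), flags)

# Constructed sample data: routing numbers pass the checksum but use
# prefixes (98, 99) that are not assigned to any Federal Reserve district.
KNOWN_ROUTINGS = {"999999992"}
SAMPLE_REQUESTS = [
    ChangeRequest("engineer", "987654320", "email", False),
    ChangeRequest("clerk", "999999992", "in_person", True),
    ChangeRequest("attorney", "987654320", "in_person", True),
    ChangeRequest("analyst", "123456789", "phone", True),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        ok, flags = review(r, KNOWN_ROUTINGS)
        print(r.employee, "APPLY" if ok else "HOLD", flags)
```
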

Please contact IPMG Risk Management for additional assistance on this topic.