The number of cyber and traditional payment fraud threats continues to grow and businesses are urged to remain vigilant in 2017. The following pose some of the most serious threats:
- W-2 business email compromise scams – The Internal Revenue Service has renewed its alert on a W-2 cyberscam that involves a fake email, purportedly from a senior company executive, which is sent to a junior payroll or human resources staff member requesting confidential employee tax information. The “spoofed” email appears to be legitimate, so the staffer complies. This gives the cybercriminal access to employees’ Social Security numbers, home addresses, income and other personal data. The fraudster may use this information to file fake tax returns for refunds and open credit card accounts.
The Society for Human Resource Management says more businesses reported falling victim to a W-2 scam during tax season last year. Although new tax filing deadlines for employers may help limit exposure this year by shortening the time period for legitimate information requests, human resources and finance staff still should be alert to the W-2 scam and similar questionable information requests.
Cybercriminals often use social media to target junior employees who are eager to make a good impression and may not be fully aware of confidentiality procedures. Fraudsters also are using social media to determine when senior executives are on vacation or traveling, and timing their requests for when an executive can’t be reached.
Company protocols should require that requests for confidential employee information be verified by phone or in person with the senior executive making the request. Access to sensitive personnel information should be on a “need to know” basis.
- Phishing/malicious emails – Fraudsters “phish” by sending fake emails to employees to gain company information or access sensitive data. Although these emails look legitimate, they can contain attachments, photos, pdf files or Microsoft documents that can trigger malware or infiltrate a company’s computer system for other fraudulent actions.
- Faster payments – The move to faster payments has sharpened the focus on elevated risks associated with rapid settlement of transactions. In the past, ACH transactions settled over two to five days, which allowed banks more time to analyze unusual transactions and challenge payment. Since last September, Automated Clearing House (ACH) payments for direct deposit, payroll, person-to-person and vendor payments are being settled within the same day. Also on the horizon this year is the introduction of the Real Time Payments (RTP) system network being developed by The Clearing House (TCH). This round-the-clock, 365-day-a-year system will enable almost instantaneous payments, up to $25,000 per transaction.
- Malware and ransomware – Unsuspecting employees can allow malware to infiltrate a company’s computer system by opening an email or attachment from an unfamiliar source, clicking on a link that leads to a malicious site, or inadvertently “un-patching” computer software fixes designed to keep intruders out. One increasingly rampant form of malware is ransomware, where fraudsters block a company’s computer system and hold it hostage until a sum of money is paid.
- New card-not-present risks – Many retailers and businesses adopted the more secure EMV chip-card readers at their point-of-sale (POS) registers last year. As a result, some fraudsters are focusing more on online and telephone “card-not-present” (CNP) transactions. They use a stolen credit card or credit card number to make purchases. The rise in CNP fraudulent purchases is affecting commercial credit cards as well as consumer cards.
- Check fraud – Although cyberfraud draws the most attention, check fraud remains a major threat to companies. Common forms of check fraud include altered payee names and dollar amounts, forged signatures, forged endorsements and counterfeit checks.
In the coming months, we will be reporting on each of these topics in greater detail. For more information on ways to protect your company from these and other fraud threats, contact your Fifth Third Bank Relationship Manager.