Stay Off The Phish Hook This EOFY

Payroll scams are off the charts ahead of EOFY. What’s happening, and what can you do to minimise the risk?

The end of the financial year (EOFY) is prime time for scammers looking to exploit the surge in financial data being exchanged, and many organisations are seeing an increase in spam and phishing campaigns.

Those working in finance and administration are especially valuable targets for bogus invoices or tax refund notifications full of malicious links and attachments, because opening and processing this type of documentation is a standard part of the job description – but anyone in your organisation can be a target.

What to watch out for
Fake communications can come in the form of invoices from financial services organisations, or notifications from trusted agencies like the ATO or state departments of health in the case of COVID-19 scams.

The ATO has been receiving reports of scammers pretending to be from the ATO calling members of the public and telling them that their employer has registered them for the JobKeeper Payment, but that the ATO needs their bank account details to deposit the JobKeeper Payment funds.

Scammers will also try to impersonate an executive with official-looking emails requesting payment to a fraudulent entity. Payroll scammers will send HR or finance a message appearing to be from an employee, either phishing for personal information for a separate scam or requesting a new bank account for income to be deposited.

Text messages can be a less obvious vehicle for scams than email and are therefore more dangerous. Aurion has seen a text offering a $200 reward for completing a survey on the NBN.

An example of a banking-themed SMS phishing text – this one was reported to the ACSC on Monday 30 March 2020

Don’t think a scam won’t happen to your organisation. On average each month, the Australian Cyber Security Centre (ACSC) receives about 4,400 cybercrime reports through ReportCyber and responds to 168 cyber security incidents. High-profile targets this year include the Toll Group, which has been hit twice in 2020 by ransomware, one of which enabled attackers to “access” personal and payroll details of current and former staff.

Prevention is the cure
Because online scammers can be so hard to catch, cyber security efforts are focussed on prevention, which includes minimising the communication tools scammers have at their disposal. Earlier in 2020 Australia’s telcos joined together with the ATO and Australian Communications and Media Authority (ACMA) on a three-month trial of technology to block scam calls appearing to originate from legitimate ATO phone numbers.

Whatever medium they use, scammers are looking for an employee’s credentials, and that is the biggest risk to your organisation’s cyber security. Credentials are compromised by exploiting risky behaviours, such as weak passwords, shared login details or, of course, phishing.

To minimise this risk, implement multi-factor authentication, which requires a secondary method of validating your identity in addition to the username and password – a phone app is a common method.

These are your first steps to cyber-safety this EOFY:

1. Don’t open email attachments or links from an unrecognised sender
2. Check that the sender’s address and any URLs genuinely belong to the organisation they claim to be from
3. Run software and operating system updates whenever they are available
4. Use strong passwords and don’t share them – consider using a dedicated password storage app
5. Apply multi-factor authentication to all applications
6. Back up your data to a location separate from your work devices.

Download the FREE checklist – Nine Simple Processes to Protect Your Payroll From Fraud

In addition, don’t forget to develop, communicate and reinforce organisational policy on fraud and dishonest or deceptive behaviour related to payroll, and provide a clear escalation procedure for reporting suspected incidents.

Advice and resources:
Think you’ve been scammed? Visit the Australian Competition and Consumer Commission’s (ACCC) dedicated COVID-19 resource page, or report a cyber security incident to the Australian Cyber Security Centre (ACSC).

If you’re one of the many people now working from home, see the ACSC guide to safely selecting and using web conferencing software.

For more background information, watch the Aurion video What is payroll fraud? with Jacqui Birch, Aurion BPOS payroll expert, discussing the nature and common types of payroll fraud.