Tips to Steer Clear of Employee Phishing Scams

Editor’s note: This article was updated on March 22, 2019.

More than likely, your employees have been targeted by a phishing scam at some point. While some of these scams are easy to spot, phishing criminals are becoming more sophisticated and tailoring their attacks to specific targets, which makes them harder to recognize. This year alone, the FBI and IRS have warned of multiple phishing scams (including the February, September and December 2018 attacks).

What’s happening?

Popular attacks focus on companies using self-service platforms, where employees can view their payroll details and W-2 forms and update direct-deposit information. Phishers send fake emails containing a link, asking employees to log in to view a private message from their HR department. By clicking on the link and entering their credentials, employees hand their login information to the scammers. This lets attackers change personal or payment records, such as direct-deposit information and email addresses. Once the email address is changed, account notifications are redirected to the phisher, so the victim may not immediately notice the changes to their account.

In recent schemes, criminals have been posing as the IRS, sending emails with fake display names. The hyperlinks in those emails point to phony yet convincing-looking websites. If employees “take the bait” by logging in and entering personal details, they inadvertently hand over that information. Those hyperlinks may also download malware, which gives criminals access to the victim’s device so they can obtain sensitive information.

What can you do about it?

There’s no surefire way to avoid phishing attacks, but there are important precautionary steps you and your employees can take to protect yourselves.

1. Be on the lookout.

The faster employees can spot a suspicious email sender, the better. Train your employees to stay vigilant when it comes to their inbox. It’s critical that they’re looking at actual email addresses, not just display names. If it’s an email address they don’t recognize, this should raise a red flag immediately. Employees should report any suspicious emails directly to their IT department.

2. Hover over hyperlinks.

Whenever they receive an email with a hyperlink, your employees should always hover their cursor over it to view the actual URL. By doing this, they can confirm the URL is actually related to the company it purports to be from.

3. Think before you click.

If your employees overlook the actual email address (which is easy enough to do), the content of the email can be the next indicator that something’s amiss. They should never click on a link or attachment included in an email, especially if it’s requesting login information; sensitive personal information should never be sent over email. Instead, they should go directly to the source (e.g., email the company HR contact to confirm it’s a legitimate request). Better safe than sorry!

4. Stay informed.

Make sure you stay on top of new phishing scams and make your employees aware. If they know what to watch out for, they’re much less likely to fall prey to scams. In general, make sure security is paramount throughout your organization. If it’s regularly reinforced, there’s a better chance your employees will stay mindful.

5. Watch out for vulnerable periods.

Phishing scams often peak during tax season because it presents more opportunities for criminals to steal valuable information. Since tax scams have been on the rise in recent years, make sure you and your employees are hypervigilant at tax time. The holidays are another particularly dangerous time, since the increase in online shopping means a higher risk of scammers accessing sensitive financial data.

6. Use multi-factor authentication.

Multi-factor authentication adds an extra layer of security by requiring an additional method of account verification. For example, if employees access their account from an unrecognized device, they’ll need a verification code provided via text, phone call, or email before they can log in. This helps prevent attackers from accessing accounts, since stolen login credentials alone are no longer enough. To enhance our clients’ account security, Payroll Data provides multi-factor authentication with our Orbit Solutions products.

7. Keep current on security updates.

Security patches are regularly released for all devices and popular web browsers. Emphasize how critical these are to your employees. It’s easy to ignore the frequent messages about security updates, but they’re important. They’re released to fix inevitable security loopholes that phishers can exploit, and should be downloaded and installed ASAP.

8. Install anti-phishing software.

Anti-phishing software can help to detect and block malicious content contained in emails and websites, usually with a warning to the user. Many web browsers integrate this software with a toolbar that displays actual domain names, which helps your employees identify fraudulent websites that are mimicking legitimate ones. Because this software is often integrated with web browsers, it’s especially important that employees keep their browsers up-to-date.

9. Monitor changes to bank information.

If employees are attempting to change direct-deposit credentials, this should be closely monitored by your system administrators. If you use Orbit Solutions, you can take advantage of notification features that will alert a designated payroll or HR administrator when an employee updates sensitive bank information. If you aren’t currently using Orbit Solutions or another workforce-management system, establish safety procedures to manually monitor bank information changes.

10. Use strong passwords.

Stress the importance of strong passwords with your employees. Passwords should have at least six characters (the more, the better) and combine letters, numbers and symbols (if allowed), with a mix of uppercase and lowercase letters. To safeguard personal information, your employees should get into the habit of regularly updating their passwords.

Have more questions? We’re here to help.

Having a safe, secure workforce-management solution makes it easier for you to prevent and monitor malicious phishing attacks. If you’re an Orbit Solutions user, rest assured that we take some phishing-scam precautions on your behalf. For example, we proactively monitor our software and pull reports to scan for suspicious routing numbers in our system. You can and should keep an eye out for these numbers too. They’re subject to change, but as of now, the following ABA routing numbers may signal an issue: 124303120, 061120000, 124085024, 096017418, 124302529.
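The monitoring described in tip 9 and in the paragraph above can be automated. The following is an added example (not Orbit Solutions code) that reviews a constructed direct-deposit change log: it validates the ABA check digit, flags routing numbers on the article’s watchlist, and flags a direct-deposit change that follows an email-address change within a 48-hour window, which is the sequence the article describes. The event format, field names and window length are assumptions.

```python
from datetime import datetime, timedelta

# Routing numbers the article lists as "may signal an issue" (as of its March 2019 update).
WATCHLIST = {"124303120", "061120000", "124085024", "096017418", "124302529"}


def routing_number_valid(rn: str) -> bool:
    """ABA check digit: 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) must be a multiple of 10."""
    if len(rn) != 9 or not rn.isdigit():
        return False
    d = [int(c) for c in rn]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def flag_direct_deposit_changes(events, window_hours=48):
    """Return [(employee, [reasons])] for routing-number changes that deserve manual review.

    events: dicts with keys time (ISO 8601), employee, field ("email" or "routing"), new_value.
    """
    last_email_change = {}  # employee -> time of most recent email-address change
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["field"] == "email":
            last_email_change[ev["employee"]] = t
            continue
        if ev["field"] != "routing":
            continue
        reasons = []
        rn = ev["new_value"]
        if not routing_number_valid(rn):
            reasons.append("malformed routing number")
        elif rn in WATCHLIST:
            reasons.append("routing number on watchlist")
        # An email change shortly before a bank change matches the pattern in the article:
        # the attacker redirects notifications first, then changes direct deposit.
        prior = last_email_change.get(ev["employee"])
        if prior is not None and t - prior <= timedelta(hours=window_hours):
            reasons.append("direct-deposit change within %dh of email change" % window_hours)
        if reasons:
            alerts.append((ev["employee"], reasons))
    return alerts


# Constructed sample change log (not real data); 123456780 is a constructed valid number.
SAMPLE_EVENTS = [
    {"time": "2019-03-01T09:00:00", "employee": "alice", "field": "email", "new_value": "alice@example.com"},
    {"time": "2019-03-01T09:20:00", "employee": "alice", "field": "routing", "new_value": "124303120"},
    {"time": "2019-03-02T10:00:00", "employee": "bob", "field": "routing", "new_value": "123456780"},
    {"time": "2019-03-03T11:00:00", "employee": "carol", "field": "routing", "new_value": "12345678"},
]
```

Running `flag_direct_deposit_changes(SAMPLE_EVENTS)` flags alice (watchlisted number, changed 20 minutes after her email) and carol (malformed number), while bob’s change passes silently and would only appear in the routine notification to the payroll administrator.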

If you have any additional questions or concerns on employee phishing scams, please contact your Client Service Representative or send us a note today. We’re happy to help!