Understanding BEC scams: Payroll diversion

Emile Abou Saleh, Regional Director, Middle East and Africa, Proofpoint, explains how one of the most critical forms of BEC attacks – payroll diversion – works and how security teams can better protect the organisation and, consequently, its people.

Business Email Compromise (BEC) and Email Account Compromise (EAC) afflict businesses of all sizes across every industry. More money is lost to this type of attack than to any other form of cybercrime. In 2019, BEC scams accounted for more than half of all reported cybercrime losses, an estimated $1.77 billion, and the average loss per BEC incident was $74,723.

People within organisations are viewed as more fallible than automated tools and technologies. According to the latest UAE CISO Report, over half of CISOs believe that human error and a lack of security awareness are the biggest risk factors facing their organisations. Additionally, over 80 percent of CSOs and CISOs in the UAE report suffering at least one cyber attack in 2019, with over half reporting multiple incidents. People-centric attacks top the list, and 15 percent of those incidents originated from business email compromise (BEC) attacks. It is therefore crucial to understand what this type of attack is and how it works in order to better protect the organisation and, consequently, its people.

BEC Payroll Diversion Scams

BEC payroll diversion scams resemble other BEC attacks in that they rely on impersonation and social engineering to convince the victim to send money to the attackers. Here the attackers target a company's payroll process and attempt to redirect legitimate payroll payments from their intended destination accounts to accounts under the attackers' control.

Emile Abou Saleh, Proofpoint

BEC payroll diversion scams are by necessity very focused in their targeting. To succeed, the attacker must correctly identify someone in the HR or payroll department who can change an employee's direct deposit information.

The FBI's IC3 reported that the dollar loss associated with payroll diversion increased 815 percent between 1 January 2018 and 30 June 2019. In the first half of 2020, Proofpoint saw and blocked more than 35,000 payroll diversion scams, protecting US$2.2 million per day. Proofpoint's research also shows that Monday and Tuesday are the most popular days of the week for these scams, the second and last weeks of the month are the most popular weeks, and "Direct Deposit" is the most popular lure.

How BEC Payroll Diversion Scams Work

The crux of a successful BEC payroll diversion attack is the redirection of payroll funds from their intended, legitimate destination to an account under the attacker’s control.

BEC payroll diversion scams rely heavily on intelligence gathering from publicly available sources such as a company's website or LinkedIn. A successful attack requires that the attackers identify the correct target and demonstrate credible familiarity with the payroll process so as not to arouse suspicion.

When attackers launch a BEC payroll diversion attack, they try to convince someone at the target organisation who can change the payroll disbursement system that they are the employee they claim to be, or someone authorised by that employee to change their payroll information. In these exchanges they seek to convince the target to redirect the impersonated employee's payroll disbursements to an account under their control. Depending on the sophistication of the threat actor, the request may come with a pre-emptive reason why reverting to a paper check sent by post is not possible, closing off the fallback a cautious payroll clerk might otherwise offer.

In a successful attack, the victim makes the changes and the request is closed, ideally for the attacker with as little notice as possible. Making the attack look as much like business as usual as possible is therefore key to its success.

The financial loss typically occurs only at the next payroll run, which may be up to two weeks after the payment instructions have been updated. Because of this two-week delay, BEC payroll diversion attackers tend to time their scams for the second or fourth week of the month.
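The impersonation pattern described above leaves traces in the mail headers before any money moves: a familiar display name on an unfamiliar address, a Reply-To that points away from the apparent sender, and the "Direct Deposit" lure wording. The following Python is an added example written for this page, not Proofpoint's detection logic or any product's rules; the employee directory, the internal domain example.com and the three messages are all constructed for illustration.

```python
"""Screen inbound mail to payroll for BEC payroll-diversion indicators.

Added example for this page; not Proofpoint's detection logic. The
directory, the internal domain and the three messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical directory: display name -> the only mailbox that name
# legitimately sends from (in practice, pulled from HR or the IdP).
DIRECTORY = {
    "Jane Doe": "jane.doe@example.com",
    "Omar Haddad": "omar.haddad@example.com",
}
INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's mail domain

# "Direct Deposit" is the lure the article reports as most common; the
# other terms are assumed synonyms a payroll team would also see.
LURE = re.compile(
    r"direct\s*deposit|payroll|bank(?:ing)?\s+(?:details|information|account)",
    re.IGNORECASE,
)


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw: str) -> dict:
    """Return the indicators found in one RFC 822 message given as text.

    Three identity checks and one content check:
      * display name belongs to a known employee but the address does not
      * sender domain is not ours
      * Reply-To points somewhere other than the From domain
      * subject or body uses payroll / direct-deposit lure wording
    A message is 'suspicious' when lure wording is present together with
    at least one identity anomaly; lure wording alone from a colleague's
    real mailbox is normal payroll traffic.
    """
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""

    identity, content = [], []
    expected = DIRECTORY.get(from_name.strip())
    if expected and from_addr.lower() != expected:
        identity.append(
            f"display name '{from_name}' belongs to {expected}, "
            f"but mail came from {from_addr}"
        )
    if _domain(from_addr) != INTERNAL_DOMAIN:
        identity.append(f"external sender domain '{_domain(from_addr)}'")
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        identity.append(
            f"Reply-To domain '{_domain(reply_addr)}' differs from "
            f"From domain '{_domain(from_addr)}'"
        )
    if LURE.search(subject) or LURE.search(body):
        content.append("payroll / direct-deposit lure wording")

    return {
        "subject": subject,
        "findings": identity + content,
        "suspicious": bool(content) and bool(identity),
    }


def triage(messages):
    """Return the subjects of messages that should be held for out-of-band
    verification before any payroll change is made."""
    return [r["subject"] for r in map(analyse, messages) if r["suspicious"]]


# Constructed messages (not real samples).
LURE_FROM_WEBMAIL = """From: "Jane Doe" <jane.doe.ceo@gmail.com>
To: payroll@example.com
Subject: Direct Deposit

Hi, I changed banks and need my direct deposit updated before this
week's payroll run. I cannot receive a paper check as I am travelling.
Please send me the form to fill in.
"""

REPLY_TO_HIJACK = """From: "Omar Haddad" <omar.haddad@example.com>
Reply-To: <omar.haddad.personal@outlook.com>
To: payroll@example.com
Subject: Payroll update

Can you confirm what banking details you currently hold for me?
"""

NORMAL_INTERNAL = """From: "Jane Doe" <jane.doe@example.com>
To: payroll@example.com
Subject: Lunch on Friday?

Are we still on for 12:30?
"""

if __name__ == "__main__":
    for m in (LURE_FROM_WEBMAIL, REPLY_TO_HIJACK, NORMAL_INTERNAL):
        r = analyse(m)
        print(f"{r['subject']!r}: suspicious={r['suspicious']}")
        for f in r["findings"]:
            print("   -", f)
```

Two caveats on where this fits. The Reply-To and display-name checks assume the From header itself is honest; a sender that forges the internal domain outright is the job of SPF, DKIM and DMARC enforcement at the gateway, and a message that fails those should never reach this stage. And the output is a hold, not a block: a flagged request goes back to the employee through a channel the attacker does not control, such as the phone number already on file, before anyone touches the disbursement record.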

Are You Protected?

BEC payroll diversion scams are a growing form of BEC attack. They are also highly targeted and require detailed knowledge to succeed. Both points are good news for defenders, because they give clear direction on what can be done to protect against these scams. One, ensure that the people who can change payroll disbursement information are aware of the risks and receive additional training and protection. In practice that means treating every request to change bank details as untrusted until it has been verified through a channel other than the one the request arrived on, such as a call to the phone number already on file, and notifying the employee at their existing contact details whenever such a change is made. Two, ensure that critical information about payroll policies and procedures is not publicly available in a way that facilitates these scams.

Two of the most important things CIOs can do to help protect against BEC/EAC payroll diversion scams are to understand how prepared the organisation is to combat them and, ultimately, to train employees to be vigilant around all forms of email communication.

