IC3 Issues PSA On Payroll Phishing Scam
By: Jim Stickley and Tina Davis
January 3, 2019
One thing that we often think is pretty safe is our payroll account. After all, of all things that should be secured well at our workplace, it is that. Right? Criminals have figured out a way to get credentials to payroll accounts, specifically in three industries: education, healthcare, and commercial airways transportation. But no industry is immune. This type of scheme is significant enough that it triggered a public service announcement from the FBI’s Internet Crime Complaint Center (IC3).
The way this scheme is succeeding is phishing, of course. Regardless of the security tools an organization has in place, phishing emails find their way around them and get to everyone’s inboxes. Because the criminals creating these messages are getting better at it, those tools won’t catch them all.

The IC3 is recommending that businesses take several steps to ensure the payroll accounts of employees are safe, and the top tip is to educate your workforce about this and other phishing schemes. Include preventative strategies and reactive measures to ensure a breach does not occur.
As part of the awareness and training strategy:
- Include instruction on how to detect phishing, which means hovering over links to ensure they direct to where you expect them to and looking for phishing clues in the email, such as misspelled words and poor grammar.
- Instruct employees never to provide login credentials or personally identifying information (PII) to anyone, even those in the IT department.
- Have controls in place to ensure those who perform financial transactions confirm them with the requestor before performing them.
- In addition, those who are in charge of the network should limit login access, restrict internet access wherever possible, and monitor logins outside normal business hours for unusual activity.
- Besides making sure everyone knows how to spot phishing, be sure to provide steps for reporting it if they accidentally click on something.
Once payroll credentials are acquired in this scam, the criminals log in and change information, such as direct deposit account details. In addition, they change notification settings to ensure the employee doesn’t get alerts. The money is then directed to the criminal’s account, which is often a prepaid card. Then it’s impossible to track and retrieve, making this a very effective scheme.
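As an added illustration (not part of the original post or of the IC3 announcement), here is the kind of detection logic a payroll or security team could run over portal audit logs to surface the pattern described above: after-hours logins, and a direct deposit change that follows alert suppression. The event names, the business-hours window and the log lines are constructed assumptions, not a real payroll product's format.

```python
from datetime import datetime, timedelta

# Constructed payroll-portal audit events (not real data); ISO timestamps in local time.
EVENTS = [
    {"ts": "2019-01-02T09:15:00", "user": "jdoe",   "action": "login"},
    {"ts": "2019-01-02T09:20:00", "user": "jdoe",   "action": "view_paystub"},
    {"ts": "2019-01-02T23:41:00", "user": "asmith", "action": "login"},
    {"ts": "2019-01-02T23:43:00", "user": "asmith", "action": "notifications_disabled"},
    {"ts": "2019-01-02T23:45:00", "user": "asmith", "action": "direct_deposit_changed"},
    {"ts": "2019-01-03T10:05:00", "user": "bwong",  "action": "login"},
    {"ts": "2019-01-03T10:06:00", "user": "bwong",  "action": "direct_deposit_changed"},
]

BUSINESS_START, BUSINESS_END = 7, 19  # assumed business-hours window (hour of day)
CHANGE_WINDOW = timedelta(hours=24)    # how close alert suppression and the deposit change must be

def parse(ts):
    return datetime.fromisoformat(ts)

def is_after_hours(ts):
    """True for logins on weekends or outside the assumed business-hours window."""
    t = parse(ts)
    return t.weekday() >= 5 or not (BUSINESS_START <= t.hour < BUSINESS_END)

def find_suspicious(events):
    """Return {user: [reasons]} for accounts showing the IC3-described pattern."""
    alerts = {}
    last_notif_off = {}  # user -> time their notifications were turned off
    for e in sorted(events, key=lambda e: e["ts"]):
        user, action, t = e["user"], e["action"], parse(e["ts"])
        if action == "login" and is_after_hours(e["ts"]):
            alerts.setdefault(user, []).append("after-hours login")
        elif action == "notifications_disabled":
            last_notif_off[user] = t
        elif action == "direct_deposit_changed":
            # Every deposit change deserves out-of-band confirmation with the employee;
            # one preceded by alert suppression is the scam's signature.
            reason = "direct deposit changed"
            off = last_notif_off.get(user)
            if off is not None and t - off <= CHANGE_WINDOW:
                reason += " after notifications disabled"
            alerts.setdefault(user, []).append(reason)
    return alerts

if __name__ == "__main__":
    for user, reasons in find_suspicious(EVENTS).items():
        print(user, "->", "; ".join(reasons))
```

The flagged users are the ones to confirm with by phone or in person before the next payroll run, which is the control the IC3 list above asks for.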