During the general kerfuffle that has arisen around COVID-19, many small businesses have been hit hard by fraudsters. One of the latest areas that we have seen a dramatic uptick in fraud has to do with Direct Deposit. Many businesses pay employees and vendors using Direct Deposit method, and this process is generally very secure. However, fraudsters have found that the way to weasel into this money trail is to take advantage of the one weakness in the chain: the human element.
We have outlined a scenario below which will show you how this has happened to a business we are familiar with, very recently. We have seen this happen more than once, and with different variations, so please note this is only an example. Please note at the bottom that we have outlined some steps that you can add to your internal operations in order to reduce the risk of fraud for your business.
Scenario:
An employee of ABC Company, Sally, has Direct Deposit set up for her paycheck. One day, Mabel the Payroll clerk at ABC Co receives and email from Sally. In the email, Sally asks Mabel to change the Direct Deposit information attached to Sally’s payroll to a new account, because Sally has had to change banks recently. Sally includes the new bank name, account number, and routing number in the body of the email, so Mabel has all of the information that she needs in order to make the change in her Payroll system. Once the change is made, Mabel replies to Sally that the requested change has been made, and Sally can expect to see her next paycheck hit her new bank account.
A couple of weeks go by, and Sally calls Mabel. She asks Mabel why she didn’t receive her last paycheck. Mabel is alarmed. As she is talking to Sally, she looks back on the email that Sally had sent just a couple of weeks prior. Only then does she notice that while the “Display Name” of the email says Sally Smith, the actual email address is clearly fake: salsmith@yxcvhrm.com. Mabel realizes that she has just sent Sally’s paycheck to a fraudster.
Mabel calls the payroll system support line to ask if the money can be recalled. The support personnel tell her that they are trying to pull the funds back, but in these cases the accounts used are actually debit card accounts that can’t be recalled for direct deposit and/or the fraudsters have usually already moved the money to offshore accounts. They promise to call her the next day and let her know the result. When they call her back the next day, the news is as Mabel feared: it’s too late to get the money back, it is gone. Mabel makes sure that Sally’s Direct Deposit information is corrected in the system, and replaces Sally’s lost income immediately. But unfortunately, the money that was paid out to the fraudster has to be written off as “Fraud-Losses” in the books.
Direct Deposit Fraud Prevention Tips:
- Always collect a Direct Deposit Agreement (DDA) Form from all Employees and Vendors who will be paid via Direct Deposit. Make sure that the DDA form is signed, and that a VOIDED check is attached. This helps to ensure that the payee is really the person that you know, and that they have a real bank account. Make a no exceptions policy. All employees must complete the exact same process and outline who the form should go to. Don’t send DDAs through email unless they are password protected; it is highly recommended that they are sent through a secure file sharing program.
- You can send a test $0.50 Direct Deposit as soon as you have their information, and then after two business days, CALL the payee to confirm that they see the test funds in their account.
- Even if you do not want to do the test deposit, it is still a good idea to at least call/speak with the requestor separately from the email request to verify that the request is legitimate.
- Watch out for these suspicious “banks” that fraudsters will often use:
o GreenDot or MoneyPak
- A MoneyPak is a prepaid credit card which sets up an online-only credit line with GreenDot. Because the account is all online, these are common “burner accounts” used by criminals.
o American Express National Bank, SoFi, Varo or other “Online-Only” banks.
- Because these banks do not require in-person contact to set up accounts, it is a lot easier for foreign or illegal persons to set up an account.
- Be sure to always look at the full email address from the requestor to see if it looks normal and legitimate.
- Ask your employees to at least check their accounts on payday to ensure that the money has deposited into their account.
Be safe, and be aware!