Uptick in Direct Deposit Scams

Scams

June 15, 2024

The NJCCIC recently received multiple incident reports from organizations targeted with direct deposit scams, in which threat actors attempt to change the bank account information used for payroll direct deposit payments in order to facilitate fraud. Threat actors primarily target K-12 school districts; however, all organizations, regardless of sector, are at risk. In this campaign, threat actors impersonate an employee, often by registering an email address using the employee’s name and utilizing display name spoofing in the email messages. The fraudulent emails are typically sent to payroll or human resources departments and request direct deposit change forms. In some cases, the threat actors locate an organization’s direct deposit change form online and include a filled-out form in the email. The threat actor intends to divert an employee’s payroll check to an account under their control. These emails may have noticeable red flags, such as spelling and grammatical errors; however, they may also be well-crafted and more difficult to identify as suspicious.

The NJCCIC recommends users and organizations educate themselves and others on these continuing threats and tactics to reduce victimization. Users are advised to refrain from responding to unsolicited communications and exercise caution with communications from known senders. If unsure of a message’s legitimacy, contact the sender via a separate means of communication – such as by phone through official and legitimate sources – before taking action, disclosing sensitive information, and/or transferring funds. All users are encouraged to maintain awareness of common red flags found in malicious email messages, such as display name spoofing tactics. Additionally, we highly advise organizations to implement procedures to prevent unauthorized direct deposit changes, such as requiring two levels of approval and verbal agreement from the requesting employee.
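
The display name spoofing red flag described above can be checked mechanically on inbound mail to payroll or human resources mailboxes. The following is an added example, not part of the NJCCIC advisory: the organization domain, staff directory, keyword list, and sample messages are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed values for illustration; replace with the real directory export.
ORG_DOMAIN = "district.example"
DIRECTORY = {"jordan rivera": "jrivera@district.example"}
KEYWORDS = ("direct deposit", "payroll", "bank account")

def normalize(name):
    """Lowercase, drop punctuation, and reorder 'Last, First' to 'first last'."""
    if "," in name:
        last, first = name.split(",", 1)
        name = f"{first} {last}"
    kept = "".join(c for c in name if c.isalpha() or c.isspace())
    return " ".join(kept.lower().split())

def check_message(raw):
    """Return the red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    flags = []
    known = DIRECTORY.get(normalize(display))
    # An employee's name on an address that is not the one on file.
    if known and addr != known:
        flags.append("display name matches employee, address does not")
    if known and addr.rpartition("@")[2] != ORG_DOMAIN:
        flags.append("employee name used on external domain")
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if flags and any(k in text for k in KEYWORDS):
        flags.append("payroll change request: verify by phone before acting")
    return flags

# Constructed sample messages.
SPOOFED = ("From: \"Rivera, Jordan\" <jordan.rivera.hr@mailbox.example>\n"
           "To: payroll@district.example\n"
           "Subject: Update my direct deposit\n\n"
           "Please change my bank account before the next payroll.\n")
LEGIT = ("From: Jordan Rivera <jrivera@district.example>\n"
         "To: payroll@district.example\n"
         "Subject: Direct deposit question\n\n"
         "When is the next payroll run?\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, check_message(raw))
```

A clean result only means the sender address matches the directory; it does not cover a compromised legitimate account, so the out-of-band verification and two-level approval recommended above still apply.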