Payroll - Secure form for fraud prevention
A company we work with here in the UK was recently a victim of an elaborate but simple fraud, resulting in the loss of around £5,000 from the payroll.
The scam went like this:
- Scammer fakes an email to HR from an employee requesting the bank details for their salary be changed.
- HR fails to spot the "EXTERNAL EMAIL WARNING!" and forwards this email to the person who updates the payroll. They also didn't spot the fake email address, or double-check with the employee.
- Bank details for the employee are updated in the payroll and bank payments.
- Some weeks later, the employee concerned then contacts their manager as apparently they had not been paid this month. The fraud comes to light. "I never sent any email changing my bank details!" The scammer is long gone with the money. Whoopsie!
It would seem to me that the simple solution to this is not to accept, EVER, any instruction to change bank details via email. Instead, employees should be directed to a page internally or in our case in Xero, which can only be accessed by employees with a login and preferably requires two factor authentication.
The form could allow the employee to enter their new bank details. Xero sends a notification to the employee's known email/phone contacts to confirm the action, and then the person responsible for updating it receives a notification in Xero to update the bank details.
This approach would considerably reduce the risk of this type of phishing fraud: any scammer would need access to Xero and would have to get round 2FA, with at least two people checking the request before any bank details are changed, rather than just faking an email: "Please to be updating my bank details... thx..."
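To make the proposed workflow concrete, here is an added illustration (not Xero's code and not part of the original post) of the same control as a small state machine: the change can only be started from a 2FA-verified login, the confirmation goes to the contacts already on file (never to anything supplied with the request), a second person has to approve it, and any emailed instruction is refused outright. All class and function names are hypothetical, and notifications are collected in a list rather than sent so it runs offline.

```python
"""Maker-checker bank-detail change with out-of-band confirmation (illustrative only)."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Employee:
    employee_id: str
    known_email: str      # contact details already on file BEFORE any request
    known_phone: str
    sort_code: str
    account_number: str


@dataclass
class ChangeRequest:
    request_id: str
    employee_id: str
    new_sort_code: str
    new_account_number: str
    confirm_token: str
    state: str = "awaiting_employee_confirmation"
    approved_by: Optional[str] = None


class PayrollStore:
    """Hypothetical stand-in for the payroll system; holds employees and pending changes."""

    def __init__(self, employees: List[Employee], payroll_admins: List[str]):
        self.employees: Dict[str, Employee] = {e.employee_id: e for e in employees}
        self.payroll_admins = set(payroll_admins)
        self.requests: Dict[str, ChangeRequest] = {}
        # (channel, address, message) - constructed stand-in for real email/SMS delivery
        self.notifications: List[Tuple[str, str, str]] = []

    def handle_email_instruction(self, sender: str, body: str) -> str:
        # Rule 1: NO bank-detail change is ever accepted from an email, whoever it claims to be from.
        return "rejected: bank details can only be changed via the authenticated form"

    def submit_change(self, session: dict, new_sort_code: str, new_account_number: str) -> str:
        # Rule 2: the form is only reachable from a login that has passed 2FA.
        if not session.get("mfa_verified"):
            raise PermissionError("bank detail changes require a 2FA-verified login")
        emp = self.employees[session["employee_id"]]
        req = ChangeRequest(
            request_id=secrets.token_hex(8),
            employee_id=emp.employee_id,
            new_sort_code=new_sort_code,
            new_account_number=new_account_number,
            confirm_token=secrets.token_urlsafe(16),
        )
        self.requests[req.request_id] = req
        # Rule 3: confirmation goes to the contacts already on file, not to anything in the request.
        for channel, addr in (("email", emp.known_email), ("sms", emp.known_phone)):
            self.notifications.append((channel, addr, f"Confirm change {req.request_id}: {req.confirm_token}"))
        return req.request_id

    def confirm_by_employee(self, request_id: str, token: str) -> None:
        req = self.requests[request_id]
        if req.state != "awaiting_employee_confirmation":
            raise ValueError(f"request {request_id} is in state {req.state}")
        if not hmac.compare_digest(req.confirm_token, token):   # constant-time compare
            req.state = "rejected"
            raise PermissionError("confirmation token did not match")
        req.state = "awaiting_payroll_approval"
        self.notifications.append(("inbox", "payroll", f"Change {request_id} awaiting your approval"))

    def approve(self, request_id: str, admin_id: str) -> None:
        # Rule 4: a second, different person with payroll rights must approve before anything changes.
        req = self.requests[request_id]
        if admin_id not in self.payroll_admins:
            raise PermissionError(f"{admin_id} is not a payroll approver")
        if admin_id == req.employee_id:
            raise PermissionError("requester cannot approve their own change")
        if req.state != "awaiting_payroll_approval":
            raise ValueError(f"request {request_id} is in state {req.state}")
        emp = self.employees[req.employee_id]
        emp.sort_code, emp.account_number = req.new_sort_code, req.new_account_number
        req.state, req.approved_by = "applied", admin_id


def run_demo() -> str:
    """Happy path with constructed sample data; returns the final request state."""
    store = PayrollStore([Employee("e1", "alice@corp.example", "+447700900123", "12-34-56", "12345678")], ["p1"])
    rid = store.submit_change({"employee_id": "e1", "mfa_verified": True}, "65-43-21", "87654321")
    token = store.notifications[0][2].split(": ")[1]   # employee reads it from the known-contact message
    store.confirm_by_employee(rid, token)
    store.approve(rid, "p1")
    return store.requests[rid].state
```

The two things the scam relied on, an unauthenticated channel and a single person acting on a request, are both removed: `handle_email_instruction` never touches the payroll record, and `approve` refuses to run until the employee has proved control of a contact that was on file before the request was made.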