Q. "We received a suspicious email asking for a change to an employee's direct deposit information. What should we do?"
Answer:
This is likely a phishing scam: a type of con in which scammers use emails, texts, or phone calls to trick someone into providing company or personal information, which the scammer then uses to steal from them.
A successful scam can be a costly data breach with legal consequences for employers. In this case, had you fallen for the direct deposit scam, your employee would not have been paid on time, and you’d be out the money you owed them.
To protect your organization from this and other phishing attempts, we recommend you:
Verify whether the message is legitimate by closely inspecting the email (sender address, Reply-To address, and any urgency or requests to avoid a phone call) and by reaching out to the employee through contact details already on file, not by replying to the email, to confirm they didn't make the request
Notify your IT department of the phishing attempt
Remind employees not to respond to suspicious emails or send banking or other sensitive information to anyone
Work with IT to train employees to recognize phishing attempts and respond appropriately
Ensure employees update their security software, internet browser, and operating system regularly
Create processes and policies in case of a breach, including what notices need to be given
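As an added illustration of what "closely inspecting the email" means in practice (this is example code, not part of the original answer), the script below parses a constructed direct-deposit-change email and reports the tell-tale indicators: a Reply-To domain that differs from the From domain, a sender domain that is a lookalike of the organisation's own domain (assumed here to be the placeholder example.com), banking-change wording, and language that discourages confirming by phone.

```python
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the organisation's own mail domain (placeholder)
PAYROLL_TERMS = ("direct deposit", "bank account", "routing number")
AVOID_CALL_TERMS = ("unable to take calls", "can't talk", "reply by email")

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def indicators(raw_message: str) -> list[str]:
    """Return the reasons a message looks like a payroll-diversion request."""
    msg = message_from_string(raw_message, policy=policy.default)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    found = []
    if any(t in text for t in PAYROLL_TERMS):
        found.append("asks to change banking details")
    if reply_addr and reply_domain != from_domain:
        found.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if from_domain != ORG_DOMAIN and edit_distance(from_domain, ORG_DOMAIN) <= 2:
        found.append(f"sender domain {from_domain} is a lookalike of {ORG_DOMAIN}")
    elif from_domain != ORG_DOMAIN:
        found.append(f"sender domain {from_domain} is external")
    if any(t in text for t in AVOID_CALL_TERMS):
        found.append("discourages confirming by phone")
    return found

# Constructed sample: the kind of message the question describes (note the
# misspelled sender domain and the personal Reply-To address).
SAMPLE = """\
From: "Jane Doe" <jane.doe@exannple.com>
Reply-To: jane.doe.personal@mail.example.net
Subject: Direct deposit update

Hi, please update my direct deposit to my new bank account before the next
payroll run. I'm unable to take calls today, so reply by email.
"""
```

Running `indicators(SAMPLE)` reports all four indicators; a routine internal message with no banking wording and no Reply-To reports none.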