BEC Taxonomy: Payroll Redirects

Last Time in the BEC Taxonomy Series…  

In the second installment of the Business Email Compromise (BEC) taxonomy series, Proofpoint researchers began delving into the Theme tier of the Email Fraud Taxonomy framework (Figure 1), focusing on invoice fraud and demonstrating how the framework applies to a real-life example. Now we explore another salient and timely theme category, payroll redirects, which is of particular concern at this time of year: during tax season, threat actors can use this type of scheme to target tax refunds.


Figure 1. Email Fraud Taxonomy Framework. 

What are Payroll Redirects? 

Payroll redirects, also called payroll diversions, are email fraud attacks that typically target finance, tax, payroll, and human resources employees. These are some of the simplest attacks, as the threat actor's only goal is to supply new, threat actor-controlled direct deposit details for the impersonated employee's paycheck or even their tax refund.

Proofpoint detects on average about 2,000 payroll redirect attempts daily (Figure 2) and considers them a medium risk to businesses and organizations: the FBI Internet Crime Complaint Center's 2019 report on BEC puts the average loss at $7,904 per incident. The IRS included payroll redirects on its most recent Dirty Dozen list of tax schemes for 2020, alerting tax filers that fake IRS documents can be used in these schemes to lend credibility to bank account change requests.


Figure 2. 24-hour view of payroll redirect attempts seen by Proofpoint

Payroll Redirect and the Email Fraud Taxonomy Framework   

Payroll redirect schemes can occur via either of the Deception means in the Proofpoint Email Fraud Taxonomy Framework (Figure 1 above), impersonation or compromise, but most commonly occur via impersonation. A threat actor who has access to a compromised account is more likely to attempt fraud with the potential for a higher payout, such as an invoice fraud scheme, than a payroll diversion would yield.


Figure 3. Anatomy of a payroll redirect attack via impersonation

Via impersonation (Figure 3), the threat actor sends a generic-sounding email from a free mail account using the employee's name; free mail accounts are by far the most common sender in payroll attacks. Threat actors in payroll redirects also like to impersonate individuals higher up in the target's organization, such as a CEO or other executive, for the chance to score a bigger paycheck. In attempts to redirect senior-level paychecks, threat actors can be seen using email addresses with executive themes in an effort to lend credibility and urgency. In such cases, the Taxonomy Framework would appear as follows (Figure 4):
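The sender-side indicators described in this paragraph (a real employee's display name on a free mail address, executive-themed local parts, direct deposit wording) translate directly into a mailbox triage check. The following is an added example, not Proofpoint's detection logic or code from the post; the employee directory, the free mail list and the sample messages are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed data for this example (not from the original post): a tiny
# employee directory plus the indicator lists the scoring function uses.
EMPLOYEES = {"jane doe": "jane.doe@example.com",
             "mark lee": "mark.lee@example.com"}
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}
EXEC_TOKENS = ("ceo", "cfo", "coo", "chief", "president", "exec")
PAYROLL_TERMS = ("direct deposit", "payroll", "bank account",
                 "routing number", "paycheck", "account change")
REVIEW_THRESHOLD = 2  # two or more indicators sends the mail to analyst review

def score_payroll_redirect(from_header, subject, body):
    """Return (score, reasons): one point per impersonation indicator present."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    local, _, domain = addr.rpartition("@")
    text = f"{subject} {body}".lower()
    reasons = []
    # 1. Display name belongs to a real employee, but the address is not theirs.
    directory_addr = EMPLOYEES.get(display.strip().lower())
    if directory_addr and addr != directory_addr:
        reasons.append("display name matches employee, address does not")
    # 2. Sender domain is a free mail provider, the most common pattern.
    if domain in FREEMAIL:
        reasons.append("free mail sender")
    # 3. Executive-themed local part, e.g. jane.doe.ceo@...
    if any(tok in local for tok in EXEC_TOKENS):
        reasons.append("executive-themed address")
    # 4. The request concerns where pay is sent.
    if any(term in text for term in PAYROLL_TERMS):
        reasons.append("payroll / direct deposit wording")
    return len(reasons), reasons

def triage(messages):
    """Return the (from, subject, body) tuples that reach REVIEW_THRESHOLD."""
    return [m for m in messages
            if score_payroll_redirect(*m)[0] >= REVIEW_THRESHOLD]

if __name__ == "__main__":
    # Constructed sample mail: one impersonation attempt, one benign message.
    sample = [
        ('"Jane Doe" <jane.doe.ceo@gmail.com>', "Direct deposit",
         "Please update my direct deposit to the account below before payroll runs."),
        ('"Mark Lee" <mark.lee@example.com>', "Lunch", "Free at noon?"),
    ]
    for msg in triage(sample):
        print(msg[0], score_payroll_redirect(*msg))
```

A display name that matches a directory entry while the address does not is the strongest single signal here; the free mail and executive-theme checks mainly raise the score when the name is a partial match or a contractor not in the directory.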