How ID Thieves Invade Your Company

First things first, identity thieves do not discriminate when deciding to hack into a company.  Large, small and everything in between are vulnerable.  They want the biggest bang for their buck with the least amount of risk.  So what are a few of the ways they invade?

1.    False invoices are sent to Accounts Payable in the hopes that those who are writing the checks will not verify their legitimacy.   This seems impossible, but these invoices appear real and are very nearly the same as others sent to the company and are not in amounts that would draw much attention.    

2.    Employees are contacted by what they think is their HR department telling them that there has been a change in their human resource status.  They use the link supplied in the email and are taken to a site that looks very much like the real HR site for their company.  As soon as they log in, the thieves capture that login information and go to the real site to gain access.  Once there, they redirect that employee’s paycheck by changing the direct deposit information to the thief’s bank account.

3.    Emails are sent to employees from thieves who are posing as their CEO, Supervisor or Manager requesting documents or sensitive data.  Because it’s coming from their “admin staff,” employees assume it’s legitimate and so don’t even hesitate to send this data off.  Prevalent is the request for an employees’ W2 information or horror of horrors the entire payroll spreadsheet.  This is on the rise and the W2 information is used to file fraudulent tax returns.  The IRS has issued an alert to Human Resource people to inform their staff of this particular scam.  Interesting results come up when Googling phishing and W2 scam.  You will be stunned.  

4.    Even churches are in the crosshairs.  An email is sent to the person who is in charge of the books that appears to come from the pastor or a senior church official.  The email requests a bank-to-bank transfer for an urgent and confidential matter.  Because this type of request is plausible in the context of church business, there’s no question and the transfer is made, right into the thief’s bank account.

​Preventing all scams is impossible, but to give a company and its employees the best chance to avoid them follow these suggestions:

1. Make employees aware of these scams.
2. Create a strict company/office policy on wire transfers.
3. Know your customer’s habits.  That way any invoices that are out of sync, appear more frequently or appear for the first time will raise a red flag.  Then check their validity.
4. Even though requests for documents and data seemingly come from the Administration or corporate office, encourage employees to verify the request before any action is taken.   
5.  Instead of calling a number used in an email, look up the number in the company directory or use a number that has been used in the past.   
6. Instead of clicking on a link supplied in an email, go to the company site from your browser and use the legitimate URL address, especially if sweeping the cursor over the link reveals an unfamiliar web address.    
7.  Look for subtle incorrect use of the English language in the email such as incorrect tense usage, grammar, and capitalization.

The number of companies invaded by W2 scams in the first quarter of 2016 surpassed 50 and continues to grow.  The Identity Theft Resource Center as of June 14 reports that 12.6 million records have been compromised.  

Be vigilant and remain aware that you are neither too big nor too small to be of interest to ID thieves.  

Lori Lawson is a LegalShield Director and is an ID Shield specialist.  Her company, New Line Associates is located at 2111 El Camino Real here in Oceanside and she has been a Chamber member for over ten years.  Visit their website at newlineassociates.com.   Email her at [email protected] for a free, no obligation fifteen-minute consultation.  Information gotten from Kroll, a global risk management company that specializes in identity theft investigation and restoration.  

---