SECURITY ADVICE (TIP) April 08, 2024: CYBERATTACKS IN PAYROLL MANAGEMENT


Example:

Let’s imagine that we work in the Administration, HR or Finance department and we receive a request, apparently from an employee or from their direct manager, to change the personal bank account number into which their salary is paid.

A request that we might regard as routine, or even harmless, can cause serious damage to the organisation if we do not follow the established procedure and do not carry out a proper check before acting on it.


Current situation:

According to recent studies, although this type of cyberattack is not yet among the most common, it has affected approximately 70% of companies and entities in the last 12 months, regardless of their sector of activity and of whether they are public or private.

What does it imply?

Once again, it consists of impersonating a person within our company. The request may arrive through various channels (e-mail, text message, telephone call, etc.). And it is not only the people who manage payroll who receive it: the cybercriminal may also count on the request being forwarded internally to the appropriate department, which lends it an appearance of legitimacy.

If the attack succeeds, the employees whose identity has been impersonated will, from one month to the next, stop receiving their salary, because it will have been diverted to an account controlled by the cybercriminal.

How can we avoid this?

Applying common sense: let’s take the time to review the request.

  • If internal procedures state that such changes must be requested by e-mail or through a specific platform, do not act on any phone call, text message or voice message you may receive until you are sure it is not a hoax.
  • Even if the request has arrived through the appropriate channel, carry out a second check by calling the person who is requesting the change, using a telephone number already on file. This will allow us to verify whether it is a fraud or a genuine request. It is very important not to perform this check by replying to the same message or by using the contact details given in the message: those details may belong to the cybercriminal, and we would alert them to our suspicion, which would make matters worse.
  • If double approval or internal verification is required for transfers, do not change payment details or carry out such transactions lightly, however routine they may seem. Ideally, in these cases, request proof of ownership of the new bank account (for example, a bank certificate in the employee’s name) in order to confirm the legitimacy of the change.

WE REMIND YOU AGAIN: If you think you have been a victim of this type of cyberattack, report it in the workplace to the IT Department, the CISO or the DPO, and in the personal sphere report it to the police.