Scammers are actively exploiting payroll systems by changing employees' direct deposit information to fintech bank accounts, whose early-deposit feature lets them withdraw the funds before the fraud is discovered. A huge red flag is a partial deposit, known as the 99% trick, where the scammer redirects 99% of the check and leaves 1% in the employee's original account to cause confusion and delay the employee's realization that most of their pay is missing. Even a short delay caused by this confusion can be enough time for the scammer to get away with the money. Protect your business by requiring employees to use secure self-service portals for all changes and by always verifying any suspicious email request with a phone call to the employee. Watch this week's episode of Kaizen Time and learn how to protect your payroll!
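Turning the warning signs above into a check that payroll can run on every direct-deposit change request, as an added example that is not from the podcast or any payroll vendor; the flagged-routing set, the event fields and the sample events are constructed assumptions:

```python
# Added example, not from the podcast or any payroll vendor: triage rules for
# direct-deposit changes. Routing numbers and IPs are constructed placeholders.
from dataclasses import dataclass, field

# Stand-in for a payroll provider's flagged early-deposit routing list (assumption).
FINTECH_ROUTING = {"000000001", "000000002"}

@dataclass
class DepositChange:
    employee: str
    requested_via: str            # "self_service" or "email"
    requester_email: str
    company_domain: str
    new_routing: str
    percent: int                  # share of net pay sent to the new account
    source_ip: str
    known_ips: set = field(default_factory=set)   # IPs seen on past logins
    employer_issues_prepaid: bool = False         # employer hands out pay cards

def risk_flags(ev: DepositChange) -> list:
    """Return the reasons this change deserves a phone call before the next run."""
    flags = []
    if ev.requested_via == "email":
        flags.append("requested by email rather than the self-service portal")
        if ev.requester_email.rsplit("@", 1)[-1].lower() != ev.company_domain.lower():
            flags.append("requester address is outside the company domain")
    if ev.new_routing in FINTECH_ROUTING and not ev.employer_issues_prepaid:
        flags.append("new account is at an early-deposit fintech")
    if 90 <= ev.percent < 100:
        flags.append(f"{ev.percent}% split leaves a small remainder (the 99% trick)")
    if ev.known_ips and ev.source_ip not in ev.known_ips:
        flags.append("change made from an IP the employee has never logged in from")
    return flags

def needs_callback(ev: DepositChange) -> bool:
    """True when payroll should confirm the change with the employee by phone."""
    return bool(risk_flags(ev))

# Constructed sample events: one routine change and the two scams from the episode.
LEGIT = DepositChange("ann", "self_service", "ann@example.com", "example.com",
                      "123456789", 100, "10.0.0.5", {"10.0.0.5"})
EMAIL_SCAM = DepositChange("bob", "email", "bob@mail.example.net", "example.com",
                           "000000001", 100, "10.0.0.9")
TAKEOVER_99 = DepositChange("cara", "self_service", "cara@example.com", "example.com",
                            "000000002", 99, "203.0.113.7", {"10.0.0.7"})

if __name__ == "__main__":
    for ev in (LEGIT, EMAIL_SCAM, TAKEOVER_99):
        print(ev.employee, "->", risk_flags(ev) or ["no flags"])
```

The `employer_issues_prepaid` switch covers the caveat from the episode that some employers legitimately pay unbanked staff onto a fintech card, so those routing numbers should not trip the alert for them.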
Transcript
Welcome to Kaizen Time, part of the Blood, Sweat & Business podcast, where we provide constant improvement to businesses through timely, actionable financial solutions. Do you want answers to your financial questions? Email us at bsb@kaizencpas.com. I'm your host, Mark Waleski. Now let's get started. Welcome to another episode of Kaizen Time. I'm joined by Brian Bryen, Director of Payroll Operations, and we today are gonna be talking about one of my favorite subjects that I get to talk about with Brian, which is fraud. I have no idea what this is about, but I'm looking forward to it. How are people getting scammed this week? Well, I mean, like I say, we, in the past, we, we get stuff probably every couple of days, at least once a week, where we get maybe somebody calling or something like that, but- People try... People trying to scam Kaizen specifically/YPD specifically? Or, or the clients, yeah. Okay. Okay. So, um, it... You know, there's a lot of fraud around payroll. Um, n- Lately, it's been a lot of technology-based, trying to change direct deposits and things. Yeah. Um, so we'll kind of talk about one of those. We'll talk... Well, we have two examples today actually. And, and just, and just so we're... so I know, I'll start with that. Um, these are clients telling you guys, then they're... and then they're reaching back at you like, "Is this legitimate?" Right. Or it's already happened and we're- And you gotta correct it. We gotta correct it, right, or try to track the money and try to get the money pulled back. Oh, okay. So yeah, the first one is a client example. The other one is something that we saw on our end. Mm-hmm. And actually, I saw also that, that we've tried to resolve, um, or try to defeat them. You know, it's like Whac-A-Mole. Right? You're always trying to knock it out. So yeah, so the first one is the email, the email fraud, uh, but this is a client, and I actually got... received a whole email string this time. 
So I saw some really interesting things, so it's... it was really great. So here's what will happen. The employee will email, like, the admin or the payroll person and say something like, um, "Before you run payroll, uh, can I change my... update my ACH information and what's required?" Pretty common question, right? Um, so in this case, uh, the client actually responded the way we wanted, was, "Hey, you can log in to self-service and change your account yourself." And this is why we preach to self-service. Exactly. But the mistake the client made was, "Oh, but if you can't figure it out, let me know. I'll change it for you." So we don't really wanna do that. We wanna say, "Here, and if you need help, bring in, and we'll even help you if... at YPD, if... you know, if somebody really can't change their direct deposit information and you wanna bring them to the office, we'll walk them through it." Um, your office now on Earth. We'll, we'll do it on Teams. Um, so then the e- so then the client sends an email back and says, "Oh, okay, great, here's my information." Right? They changed it, and then that week, the employee goes in the office on Friday and says, "I didn't get paid." It's like, "Well, I changed your direct deposit information." It's like, "I didn't request that." Oops. Um, so, I mean, we have a banking partner. We tried to pull it back, yet, um, we didn't get it 'cause the money's long gone, but, uh, a couple of things to look out for. So when I received the whole email string, the important part was, it said the email was from the client or from the employee, but the email header has the email address in it. It says, "User," at some other company. Gotcha. So you always wanna look at the... if somebody says, "I want to change any financial information," and it's email, it's best to pick up the phone. Yup. But if you're looking at it, maybe they're overnight or something they sent you, see it's legit, you look at the email address. 
That tells you right away. Right? If it's not from your domain, it's not right. Right? Language too, a big giveaway. If I wanna change my ACH information, I don't say that. If you wanna change where your check goes, what do you say? Um, "I'd like to change where my check goes." Right. Or you say, "I wanna change my direct deposit." Yeah. Employees don't use the term ACH. If you work at a bank, maybe. Mm-hmm. Right? But the... You know, whe- wherever this place was, they're gonna say, "I want to change where my check goes. I can't change my deposit." They're not gonna say, "Can you change my ACH?" They're also not gonna confirm, like, effective dates. They'll be like, "Is this from my next check?" They're not gonna say, "Can you confirm the effective date?" The reason why they ask for the effective date is they sent it to a fintech bank. So there's nothing wrong with fintech banks. A lot of people use them. Right? That's like, you know, a SoFi or a Green Dot or, uh, a Chime, right? They're not real banks. They're financial tech companies that have a bank on the back. The reason they do this is because those companies offer a deposit early, right? So if you've ever seen Chime, it says, "Get your check two days early," or whatever. What they're doing is they're seeing the ACH file come in, and the way ACH files work is there's a posting date. They have to post it by that date. They can post it earlier if they want, but most banks don't do that 'cause there's floats and stuff. But the fintech, to compete, say, "All right, well, you'll get your check early." Well, they do this because they want to, you know, attract clients and empl- you know. But scammers do this because it's easier to open an account, and two, if you get it early, you can take the money out before the employee- Before anyone catches this. ... catches you. Right? So in this case, the Friday check day on Thursday, the money was in this account. The scammer took the money out. Got it. Yeah. 
Friday comes along. By the time, that we reach out to our bank, they're sending files on Monday. It's long gone. The banks are closed. It's done, right? Yup. So I mean, that's why it's really, really important that you wanna do the self-service and that you want to make sure that it is the employee. So if they em- if they email you and they really can't figure it out, call them on the phone.... talk to them in person, say, "Hey, did you really want to change your direct deposit information?" So yeah. I mean, the, we used to get this one a lot, like here. Mm-hmm. Uh, I told this story before, I got one for a partner, like, a week after I started. Um, we haven't really seen it on our end. We used to get it on our, but they started going after the clients now. So, they just... I don't know how they figure it out, they have ISolveS. I think they hack emails and see. Mm-hmm. Um, I don't know. Uh- Once they get into an email, right, you know, if, if there's a, if there's a email from an ISolve that says, like, "Oh, you updated blah, blah, blah." Mm-hmm. They're like, "Okay, this person is part of this organization," that means the whole organization must be using- Yep. ... that. So, you know, it makes perfect sense. Yeah. That leads into the second one, 'cause that's actually what was happening at ISolve and us, and we were trying to stop. So, email hacking's been on the rise. Um, I don't know the reason for that, but that's what they're doing. Like, they're find- they're hacking emails and looking to see where your direct deposit's going to. So, like, I know for mine, like, your check, right? So I know for, for ISolve, when you do a direct deposit or when your check's available, you get an email that says, "Oh, your, your check is now available to view on the mobile app." An email to your private or to your, um- To your private one. Oh, okay. Yeah. Which are far more likely to get hacked. Exactly. 
So, um, you, you know, you get an email like, "Oh, your check's available to view." You should be viewing it. A lot of people, you know, that are on salary might not look at it. If you're hourly, you might not look at it either. Um, but then they're looking at that, and then they're logging in 'cause they know the URL to log into, and then they know, well, you use your email for your login, right? Mm-hmm. So then, here's the, here's the second part, multifactor authentication. I know it's real annoying for everybody, but here's why you don't want it to be your email. 'Cause if they access your email, now they have access to your multifactor authentication. Mm-hmm. Gotcha. So, we had that here and then we, we stopped. So you can't do multifactor authentication with email anymore. You have to use either text or an authenticator. Because if they have your email, they can get into it, right? Mm-hmm. And so, that's what they're doing. They're getting in, they're saying, "All right, here's a deposit." Now, the second part of this one is they're changing the deposit percentage to 99%. So they'll put in, you know, another fintech account number, but they only changed it to 99%. I don't know why. I think maybe because it, um, you know, it's, uh, if they see a deposit email, right, 'cause the email says, "Hey, your tru- your check went in, direct deposit." Right. You're not... Maybe if you're salaried, they're not necessarily looking at the amounts. So, if you do 99%, they're still getting a small deposit, the scammer's getting most of the check, taking the money out, and they're going. Or that causes more confusion 'cause then you log in and you're like, "Well, I didn't get paid my whole amount. What's going on?" And you have to go to payroll, right? You ask payroll, "Hey, I didn't get my check." Mm-hmm. They look at the check, they go, "Well, yeah you did," and then they're like, "No, I didn't get the whole amount," right? 
I think it causes more confusion, more back and forth. Um- And that, that confusion delays everything. Delays everything. So I, I think that's why, why they do that part. Um, so, y- you know, that's the thing that we've been seeing. So, on the ISolve side, they wor- worked really hard. There's a, a fraud notification dashboard now, so when we, people change direct deposits, we see it, and there are certain routing numbers for fintechs are flagged. So, if somebody changes their direct deposit to, not to pick on anybody, but to, like, Green Dot, right, it's gonna get tagged like they changed it. So, we have a couple of clients that are like, you know, bigger restaurant, uh, quick service restaurants that they use that service to give their... if they don't have a checking account, they give them a Green Dot card, right? Okay. So we know them, that's probably valid. But what, we, we started calling on those. So, if somebody changed it, we noticed that the person changing it was th- the employee. We'll check the IP address to make sure it's the same one they've always been logging into. If they haven't logged in in a while, we'll call the client, they can confirm this. So, it's gotten a little manual for checking this stuff. Yeah. But it's really just a... And our bank's done really good job too. The bank will flag it too, like, "Hey, this is a new account and it's one of these, you know, fraud ones." Um- Well, it, it, it's questionable, right? Yes. And it makes perfect sense, uh, to, to do that. Yeah. And I actually find it very interesting what you were saying about, hey, there are certain routing numbers that they're flagging, 'cause it's no different than scammers calling your phone, right? Mm-hmm. They know some of these numbers are getting used pretty often now. Right. So... Yeah. And now, this is the part where I'm gonna ask you something that, uh, I, I figure you won't know, 'cause this goes into the crime part that I wanna, I wanna hear about. 
If they know about these routing numbers, how come they can't get after these people? 'Cause they'd know who would have that money, right? Somebody has to own that bank account. I, I, I- Maybe they're not in the United States. I think they're not in the United States. Um, I also think the account probably got shut down, but they open another one with all their information. I, I think it's part of the business model too. If, if you're a larger fintech- Mm-hmm. ... client acquisition's a really important piece. Right? If you haven't m- if you're not revenue strong, you're reporting on users, so it, it's kinda like, like I said, it's whack-a-mole, right? If somebody is in, if somebody's stealing $1,000 every two weeks, you're probably whacking it down and moving forward. It's just the cost of doing business, I guess? I don't know. Um, but from security-wise, right, like, use an authenticator. Hm. Use Google, use Microsoft. Use passkeys on Android and, and, uh, Apple so you're not passing over that information. Try to use the more modern security than just, like, your username and password. Um, passkeys are good because then you can use other passwords. I know a lot of people, it's called daisy chaining, where you use the same password over and over and over again. And if they have your email, your email password, you probably use that on other sites too. So, they're using that to get to your other stuff and they know what it is 'cause they're just reading your emails. Yep. So- And they know if they can get into your emails, they can see all the other stuff that you have access to, so yep. Yeah, it's- I, I completely get it. Yeah. Yeah. An- and that's the thing too, like the, you know, it's great that people that are n- traditionally unbanked can access this stuff, but it does cause fraud, right? So you just gotta, gotta play whack-a-mole. Can't quite shake that. Anything else? Is there anything else you wanna add, uh, to these new fraud schemes? 
Um, so I would just say that, you know, with, uh, tax season coming up, there's a lot of tax frauds, right? There's a lot of, more IRS calls saying you owe money or, you know, trying to steal your return and stuff. So just be very, very careful. Make sure you're changing your account numbers. Make sure you're changing your passwords. Make sure that you're, you know, you're in a secure server before you, you enter the information in. Self-service as much as possible, you know, and if you get a notification that somebody's trying to hack, like you get your text message, c- call that company and say, "I'm not trying to log in," so. Well, I'll, I'll give you a perfect example, um, I got a text message and then I got a series of them just saying my Coinbase was hacked. Yeah, I got that too. Yep. And I was like, "Oh, I haven't really logged into it." And I just locked the account. So it's locked out of everything. So I'm not worried, but at the same time I was like, "Well, you know, it's better to be safe." And then I'll log in when I get a chance. Yeah, whenever you get a text message, go to the actual app. Yep. Never click on the- Those, those links are- Yep. ... sketch every time. Go to, go to the app. Right. Yep. All right. Thank you so much, Brian. Yeah. Thanks, Mike. You've been listening to Kaizen Time, part of the Blood, Sweat, and Business podcast. If you liked what you heard, subscribe and leave a five-star review. This podcast has been brought to you by Kaizen CPAs Plus Advisors, providing advisory and accounting services to help you grow your business. Learn more at kaizencpas.com or email us at bsb@kaizencpas.com.