Direct deposit problem stemmed from data breach: What went wrong?
Paying employees by direct deposit is convenient for all involved. But a recent court case is a reminder that funds could end up in cybercrooks’ bank accounts.
Cybercriminals will seek out any point of weakness. So, continually safeguarding systems and keeping employees informed is essential for businesses.
Here’s what went wrong for one employer, a healthcare entity.
Using employee self-service portal
The employer had a human resources information system (HRIS), which contained an employee self-service portal (ESSP). Employees accessed the portal to input data, such as bank account information for direct deposit purposes.
After a phishing email went out to hundreds of employees, the direct deposit problems surfaced. Scammers had been able to switch the bank account information of about a dozen employees, with the goal of fraudulently receiving their paychecks.
One employee, a doctor, got hit hard when her biweekly paycheck in the amount of $8,432.98 went into the cybercriminals’ account.
By stealing the username and password she needed to log in to the ESSP, the scammers changed the financial institution that received her direct deposit on payday.
The hospital reported the incident to the FBI and its own bank.
But only a small portion of the doctor’s wages was recovered – $79.65.
The predicament led to a lawsuit, with the employee claiming the employer had violated the state’s wage payment laws. After all, she didn’t receive her wages on payday.
The Supreme Judicial Court of Maine agreed, ruling in the employee’s favor.
Setting up new hires for direct deposit
The employer had been diligent when it brought the doctor on board as a new hire.
For example, the hospital stressed to her that she should use caution with her username and password.
Plus, she had to sign a direct deposit authorization form, giving permission for her employer to deposit her wages into the bank account she designated.
You may take these steps and may have other practices, such as asking new hires to fill out an electronic version of Form W-4.
One key to successful electronic interactions and protecting your HRIS? Verifying that you’re dealing with the employee and not a scammer. If an employee reaches out to you through one channel, you may decide to communicate through an alternative channel.
And remember, while properly setting up employees for direct deposit is important, so is having procedures in place for them to safely make changes.