What to Do If Your Organization Is Targeted by Scammers


Criminal opportunists are getting more creative in their scamming techniques. Organization leaders should know what to do if their organization becomes the target of a scam. This post will discuss a new scamming technique targeted at organizations and how an organization should respond if it becomes a victim.

Direct Deposit Scam

In December of 2018, the IRS issued a warning about fake payroll direct deposit emails. The IRS calls this kind of business-targeted scam a business email compromise/business email spoofing (BEC/BES). In this kind of scam, criminals pose as employees and request that the employer update the employee’s direct deposit bank account number. The new bank account is managed by the criminal. The scam is usually discovered fairly quickly, but generally not before the real employee loses wages.

Organization Response

The IRS advises the public to forward the scam email and file a complaint with the Internet Crime Complaint Center (IC3). This center is monitored by the Federal Bureau of Investigation.

USA.gov is the official website of the United States federal government. It was created to make federal government information and services more accessible to the public. USA.gov advises targets of fraud to file a report with the local police department and the state consumer protection office.

In addition, USA.gov recommends that the public contact the relevant federal agencies based on the type of fraud perpetrated. These federal agencies track fraudulent actions and attempt to use this information to identify trends and fight fraud.

The following, from USA.gov, is a list of other possible next steps to report phishing emails:

  • Forward phishing email to the Federal Trade Commission at spam@uce.gov;
  • File a report with the Federal Trade Commission at FTC.gov/complaint;
  • Report phishing email to the Anti-Phishing Working Group at reportphishing@apwg.org. This group consists of ISPs, security vendors, law enforcement, and financial institutions—all attempting to fight phishing with these reports; and
  • File a report of international scams to International Consumer Protection and Enforcement Network at econsumer.gov.

If your organization experiences this kind of scam, you should follow IRS guidance on how to respond to this kind of phishing scheme. Make a report to the Internet Crime Complaint Center (which is monitored by the FBI), the local police department, and the state consumer protection office. Your organization may also wish to make additional reports to the other federal agencies listed above. Doing so is optional, but certainly couldn’t hurt. Reporting unlawful activity to authorities helps them combat fraud and protects the organization by showing a good faith effort to report illegal actions taken against the organization and its employee. You may also wish to consult with legal counsel regarding next steps and organizational liability, particularly if employee data was compromised.


Featured Image by Rebecca Sidebotham.

Because of the generality of the information on this site, it may not apply to a given place, time, or set of facts. It is not intended to be legal advice, and should not be acted upon without specific legal advice based on particular situations.