The execution is simple enough. All a hacker needs is the same information as what they get when they steal a person's identity. Armed with a target's email address and banking information, all a hacker has to do (in most cases) is send a formal request to HR, explaining that the target has a new bank account and asking that the paycheck be sent to the details provided.
It all seems legit to the HR personnel receiving the request, because all of the information is accurate. In a growing number of cases, nobody even thinks to check or confirm that the switch has been authorized by the employee in question.
One of the researchers who has been following the growth in popularity of this approach had this to say about guarding against it:
"If a two-factor online system is not being used, we recommend ensuring an element of human contact is established before completion of the request, in addition to checking that the email address is from a legitimate source."
How big a problem is this type of thing?
According to the latest FBI statistics, between October 2013 and May 2018, businesses suffered total losses estimated at more than $12 billion, worldwide. If that doesn't get your attention, few things will. This is a large and growing problem, but thankfully, it's one that can be easily fixed by putting a few additional common sense safeguards in place.