Digital fraudsters target company payrolls for the same reason the notorious bank robber Willie Sutton robbed banks – “because that’s where the money is.” While payroll has long been the target of various schemes and frauds, today, we are witnessing a marked increase in one particular type of scheme. Here is what employers should know about this new fraud scheme when it comes to payroll security.
This new type of payroll fraud leverages malware that harvests and steals passwords. The fraudster then uses the stolen credentials to send requests to change an employee's direct deposit bank account, a scheme known as Direct Deposit Fraud, or to attempt other types of employee spoofing.
The scheme has been startlingly effective, and yet the remedy to counteract it is fairly straightforward. It does require a change in the way many of us have come to operate and process payroll, along with continued vigilance on the part of payroll administrators and HR managers. Overall, leaving your business open to payroll fraud is one of the biggest payroll mistakes companies make.
The thief hacks into a person's email account, reviews the employee's emails, and from them learns where the employee works, who they are, and who pays them. With that information, the hacker can simply send an email from the compromised account requesting a change of bank account for direct deposit.
Of course, the new bank account belongs to the fraudster (typically a "burner" debit card). A careful hacker will then delete the email from the Sent folder.
Note that this request for a change of banking information that the payroll administrator receives comes from a legitimate, known email address of a legitimate, known employee. No one knows anything is wrong until payday when the hacked employee doesn’t receive their pay.
The most important thing businesses can do to prevent payroll fraud is to always independently voice verify any bank account change request (specifically, by calling out to the person by phone or confirming in person).
Managers should never accept banking or financial instructions via email alone. Unfortunately, email today cannot be trusted as a verified source of instructions from anyone – even if the email address is legitimate and known to you.
Of course, some companies already do not allow such types of requests to be made via email. Those companies are not vulnerable to this type of scheme. Others send notifications to employees through their internal systems any time a change is made to their personal information.
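The controls described above (no change on email alone, an independent call-out or in-person check, and a notice to the employee through the internal system) can be enforced as a hold-until-verified gate. The sketch below is an added example, not PayNW's or any payroll product's code; the class and field names, the sample account numbers, and the treatment of an inbound call as non-independent are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Verification(Enum):
    NONE = "none"
    EMAIL_REPLY = "email_reply"      # same channel the fraudster controls
    INBOUND_CALL = "inbound_call"    # requester phoned in; assumed not independent
    OUTBOUND_CALL = "outbound_call"  # payroll called out to the employee
    IN_PERSON = "in_person"

# Only checks that payroll initiates itself count as independent verification.
INDEPENDENT = {Verification.OUTBOUND_CALL, Verification.IN_PERSON}

@dataclass
class ChangeRequest:
    employee_id: str
    new_account: str
    received_via: str                # recorded for audit; never grants trust
    verification: Verification = Verification.NONE

class DirectDepositRegister:
    """Hypothetical payroll store; names and fields are illustrative."""

    def __init__(self, accounts):
        self.accounts = dict(accounts)  # employee_id -> account on file
        self.held = []                  # requests waiting for verification
        self.notifications = []         # internal-system notices to employees

    def submit(self, req):
        """Apply a change only after an independent check; otherwise hold it."""
        if req.verification not in INDEPENDENT:
            self.held.append(req)
            return "held"
        old = self.accounts[req.employee_id]
        self.accounts[req.employee_id] = req.new_account
        # Notify via the internal system, not the possibly compromised mailbox.
        self.notifications.append(
            (req.employee_id,
             f"Direct deposit changed from ...{old[-4:]} to ...{req.new_account[-4:]}"))
        return "applied"

    def verify_and_release(self, req, method):
        """Record the outcome of a verification attempt, then re-evaluate."""
        self.held.remove(req)
        req.verification = method
        return self.submit(req)
```

A request that arrives from a known, legitimate address stays in `held` with the account on file unchanged until a call-out or in-person check is recorded.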
Overall, preventing payroll fraud is just one of many reasons to use a cloud-based payroll solution.
There are many ways that payroll dollars are getting diverted by thieves – other scams and hacks are currently in use as well.
Businesses should always have several lines of defense to protect their data, secure all user credentials, scan their IT environment, and protect against social engineering attempts.
One good place for businesses to start better protecting themselves against things like payroll fraud is with a modern payroll solution. Payroll software, like that available through PayNW, offers a secure cloud-based platform that employers can feel confident in.