Payroll Phishing Scams: What to Look For

In addition to the risk of internal fraud, most employers are aware that external cyberattacks are on the rise and can manifest in a variety of ways. The most common and costly type of cybercrime is payroll phishing, which aims to coerce employees (particularly payroll staff) into providing sensitive company or employee information, especially information related to login credentials and bank accounts. Although the methods cybercriminals use to infiltrate payroll systems can be convincing and sophisticated, there are a number of steps you and your employees can take to protect your company, minimize the risk of an incident, and respond promptly should an incident occur.

In this article, we’ll explore some of the most common scams used by cybercriminals, and offer best practices on how to spot them and safeguard your company against cyberattacks.

Common Payroll Phishing Scams

Although the “end goal” of phishing scams can vary, in most cases cybercriminals aim to gain access to direct deposit details so that deposits will be made to an account that is in the cybercriminal’s control. Cybercriminals also initiate scams to do the following:

• Acquire W-2s or W-2 information to illegally file a tax return and collect tax refunds 
• Start a wire transfer and direct it to a bank account that is in the cybercriminal’s control
• Inflict financial or reputational damage on a business or individual employee

How the Process Works

Most cybercriminals capitalize on business email compromise (BEC) to successfully gather sensitive information from a company employee or payroll manager. They often begin by illegally hacking a business’ email domain (an easier step to accomplish if the company doesn’t use multi-factor authentication). Often using a “look-alike” email account associated with an actual employee, they send an email to a payroll manager, HR employee, or another relevant staff member requesting a payroll change to ensure that a payment is directed into the correct account (one that the cybercriminal controls). The cybercriminal will likely use social engineering tactics to create a sense of urgency, concern, or guilt on the part of the recipient, whether it’s suggesting that a late payment will impact their financial well-being or otherwise. If the recipient changes any payroll details as requested, funds will be sent to the account controlled by the cybercriminal and the entire payroll system is subsequently exposed to the threat.

In another common scam, a cybercriminal sends an email to an employee (from the business’ email domain), requesting a needed e-signature or answers to business-related survey questions. Usually, the recipient is directed to click a link and, upon redirection, is prompted to verify their identity by entering their login credentials. Sometimes the recipient is asked to provide an updated password as well as their existing login credentials. In either case, if the credentials are secured, the cybercriminal can then gain access to the company’s payroll system, acquire more information, change account information, redirect direct deposits to their own controlled account(s), and even repeat the process with other employees.

Best Practices to Safeguard Your Business and Employees

Whether your business has already experienced a payroll phishing scam or you’d like to protect your business and employees against potential threats in the future, there are a number of proven measures you can take:

• Offer periodic and targeted training to your employees (especially those in payroll and HR) regarding the threat of cyberattacks, including cybercriminal tactics and common phishing scenarios.
• Take measures to ensure that your business’ payroll protocols are not publicly available. When this information is accessible to those outside of your business, it can be leveraged to create a convincing phishing scam that exploits your employees.
• Develop a thorough internal process for verifying an employee’s payroll change request. This minimizes the likelihood of social engineering tactics working effectively on an unsuspecting employee.
• Instruct your employees to alert HR or IT regarding any suspicious emails, especially those that request login credentials, sensitive personal information, etc. 
• Utilize multi-factor authentication across your business’ email accounts/domain, as well as secure email gateway (SEG) software.
• Instruct your employees not to provide their SSN, login credentials, bank account details, or other sensitive information via email or phone. Institute clear company procedures for updating and processing this information.
• Ensure that employee login information for your payroll system differs from other login credentials (for email, other software, etc.).

Protect Your Business and Optimize Payroll with the Orsus Group

Cybercriminals are constantly updating their methods to execute payroll phishing scams that cause large financial losses and reputational damage to businesses of all sizes. The Orsus Group offers comprehensive HR consulting that keeps your business protected, your information safe, and your policies and training in alignment with your security and privacy goals. To complement our services, our partner company, Cello HR offers an intuitive, encrypted, and employee-friendly payroll platform that mitigates the risk of cyberattacks while keeping your payroll timely and efficient for your employees.

Contact us today to enjoy secure and streamlined payroll that keeps your business and employees safe.