Avoiding Payroll Fraud

July 19th, 2019


What would you do if you received an email from an employee asking you to change his/her payroll information? If you are the person responsible for such tasks, you may complete the request without a second thought. Payroll impersonation and redirection fraud is commonplace today, but there are ways to help identify and prevent it.

How it Happens

In some instances, the cybercriminal targets the email accounts of employees by sending phishing emails designed to capture an employee’s payroll credentials. The scammer then logs in to the employee’s account and changes the bank account information to an account controlled by the fraudster. Another technique is to spoof the employee’s email address and set the reply address so that any reply goes to the fraudster rather than to the employee. The fraudster then emails the person within the organization responsible for payroll, asking them to change the employee’s bank information. Compromises are not limited to email. They can also come via phone calls, fax, or mailed letters. Other tactics include social engineering, identity theft, and the use of malware.

Identifying & Preventing Fraud

It’s important to educate your employees processing payroll to recognize and question changes in bank information, requests for secrecy, or pressure to act quickly or outside of policy. Here are some tips:

  • Establish a payroll change process that requires independent authentication of changes to payment instructions. A phone call to a number already on file, a face-to-face confirmation, or a multi-person approval process is best. Consider validating the new information by sending Automated Clearing House (ACH) pre-notification transactions.
  • Look closely to verify the email address when you receive a payroll change request. Check for any spelling errors or missing letters.
  • Do not reply to a message requesting a payroll information change. Instead, use the “forward” option and type the correct email address or select it from a known address book.
  • Train all employees to watch for phishing attacks and malware links and immediately report suspicious activity.
  • Employer self-service platforms should authenticate requests to change payment information using previously known contact information, re-authenticate users accessing the system from unknown devices, and include alerts for administrators when unusual activity occurs.
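The checks above (a reply address that differs from the visible sender, a sender domain that is one or two letters off from the real one, a display name that does not match the address on file, and language that presses for speed or secrecy) can be automated as a first-pass triage step before a human does the independent verification. The script below is an added example written for this article, not code from the original page; the corporate domain example-corp.com, the employee directory, and both sample messages are constructed for illustration.

```python
"""Heuristic triage for inbound payroll-change e-mails.

Added example (not from the original article). It assumes a corporate mail
domain of example-corp.com and a small employee directory, both constructed
here for illustration. Findings are hints for a human reviewer, not a verdict.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed corporate mail domain; a real deployment would read this from config.
KNOWN_DOMAIN = "example-corp.com"

# Constructed directory: lowercase display name -> address HR has on file.
EMPLOYEE_DIRECTORY = {
    "jane doe": "jane.doe@example-corp.com",
}

# Phrases the article associates with pressure to act quickly or keep quiet.
PRESSURE_PHRASES = ("urgent", "asap", "immediately", "confidential",
                    "keep this between us", "can't take calls", "do not call")


def domain_of(address):
    """Return the lowercase domain part of an address, or '' if absent."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance: counts single-letter typos, swaps and omissions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def assess_payroll_request(raw_message, known_domain=KNOWN_DOMAIN,
                           directory=EMPLOYEE_DIRECTORY):
    """Return a list of finding codes; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = domain_of(msg.get("Reply-To", ""))

    # Replies would silently go somewhere other than the visible sender.
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")

    # Sender domain is not ours but is within two edits of it (a missing or swapped letter).
    if from_dom != known_domain and edit_distance(from_dom, known_domain) <= 2:
        findings.append("lookalike-domain")

    # Display name matches a known employee, but the address differs from the one on file.
    on_file = directory.get(from_name.strip().lower())
    if on_file and on_file.lower() != from_addr.lower():
        findings.append("display-name-mismatch")

    # Pressure or secrecy language in the body (plain-text messages only in this example).
    body = msg.get_payload().lower()
    if any(phrase in body for phrase in PRESSURE_PHRASES):
        findings.append("pressure-language")

    return findings


# Constructed sample: lookalike domain, diverted replies, urgency and no phone contact.
SUSPICIOUS_MESSAGE = (
    'From: "Jane Doe" <jane.doe@example-crop.com>\n'
    "Reply-To: payroll-desk@mail-relay.example\n"
    "To: payroll@example-corp.com\n"
    "Subject: Direct deposit update\n"
    "\n"
    "Hi, this is urgent. I changed banks and need my direct deposit moved\n"
    "before this cycle. I'm in meetings all day and can't take calls.\n"
)

# Constructed sample: genuine sender, no diverted reply, invites verification.
BENIGN_MESSAGE = (
    'From: "Jane Doe" <jane.doe@example-corp.com>\n'
    "To: payroll@example-corp.com\n"
    "Subject: Direct deposit form\n"
    "\n"
    "Attached is the completed direct deposit form; happy to confirm by phone.\n"
)

if __name__ == "__main__":
    for label, message in (("suspicious", SUSPICIOUS_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, "->", assess_payroll_request(message) or "no findings")
```

Any finding should route the request to the out-of-band confirmation step the article recommends (a call to the number already on file, never to one supplied in the email); an empty result is not proof the request is genuine, only that none of these four red flags fired.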

If you think a request is suspicious in any way, trust your instincts and immediately contact your employee and your financial institution. As fraud continues to grow and evolve, you, your employees, and solid internal controls are the key to guarding against payroll fraud and other cybercrimes.