It’s National Cybersecurity Awareness Month, and one of the most critical threats for small businesses to be aware of is payroll phishing fraud. Phishing, at its core, is a kind of scam that involves using email, phone or some other means of communication to trick someone into submitting their personal information and then exploiting it. One important thing to know about payroll phishing scams is they are often advanced — meaning, to carry out payroll fraud, scammers will go to great lengths to gather specific details about employees in order to be able to successfully masquerade as them, even sometimes compromising their accounts in advance.
Because of this, it can be hard to identify illicit requests because they look so legitimate. So, what can small businesses do to avoid falling victim to payroll scams? In this piece, with the help of phishing expert Jim Kilmer, co-founder and division director of the Technology Services division of the Opal Group, we break down what kinds of phishing scams to be aware of, and some measures you can take to
prevent your company from being scammed.
- Know what to look out for
The two most common types of payroll scams you’re going to encounter at the company level are: direct deposit and W2 fraud. With direct deposit fraud, a scammer will contact HR, pretending to be an employee, and try to convince them to change “their” direct deposit information, or log onto an employee’s account if they’ve managed to get their username and password, and attempt to change the direct deposit information firsthand. When scammers call HR, they often try to convey a sense of urgency or call 24 hours before payroll is due, inventing sob stories designed to procure sympathy. Even though you want to be helpful, it’s more important to verify that a request is valid before you move forward.
W2 fraud tends to happen during tax season, and it’s a problem that is rampant and growing. It’s a scam in which hackers contact companies to get W2 information so they can file fraudulent tax returns. The way it works is scammers (again, pretending to be an employee) claim they never received “their” W2, or they forgot to mention that they moved, then requesting a copy of the W2 be sent to their “new” address or P.O. box. Anything having to do with W2s — asking for it to be sent to a different place, or for secondary copies — should be scrutinized and verified.
- Know who you’re dealing with
We touched on this a bit above regarding direct deposit and tax scams, but this tip is universal. Regardless of what kind of phishing it is, this is an important rule in prevention. “The catchphrase in the industry is, ‘trust but verify,’” Kilmer says. If someone sends you an unsolicited request to change something about their personal or financial information, verify that they want this done before taking action. Ideally, you should use a separate channel for verifying than the one they used to contact you. In other words, if someone reaches out by email, call them back or stop by their desk to confirm it was actually them requesting the update.
- Train your employees on best practices to prevent phishing
Employers should train everyone at the company — perhaps offering quarterly phishing training — and establish rules and procedures for how to handle unsolicited or suspicious information requests. “If you set procedures in place and follow them, you’re not going to fall victim to a payroll scam, or frankly any other type of financial scam,” Kilmer says. “It’s about having a [verification] process, following the process and not falling victim to urgency scams by shortcutting your process whenever you receive a request to change sensitive information.”
- Remove the names of HR employees from your company website
As we know, scammers try to target specific people in companies, often HR employees for obvious reasons. Rather than make it easy for them, Kilmer recommends not listing your HR employees on your website. And while you’re at it, consider refraining from including your other employees’ contact information on your website, too. It doesn’t mean scammers will never be able to find it, but if you make it that much harder, you have a better chance of discouraging hackers from going after your employees to begin with. As Kilmer reaffirms, by providing their information, “you’re just giving the bad guys the ammunition they need to more effectively scam you.”
Payroll phishing scams are going to happen “any time of day, any day of the week, all year long,” says Kilmer. “All you can do is be prepared.”
Copyright 2019
