Protecting your business from payroll fraud risks

Payroll Fraud Risks

Since COVID, cyber and social engineering attacks have increased many times over, and with AI tools now at everyone’s disposal, the risks to our companies from bad actors are rampant.

As a payroll company, we provide services to hundreds of NH employers who pay thousands of employees each week. Here are a few first-hand examples from the field of payroll fraud attempts by outside actors.

With 2025 on the horizon, now is the perfect time to enhance your existing policies and procedures, and to adopt new ones, in order to minimize your risk.

Business Email Compromise – Example 1

Internal Email Requesting Bank Account Change

In this example, the Payroll Manager receives what appears to be an email from someone on staff, usually a high-level executive or owner. The email includes instructions for a new bank account number/routing number that needs to be updated (usually with urgency) in the payroll system. The Payroll Manager submits a change request to the payroll company, or logs in to the online payroll system and makes the change directly. The problem is not identified until the following pay date, when the Payroll Manager is contacted by the executive because their paycheck was not direct deposited into their bank account as expected. By the time this type of business email compromise is exposed (after the affected payroll has been finalized), it is often too late to recover the lost money.

Business Email Compromise – Example 2

Hacked Email System + Social Engineering

This scenario is a bit more sophisticated: the bad actors hack into the email system and, initially, do nothing. They wait and watch to see how the staff interact with each other via email regarding payroll-related items, and observe how the customer interacts with the payroll company.

In our example, the bad actor eventually decided to take action by sending an email directly to Checkmate from the Payroll Manager’s email account, requesting that 2 new contractors be added to the current payroll. The sender used the same cadence and informal language that we were used to seeing from our client. We had no reason to question the email itself until we replied to verify that they would be happy with live checks, since it was a last-minute request. Once they replied, requesting that the direct deposit be pushed through despite the timing, we called our point of contact, who had no idea what we were talking about.

Key Takeaways:

  • Never act directly and solely upon instructions provided via email for any request that will impact how much someone gets paid or where their money will be deposited.

  • If you utilize a 3rd party for payroll processing or similar financial services, expect this partner to enforce security protocols that are at least as stringent as your own.

  • Ensure that any 3rd party systems that you allow employees to access to view their pay statements, W2s, etc. require the use of Multi-Factor Authentication.

  • Consider adopting the ability for your employees to submit change requests (with automated workflows) for Direct Deposit changes, etc., via your online payroll system.

  • Make sure that you understand specifically how and when the information that you submit to your payroll provider might be questioned, and how that provider’s internal controls can be utilized by you to further enhance your own payroll fraud risk prevention strategies.

While the threats from outside actors are numerous, the risks can be minimized. Your best protection is achieved with standardized, consistently executed internal policies and procedures, complemented by well-implemented technology solutions and employees who are attuned to the risks.