{title} icon

Articles From Lumsden McCormick

Protecting Payroll Records From Cybercriminals

No matter the size or industry, most U.S. businesses are vulnerable to cyber attacks, both from the inside and outside the company. Payroll records are among the targeted data. Just imagine the consequences if your company's payroll records were compromised. Workers' personal information could be used to perpetrate identity theft. Bank accounts could be hacked and emptied and the incident could become a public relations disaster.

According to cyber defense company Phishme's Enterprise Phishing Susceptibility Report, more than 90% of cyber attacks are launched through phishing activities. Knowing this, you may actually find it relatively easy to protect your organization's data. The key is to learn about phishing schemes and to educate your employers on how to fend off perpetrators.

Business Email Compromise

Your IT network can be infiltrated in various ways — even by a “mole” in your office. But one of the most common methods hackers use to access payroll records is what's called the business email compromise (BEC) scheme. With a BEC attack, a hacker sets up an email account in the name of one of your employees or managers. Then the hacker uses the account to contact another employee to ask for payroll records or to instruct the worker to click a link that downloads malware. The email looks legitimate, so the recipient is likely to respond.

To avoid BEC schemes, take the following precautions:

  • Maintain and regularly update your cybersecurity software. Most packages provide at least some phishing protection.
  • Require all employees to confirm email requests for confidential data or documents in person. They should never respond to such an email until they've phoned or spoken in person to the supposed sender to confirm its legitimacy.
  • Prohibit employees from downloading attachments or clicking on links contained in an email they can't verify.
  • Require employees to obtain a manager's approval before opening certain files.
  • Make it harder for phishers to access confidential data by using multi-factor authentication. Require workers to use a strong password, plus verify their identities via email or text.

There are variations on the basic BEC scheme. With the “imposter” method, the hacker may pose as the company's CEO or as a trusted advisor, such as lead outside counsel. The cybercriminal might use the right terminology and even official-looking forms to request information. Intimidated by the sender's identity, a rank-and-file employee could decide to accommodate the request without first verifying it.

Weapon or Weakest Link

When it comes to phishing, employees are either your company's most formidable weapon or weakest link. Train new payroll employees about email fraud risks and regularly update and remind longer-tenured workers about phishing threats as they emerge. Make sure they understand that it's better to be cautious and take the time needed to verify an email than to act recklessly simply to get work done quickly.

Formalizing cybersecurity procedures can help guide employees. Create a formal plan for handling confidential information and require every employee to acknowledge it. If employees fail to follow procedures, be sure to discipline them — even if no data is lost. Following through on such matters communicates how seriously you take cybersecurity risks, particularly when it comes to information housed in your accounting department.

Plan For the Best, Prepare for the Worst

Several best practices can help fortify your company's entire IT system. For example:

  • Store backup servers offsite,
  • Block or limit access to nonbusiness websites such as social media platforms,
  • Facilitate strong password protection through software programs and mandate regular password changes,
  • Perform periodic browser history audits on internal communications, and
  • Encourage business associates outside your organization to contact you if they receive suspicious emails purportedly coming from you.  

Even if you take every precaution, there is still the risk that your company's payroll or other business records will be hacked. Make a fraud contingency plan so you'll know what to do if cybercriminals breach your defenses. The plan should specify what needs to be done in the immediate aftermath and who should do it. For example, an owner or CEO might be responsible for working with the IT manager to secure the network. A public relations manager might disseminate information about the incident to internal and external stakeholders. Legal counsel might be needed to meet with law enforcement.

Although it's probably not the first action you need to take after an attack, be sure to report hacks to the FBI Crime Complaint Center at www.ic3.gov. Following a phishing incident, you suspect payroll information might have been stolen and used to perpetrate tax identity theft, notify the IRS at phishing@irs.gov.

Big Prizes Entice

Businesses offer cybercriminals bigger prizes — large cash and data reserves — than most individuals. Hackers are likely to continue targeting companies with phishing scams. Prioritize cybersecurity and train employees to fight potential invaders and you'll reduce this risk.

Protecting Payroll Records From Cybercriminals

for more information

Jill is an expert working with health care and human service organizations including hospitals, nursing homes, diagnostic and treatment centers, mental health service providers, and medical practices; nonprofit organizations; and government-funded entities in the areas of auditing, Single Audit, HUD projects, taxation, information returns, and financial reporting. Jill is integral to our Health Care and Nonprofit services groups managing our larger hospital and human service organization clients. She is the 2020-2021 Regional Executive for the Healthcare Financial Management Association (HFMA) Region 2; she also is a past President of the Western New York Chapter.


Comprehensive. Proactive. Accessible.
How Can We Help?