Payroll Fraud: a growing threat

Payroll fraud is a big business – and your business is the target. Also known as business email compromise, it involves the theft of a business’s money via its payroll system, often by diverting funds from their intended recipient to another destination.

This type of attack is rapidly becoming more common: the FBI found that identified global losses doubled between May 2018 and June 2019. There were nearly 70,000 reported victims and losses of over $10 billion in the US alone between 2013 and 2019.

As with most forms of social engineering online, a proper understanding of the problem combined with the right preventative measures can greatly reduce the risk for your business.

Common forms of payroll fraud

W-2 phishing scams, which occur at a high frequency during tax season, are a common form of phishing in which an attacker directly contacts a victim or the HR personnel of their employer to gain information such as the victim’s full name, address, and Social Security number. With this information in hand, attackers can sell it to others or use it to file fraudulent tax returns.

Payroll diversion attacks are designed for high-value staff members, often business executives, in order to divert their wages to another location. This form of attack tends to target HR and finance staff with emails that appear to come from employees asking to change or update their direct deposit information.

Threats don’t just exist on the outside of businesses; lax controls around payroll and other finance-related areas within a business can lead to attacks coming from inside.

The impact of payroll fraud on your business

The Association of Certified Fraud Examiners estimates that 5% of businesses’ annual revenue is lost to these forms of fraud. While that number may seem small, when applied to World Bank estimates of the nominal world GDP of 2019 (about $88 trillion USD), the number is close to $4.5 trillion. The worldwide numbers are scary; payroll fraud’s potential impact on your business is worse and has the potential to close your doors for good. Wages originally destined for your staff still need to be paid, often coming from your bottom line. A fraud incident, as painful as it may be for your staff, can also lead to problems with your business’s reputation and jeopardize both existing and prospective opportunities.

Preventing attacks

Regular audits and assessments of your systems and finance-related workflows, documentation, and schedules help identify vulnerabilities that can be used to successfully execute a payroll fraud attack against your business. Valiant’s IT Assessment process is designed to identify and remediate risks in your technology and can identify weaknesses while simultaneously finding opportunities for growth. Audits of finance-related workflows, documentation, and schedules can identify anomalies and suspicious behavior.

Implementing mail filtering services, such as IronScales, prevents messages identified as threats from making it to your staff’s mailboxes. IronScales’ combination of human, automation, and machine intelligence reliably identifies messages containing threats, blocking malicious attachments and phishing attempts – including payroll fraud.

Staff training, particularly around security awareness, provides an additional line of defense against payroll fraud and other attacks. Security awareness training, offered to Valiant clients as part of our managed service offering, helps staff identify and properly react to payroll fraud, phishing, and other attempts to gain sensitive information.

As frightening as payroll fraud is, it can be prevented. Regular assessments of your business’s technology infrastructure combined with proper security measures and staff training will help prevent your business from becoming a victim of payroll fraud, and we’re here to help. Have questions related to how our managed service and staff training can protect your business? Reach out to a member of our sales team and we’ll show you.

Matt has spent the better part of 2 decades building systems, managing IT departments, and developing websites and applications for the education, publishing, and technical service industries. As an MCSE...
