Payroll Fraud: A Growing BEC Threat to Businesses and Employees Alike
1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)
Loading...

Payroll Fraud: A Growing BEC Threat to Businesses and Employees Alike

The FBI reports that direct deposit change requests increased more than 815% in 1.5 years

Note: This article, which was originally published in 2019, has been updated to include related news & media resources.

$8.3 million.

This number represents the total reported losses due to payroll diversion schemes that were reported to the FBI’s Internet Crime Complaint Center (IC3) between Jan. 1, 2018 and June 30, 2019. This form of payroll fraud also sometimes falls under the category of business email compromise (BEC) scams because the criminals commit these crimes using email as their method of choice.

Payroll fraud is a major — and often overlooked — threat to businesses and their employees. The FBI’s data indicates that the average dollar loss reported per complaint was $7,904. But again, these numbers just include the reported losses — they don’t include those that haven’t been reported or have yet to be discovered.

But what exactly is payroll fraud or a payroll diversion scam? And why are these types of fraud a growing issue for businesses and employees alike?

Let’s hash it out.

6 Types of Payroll Fraud Causing Headaches

What’s payroll fraud? Well, the answer depends on whom you ask. Many people define it differently. In the most general terms, payroll fraud is any type of fraud that involves the theft of a company’s money using the payroll system. Payroll fraud often targets people who work in human resources, payroll, finance, as well as tax professionals.

Much like donuts, payroll fraud comes in multiple flavors. Payroll fraud can

  • Come from the top (the employers themselves perform the fraud),
  • Intentionally/unintentionally involve employees, or
  • Be committed by other third parties.

Let’s look at each of these categories more in depth.

Employer Payroll Fraud

We’ll start by discussing a type of payroll fraud that’s committed by employers (corporations, organizations, etc.) themselves: worker misclassification.

This type of crime involves a company or supervisor intentionally misclassifying employees to avoid workplace laws and paying certain costs (such as payroll taxes and workers’ compensation insurance). This illegal practice often involves classifying employees as independent contractors instead of employees. This deprives the employees of their right and protections under the law.

A study by Harvard University shows that 17 of the surveyed states report having laws that specifically address and/or establish penalties for misclassifying employees. And in some states, such as Alaska, misclassifying a worker is both a civil and criminal liability. Some will impose financial penalties against organizations that intentionally and knowingly misclassify a worker as an independent contractor.

Now, we’re not here to discuss the rights and wrongs of these types of practices by businesses and organizations. We’re just trying to shed some light on the different types of payroll fraud that exist — both those that relate and don’t necessarily relate to the cyber security industry in particular. But, let’s move on to our second category of payroll fraud — the types of payroll scams that involve an organization’s employees doing bad things on their own.

Employee Payroll Scams

These types of scams involve everything from simply changing payment information to creating entire false employee profiles. Here are three of the most common types of employee payroll fraud:

  • Ghost Employees. This type of scam involves an employee with access to the payroll system creating a fake employee profile. This “ghost” employee receives direct deposit payments for work that is not completed.
  • Pay Rate Alteration. This type of payroll scam involves an employee colluding with a member of human resources or finance to get their hourly pay rate fraudulently changed to a higher amount.
  • Timesheet Fraud. This type of fraud involves an employee adding unauthorized hours to their timesheets to pad the hours they work. Often done in small increments — 15 minutes here or 30 minutes there — this type of fraud may go unnoticed by overwhelmed supervisors. 

Although timesheet fraud can occur by accident — should an employee simply forgetting to clock out at lunch or at the end of their workday — there are cases in which employees intentionally neglect to clock out to rack up hours for time they don’t work. This is the difference between being involved in an accidental situation and committing an intentional crime.

Third Party Payroll Fraud – How Phishers Are Stealing Payroll Funds

80 Eye-Opening Cyber Security Statistics for 2019

This third and final category of payroll fraud is one that’s of particular interest to us. Third-party payroll scams, more specifically W2 scams and payroll diversion schemes, are often committed by unrelated third parties who use phishing tactics while targeting payroll or human resources personnel.

The first tactic is used to get the victim to provide sensitive personal and/or financial information. The second aims to get them to transfer money.

Either way, both forms of phishing have a single overarching goal: to get the intended victim to perform some type of action through the use of social engineering tactics.  

W-2 Phishing Scams

This is the type of tactic you often read about just before the start of tax season. This type of crime occurs when a cybercriminal attempts to gain access to another person’s W-2 information — including their name, address, Social Security number, income, and withholdings — so they can either sell it or use it to file fraudulent tax returns. They can do this by contacting victims directly or by reaching out to companies HR or payroll personnel to get this information for their organizations’ workforces.

Payroll Diversion Scams

This type of direct deposit scam involves a criminal sending an email to an employee in an organization’s payroll, HR or finance department. The email is designed to look like it’s coming from an employee — often an executive — and asks the target to update or change their direct deposit payroll information. They provide new bank account and routing information to an account that the criminal controls.

However, payroll diversion scams don’t always involve a criminal reaching out to payroll or HR. Other methods of payroll diversion schemes involve the criminals either:

  • hacking into the payroll system itself, or
  • using phishing emails to gain login information from the victims that the attackers can use to access their payroll systems or payroll information.

With both W-2 and payroll diversion fraud, the employees — and their employers — are often on the losing end of these situations.

Both types of schemes can also technically fall under the category of employee payroll fraud because dishonest employees can simply do the same actions to benefit themselves and don’t necessarily require a third-party accomplice. However, they’re becoming common tactics used by cybercriminals who are unrelated to the company and simply want to make a quick buck.

If only these criminals took all of their creativity and determination and applied those traits to things that would be both productive and beneficial for society…

If only.

With all of this in mind, what does a payroll diversion scam look like?

A Real-World Example of a Payroll Diversion Scheme

At The SSL Store, we’re no strangers to phishing emails and tactics. In fact, we receive many emails from people pretending to be our CEO and vice presidents. We also receive phishing emails targeting members of our customer experience team in more personal contexts.

Some of these phishing emails include payroll fraud tactics. Take a look at the payroll diversion scheme email that our office manager (Nellie) received just a couple of months ago from someone posing as one of our vice presidents, Kyle:

If Nellie was in a rush or wasn’t paying full attention when going through her inbox, she may not have noticed one small yet important detail on the email: the “from” address field. Paying attention to this component is key for detecting whether an email is legitimate. If she simply looked at the sender’s display name in her inbox without checking the email address itself when she opened the email, she may not have noticed that the email came from “cf90910@cox.net” instead of Kyle’s official thesslstore.com email account.

Thankfully, Nellie is educated on cyber security best practices and how to recognize phishing emails. This is why employee cyber awareness training is so crucial to the safety and financial security of organizations.    

Why Payroll Diversion Schemes and W2 Scams Are Such a Big Deal

Still not convinced that payroll fraud — or, more specifically, a payroll diversion scam — is a big deal? Let’s paint a more detailed picture to provide some clarity.

It’s Monday morning and your human resources team is playing catch-up with the emails from over the weekend. Among the many messages that Michael, the payroll administrator, received is an email request from Bob in marketing. The email states that Bob just signed up for a new bank account with a new bank, and he wants to transfer his payroll direct deposit from his existing account to the new one.

Sure, no problem.

As the efficient employee you hired him to be, Michael immediately sets to updating Bob’s payroll information to reflect the change in his account. After all, he wants to ensure that Bob’s next bi-weekly paycheck is sent to the new account without delay. Once the update is made, Michael sends a response email to Bob to confirm the change. Bob thanks him, and that’s seemingly the end of it.

Fast forward a month, and Bob sends another email to the human resources team. This time, he is inquiring about why he has not received his last two paychecks. Figuring there must have been a mistake with the account number, Michael goes back and verifies the account information with the information Bob’s first email included. The account information matches, but something else doesn’t: the “from” field of the email address. Although the email appears to be from “Bob Matthews,” the actual email address is from an unrelated Yahoo account (surferdudesr0xi0rs@yahoo.com).

Cue the pit that’s forming in Michael’s stomach — and yours.

When Michael reaches out to the bank to reverse the payments, he’s told that it’s too late: the new account that the two paychecks were sent to is closed, and the money — as well as the criminal who stole it — is long gone.

What All of This Means for Your Organization

The Association of Certified Fraud Examiners (ACFE) estimates that 5% of businesses’ annual revenue is lost to employee fraud and abuse. While this may sound relatively minor, consider this:

“While this number is only a general estimate based on the opinions of the CFEs who took part in our study, it represents the collective observations of more than 2,000 anti-fraud experts who together have investigated hundreds of thousands of fraud cases. To place their estimate in context, if the 5% loss estimate were applied to the 2017 estimated Gross World Product of USD 79.6 trillion, it would result in a projected total global fraud loss of nearly USD 4 trillion.”

Now, we’re talking about potentially substantial financial losses. But it doesn’t stop there. In the case of the payroll diversion scenario we described, not only is your company now out the money that was stolen, but now you also need to pay Bob for the paychecks he never received. Furthermore, your company may suffer reputational damage as a result with other employees and prospective employees if word gets out about the incident. Not to mention, you may have to deal with any legal issues and fines that may result from the situation.

Now, imagine if this type of scenario happened on a much larger scale, involving several — or, worse, all of your employees. Not only would it be a logistical, financial, and reputational nightmare, but it could potentially put you out of business if you don’t plan and prepare for such a situation.  

Examples of Recent Payroll Diversion Scams

Earlier this year, nearly half a million dollars was diverted from the payroll of employees who work in Tallahassee, Florida. In this case, the cybercriminals who performed the attack actually hacked into the city’s direct deposit payroll system.

In Butler County, Ohio, several local government offices were repeatedly targeted by payroll scammers. Some employees’ direct deposits were changed to fraudulent accounts, and multiple duplicated checks worth more than $7,000 each were generated by the scammers as well.

The biggest case to occur recently, however, involves MyPayrollHR, a now-defunct cloud payroll provider based out of New York. The company’s CEO, Michael T. Mann, was arrested and charged with bank fraud. He reportedly admits to stealing an estimated $70 million in payroll and tax deposits from customers.

How You Can Prevent Payroll Fraud and Phishing Payroll Scams

When it comes to preventing or combatting the most common types of payroll fraud, strict policies, meticulous audits, and diligent management play important roles. Another thing that also has a major impact is mandatory regular cyber awareness training for employees.  

  • Conduct Regular Assessments and Audits. These evaluations should include cyber and fraud risk assessments, and audits of financial documents and employee schedules. The first will help you to identify any potential vulnerabilities that need to be addressed. The second helps you to identify any potential anomalies that could be the result of fraud.  
  • Evaluate Your Payroll Information Update Processes and Internal Controls. How are changes to payroll currently made within your organization? Carefully review and adjust your existing processes to ensure that they are most effective. Make it mandatory that before any direct deposit is changed, that the requesting employee is contacted directly using an official communication method. Don’t respond to the requesting email or call any phone number provided in the email message. Instead, call the employee using the number listed in your organization’s internal employee directory.
  • Implement Email Security Measures. Use software, spam and phishing filters that automatically scans emails and email addresses for spam and “spoofing” emails.
  • Implement a Policy of Least Privilege. Only allow access to sensitive systems (such as payroll and personnel records) to those who need it to perform their jobs. Regularly review and update the access controls to ensure that the access information is current. 
  • Make Employee Training Mandatory. Employee needs to be held regularly to keep the information fresh in employees’ minds. It should cover security and cyber awareness training. These types of trainings help employees learn to recognize and react appropriately to phishing and spoofing emails, as well as other email and phone fraud schemes.
  • Review Documents to Stay Informed. Take the time to regularly review all financial statements for any unusual activity.
  • Segregate Financial Duties. No one person should have control over all aspects of a company’s finances. Not only is such a practice bad from a logistics standpoint — what happens if that individual is in an accident? — but it’s also bad from a risk standpoint. Think of it like the protocols and systems in place to protect U.S. nuclear weapons. There’s a reason why the keys and codes to nuclear weapons are controlled by multiple people: to provide a failsafe so that no one person has complete control over arming and launching the weapons.
  • Email Signing and Personal Authentication Certificates. Email signing certificates are a way to help your employees confirm the identity of an email sender as well as protect the integrity of the messages they send through the use of email encryption. Also known as S/MIME certificates, these email signing certificates to help employees verify whether the emails they receive are legitimate and were actually sent by their colleagues.  

As criminals become more creative, it’s up to all of us to become more vigilant. It’s crucial to not only stay informed but to also be prepared for the worst by having mechanisms and protocols in place to aid in both response and recovery from such incidents — no matter how big or small.  

As always, leave any comments or questions below…

Recent Related News

Updated on March 25, 2021

Author

Casey Crane

Casey Crane is a regular contributor to and managing editor of Hashed Out. She has more than 15 years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.