Beware of Payroll Scammers

A Recent Spike in Fraudulent Requests Should Prompt a Review of Practices


Recently the Onondaga County (NY) District Attorney’s office warned of a payroll scam targeting employers using fraudulent email addresses to have direct deposit information changed from an employee to an account set up by the scammer or from hackers using an employee’s account to redirect their paycheck.

From the DA’s news release, as reported by “These requests may look valid since they often come from the employee’s actual email account which has been compromised, or a spoof email that is designed to appear similar to the user’s email handle (for example, using the number “1” in place of a lowercase “L”). Alternatively, the request may use the appropriate internal organizational forms to change banking information lending the appearance of credibility.”

There are two primary actions that an organization can take to reduce their risk of being caught in scams like these.

Establish procedures

Your organization should have procedures in place for managing transactions like changing direct deposit information, wire transfers, and even address changes. If you aren’t using an employee self service payroll platform you can require employees to make requests to change direct deposit information in writing using an internal form. Verify all requests with the employee before making any changes to someone’s account. Any deviation from established procedure is at least a warning to be vigilant for a scam.

Educate your entire team on secure communications

It’s not enough for the HR manager or payroll administrator to use best practices if employees are susceptible to having their email or a payroll self service account hacked. Require employees to use strong passwords when setting up accounts and to change those passwords on a regular basis. Experian, the credit bureau, offers tips for generating strong passwords. Make sure your employees know the procedures for making a change.

Payroll companies, including HR One, are actively working to protect users as well. For example, HR One Payentry uses two factor authentication before someone can log-in to their account, which requires not only a user ID and password, but then the use of a verification code that is sent to the person’s phone. While sometimes these steps can appear cumbersome, they are well worth the extra few moments to protect your organization and your people.

If you’d like to review your existing practices and policies when it comes to payroll contact us for a consultation.