Payroll Fraud: A Growing BEC Threat to Businesses and Employees Alike

The FBI reports that direct deposit change requests increased more than 815% in 1.5 years

$8.3 million.

This number represents the total losses from payroll diversion schemes reported to the FBI’s Internet Crime Complaint Center (IC3) between Jan. 1, 2018 and June 30, 2019. This form of payroll fraud also sometimes falls under the category of business email compromise (BEC) scams because the criminals use email as their method of choice to commit these crimes.

Payroll fraud is a major — and often overlooked — threat to
businesses and their employees. The FBI’s data indicates that the average
dollar loss reported per complaint was $7,904. But again, these numbers just
include the reported losses — they don’t include those that haven’t been
reported or have yet to be discovered.

But what exactly is payroll fraud or a payroll diversion
scam? And why are these types of fraud a growing issue for businesses and
employees alike?

Let’s hash it out.

6 Types of Payroll Fraud Causing Headaches

What’s payroll fraud? Well, the answer depends on whom you ask. Many people define it differently. In the most general terms, payroll fraud is any type of fraud that involves the theft of a company’s money using the payroll system. Payroll fraud often targets people who work in human resources, payroll, or finance, as well as tax professionals.

Much like donuts, payroll fraud comes in multiple flavors. Payroll
fraud can

  • Come from the top (the employers themselves
    perform the fraud),
  • Intentionally/unintentionally involve employees,
  • Be committed by other third parties.

Let’s look at each of these categories more in depth.

Employer Payroll Fraud

We’ll start by discussing a type of payroll fraud that’s committed
by employers (corporations, organizations, etc.) themselves: worker

This type of crime involves a company or supervisor intentionally misclassifying employees to avoid workplace laws and paying certain costs (such as payroll taxes and workers’ compensation insurance). This illegal practice often involves classifying employees as independent contractors instead of employees, which deprives the employees of their rights and protections under the law.

by Harvard University shows that 17 of the surveyed states report
having laws that specifically address and/or establish penalties for
misclassifying employees. And in some states, such as Alaska, misclassifying a
worker is both a civil and criminal liability. Some will impose financial
penalties against organizations that intentionally and knowingly misclassify a
worker as an independent contractor.

Now, we’re not here to discuss the rights and wrongs of these types of practices by businesses and organizations. We’re just trying to shed some light on the different types of payroll fraud that exist — both those that relate to the cyber security industry in particular and those that don’t. But, let’s move on to our second category of payroll fraud — the types of payroll scams that involve an organization’s employees doing bad things on their own.

Employee Payroll Scams

These types of scams involve everything from simply changing
payment information to creating entire false employee profiles. Here are three
of the most common types of employee payroll fraud:

  • Ghost Employees. This type of scam
    involves an employee with access to the payroll system creating a fake employee
    profile. This “ghost” employee receives direct deposit payments for work that
    is not completed.
  • Pay Rate Alteration. This type of payroll
    scam involves an employee colluding with a member of human resources or finance
    to get their hourly pay rate fraudulently changed to a higher amount.
  • Timesheet Fraud. This type of fraud
    involves an employee adding unauthorized hours to their timesheets to pad the
    hours they work. Often done in small increments — 15 minutes here or 30 minutes
    there — this type of fraud may go unnoticed by overwhelmed supervisors. 

Although timesheet fraud can occur by accident — should an employee simply forget to clock out at lunch or at the end of their workday — there are cases in which employees intentionally neglect to clock out to rack up hours for time they don’t work. This is the difference between being involved in an accidental situation and committing an intentional crime.

Third Party Payroll Fraud – How Phishers Are Stealing Payroll Funds

This third and final category of payroll fraud is one that’s
of particular interest to us. Third-party payroll scams, more specifically W2
scams and payroll diversion schemes, are often committed by unrelated third
parties who use phishing
while targeting payroll or human resources personnel.

The first tactic (the W-2 scam) is used to get the victim to provide sensitive personal and/or financial information. The second (the payroll diversion scheme) aims to get them to transfer money.

Either way, both forms of phishing have a single overarching goal: to get the intended victim to perform some type of action through the use of social engineering tactics.  

W-2 Phishing Scams

This is the type of tactic you often read about just before the start of tax season. This type of crime occurs when a cybercriminal attempts to gain access to another person’s W-2 information — including their name, address, Social Security number, income, and withholdings — so they can either sell it or use it to file fraudulent tax returns. They can do this by contacting victims directly or by reaching out to a company’s HR or payroll personnel to get this information for the organization’s workforce.

Payroll Diversion Scams

This type of direct deposit scam involves a criminal sending an email to an employee in an organization’s payroll, HR or finance department. The email is designed to look like it’s coming from an employee — often an executive — and asks the target to update or change their direct deposit payroll information. The email provides new bank account and routing numbers for an account that the criminal controls.

However, payroll diversion scams don’t always involve a
criminal reaching out to payroll or HR. Other methods of payroll diversion
schemes involve the criminals either:

  • hacking into the payroll system itself, or
  • using phishing emails to gain login information
    from the victims that the attackers can use to access their payroll systems or
    payroll information.

With both W-2 and payroll diversion fraud, the employees —
and their employers — are often on the losing end of these situations.

Both types of schemes can also technically fall under the category
of employee payroll fraud because dishonest employees can simply do the same
actions to benefit themselves and don’t necessarily require a third-party
accomplice. However, they’re becoming common tactics used by cybercriminals who
are unrelated to the company and simply want to make a quick buck.

If only these criminals took all of their creativity and
determination and applied those traits to things that would be both productive
and beneficial for society…

If only.

With all of this in mind, what does a payroll diversion scam
look like?

A Real-World Example of a Payroll Diversion Scheme

At The SSL Store, we’re no strangers to phishing emails and
tactics. In fact, we receive many emails from people pretending to be our CEO
and vice presidents. We also receive phishing emails targeting members of our
customer experience team in more personal contexts.

Some of these phishing emails include payroll fraud tactics.
Take a look at the payroll diversion scheme email that our office manager
(Nellie) received just a couple of months ago from someone posing as one of our
vice presidents, Kyle:

If Nellie had been in a rush or not paying full attention when going through her inbox, she might not have noticed one small yet important detail in the email: the “from” address field. Paying attention to this component is key to detecting whether an email is legitimate. If she had simply looked at the sender’s display name in her inbox without checking the email address itself when she opened the email, she might not have noticed that the email came from “[email protected]” instead of Kyle’s official email account.

Thankfully, Nellie is educated on cyber security best practices
and how to recognize phishing emails. This is why employee cyber awareness
training is so crucial to the safety and financial security of

Why Payroll Diversion Schemes and W2 Scams Are Such a Big Deal

Still not convinced that payroll fraud — or, more
specifically, a payroll diversion scam — is a big deal? Let’s paint a more detailed
picture to provide some clarity.

It’s Monday morning and your human resources team is playing
catch-up with the emails from over the weekend. Among the many messages that
Michael, the payroll administrator, received is an email request from Bob in marketing.
The email states that Bob just signed up for a new bank account with a new
bank, and he wants to transfer his payroll direct deposit from his existing
account to the new one.

Sure, no problem.

As the efficient employee you hired him to be, Michael
immediately sets to updating Bob’s payroll information to reflect the change in
his account. After all, he wants to ensure that Bob’s next bi-weekly paycheck is
sent to the new account without delay. Once the update is made, Michael sends a
response email to Bob to confirm the change. Bob thanks him, and that’s
seemingly the end of it.

Fast forward a month, and Bob sends another email to the human resources team. This time, he is inquiring about why he has not received his last two paychecks. Figuring there must have been a mistake with the account number, Michael goes back and verifies the account information against the information in Bob’s first email. The account information matches, but something else doesn’t: the “from” field of the email. Although the email appears to be from “Bob Matthews,” the actual email address is an unrelated Yahoo account ([email protected]).

Cue the pit that’s forming in Michael’s stomach — and yours.

When Michael reaches out to the bank to reverse the payments,
he’s told that it’s too late: the new account that the two paychecks were sent
to is closed, and the money — as well as the criminal who stole it — is long
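The check that Nellie made in time and Michael made a month too late is the same one: does the display name in the From: header belong to the address it is attached to? The script below, which is an added illustration and not code from the original post or from The SSL Store, automates that comparison for a mail gateway or a triage script. The employee directory, the corporate domain (example-corp.com) and the sample headers are all constructed for the example; only `email.utils.parseaddr` is a real library call.

```python
"""Flag From: headers whose display name impersonates a known employee.

Added example (not from the original post).  The directory, domain and
sample headers are constructed for illustration.
"""
import re
from email.utils import parseaddr

# Constructed directory: display name -> official address.  In practice
# this would be pulled from the HR system or identity provider.
CORPORATE_DOMAIN = "example-corp.com"
EMPLOYEE_DIRECTORY = {
    "Bob Matthews": "bob.matthews@example-corp.com",
    "Kyle Example": "kyle@example-corp.com",
}


def normalize_name(name):
    """Lower-case the name and sort its alphabetic tokens so that
    'Matthews, Bob', 'BOB MATTHEWS' and 'bob  matthews' all map to one key."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))


DIRECTORY_BY_NAME = {
    normalize_name(name): addr.lower() for name, addr in EMPLOYEE_DIRECTORY.items()
}


def classify_from_header(from_header):
    """Return (verdict, reason).  Verdicts are 'ok', 'impersonation', 'unknown'."""
    display_name, address = parseaddr(from_header)
    address = address.lower()
    if "@" not in address:
        return "unknown", "no parsable address in From: header"
    domain = address.rsplit("@", 1)[1]

    # Trick 1: the display name is itself an address, e.g.
    #   "kyle@example-corp.com" <someone@freemail.example>
    # A recipient skimming the inbox sees only the fake address.
    if "@" in display_name and display_name.lower() != address:
        return "impersonation", (
            f"display name {display_name!r} is not the real address {address}"
        )

    expected = DIRECTORY_BY_NAME.get(normalize_name(display_name))
    if expected is None:
        # Not an employee name.  Internal mail passes; external mail is
        # merely unknown, not proven hostile.
        if domain == CORPORATE_DOMAIN:
            return "ok", "internal sender, name not in directory"
        return "unknown", f"external sender from {domain}, name not in directory"

    # Trick 2: a real employee's name on a free-mail or lookalike address.
    # This is the "Bob in marketing" case from the story above.
    if address != expected:
        return "impersonation", (
            f"{display_name!r} should send from {expected}, not {address}"
        )
    return "ok", "display name matches the directory address"


# Constructed sample headers mirroring the two stories in the post.
SAMPLE_HEADERS = [
    "Bob Matthews <bob.matthews@example-corp.com>",
    '"Bob Matthews" <bobmatthews.newbank@yahoo.example>',
    "Kyle Example <kyle.executive.office@gmail.example>",
    '"kyle@example-corp.com" <update-request@freemail.example>',
    '"Matthews, Bob" <Bob.Matthews@Example-Corp.com>',
    "Vendor Invoices <billing@some-vendor.example>",
    "<payroll-system@example-corp.com>",
]


def triage(headers):
    """Classify every header; anything that is not 'ok' goes to a human."""
    return [(h, *classify_from_header(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict, reason in triage(SAMPLE_HEADERS):
        print(f"{verdict:<13} {header}")
        print(f"{'':<13} {reason}")
```

The verdict is deliberately three-valued: only a directory name paired with the wrong address (or a display name that pretends to be an address) is called impersonation, while an unfamiliar external sender is just "unknown", so the rule can run on every inbound message without burying the payroll team in false alarms. Pair it with the process control the post recommends: a flagged direct-deposit request is confirmed by calling the employee on the number in the internal directory, never by replying to the message.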

What All of This Means for Your Organization

The Association of Certified Fraud Examiners (ACFE) estimates that 5% of businesses’ annual revenue is lost to employee fraud and abuse. While this may sound relatively minor, consider this:

“While this number is only a general estimate based on the opinions of the CFEs who took part in our study, it represents the collective observations of more than 2,000 anti-fraud experts who together have investigated hundreds of thousands of fraud cases. To place their estimate in context, if the 5% loss estimate were applied to the 2017 estimated Gross World Product of USD 79.6 trillion, it would result in a projected total global fraud loss of nearly USD 4 trillion.”

Now, we’re talking about potentially substantial financial
losses. But it doesn’t stop there. In the case of the payroll diversion scenario
we described, not only is your company now out the money that was stolen, but
now you also need to pay Bob for the paychecks he never received. Furthermore, your
company may suffer reputational damage as a result with other employees and
prospective employees if word gets out about the incident. Not to mention, you
may have to deal with any legal issues and fines that may result from the

Now, imagine if this type of scenario happened on a much larger scale, involving several — or, worse, all — of your employees. Not only would it be a logistical, financial, and reputational nightmare, but it could potentially put you out of business if you don’t plan and prepare for such a situation.

Examples of Recent Payroll Diversion Scams

Earlier this year, nearly half a million dollars was diverted from the payroll of employees who work in Tallahassee, Florida. In this case, the cybercriminals who performed the attack actually hacked into the city’s direct deposit payroll system.

In Butler County, Ohio, several local government offices were repeatedly targeted by payroll scammers. Some employees’ direct deposits were changed to fraudulent accounts, and multiple duplicated checks worth more than $7,000 each were generated by the scammers as well.

The biggest case to occur recently, however, involves MyPayrollHR, a now-defunct cloud payroll provider based out of New York. The company’s CEO, Michael T. Mann, was arrested and charged with bank fraud. He reportedly admits to stealing an estimated $70 million in payroll and tax deposits from customers.

How You Can Prevent Payroll Fraud and Phishing Payroll Scams

When it comes to preventing or combatting the most common
types of payroll fraud, strict policies, meticulous audits, and diligent
management play important roles. Another thing that also has a major impact is
mandatory regular cyber awareness training for employees.  

  • Conduct Regular Assessments and Audits. These evaluations should include cyber and fraud risk assessments, and audits of financial documents and employee schedules. The first will help you to identify any potential vulnerabilities that need to be addressed. The second helps you to identify any potential anomalies that could be the result of fraud.  
  • Evaluate Your Payroll Information Update Processes and Internal Controls. How are changes to payroll currently made within your organization? Carefully review and adjust your existing processes to ensure that they are as effective as possible. Make it mandatory that, before any direct deposit is changed, the requesting employee is contacted directly using an official communication method. Don’t respond to the requesting email or call any phone number provided in the email message. Instead, call the employee using the number listed in your organization’s internal employee directory.
  • Implement Email Security Measures. Use email security software, including spam and phishing filters, that automatically scans emails and sender addresses for spam and “spoofing” attempts.
  • Implement a Policy of Least Privilege. Only allow access to sensitive systems (such as payroll and personnel records) to those who need it to perform their jobs. Regularly review and update the access controls to ensure that the access information is current.
  • Make Employee Training Mandatory. Employee training needs to be held regularly to keep the information fresh in employees’ minds. It should cover security and cyber awareness training. These types of trainings help employees learn to recognize and react appropriately to phishing and spoofing emails, as well as other email and phone fraud schemes.
  • Review Documents to Stay Informed. Take the time to regularly review all financial statements for any unusual activity.
  • Segregate Financial Duties. No one person should have control over all aspects of a company’s finances. Not only is such a practice bad from a logistics standpoint — what happens if that individual is in an accident? — but it’s also bad from a risk standpoint. Think of it like the protocols and systems in place to protect U.S. nuclear weapons. There’s a reason why the keys and codes to nuclear weapons are controlled by multiple people: to provide a failsafe so that no one person has complete control over arming and launching the weapons.
  • Email Signing and Personal Authentication Certificates. Email signing certificates are a way to help your employees confirm the identity of an email sender and protect the integrity of the messages they send; the same certificates also enable email encryption. Also known as S/MIME certificates, these email signing certificates help employees verify whether the emails they receive are legitimate and were actually sent by their colleagues.

As criminals become more creative, it’s up to all of us to
become more vigilant. It’s crucial to not only stay informed but to also be
prepared for the worst by having mechanisms and protocols in place to aid in
both response and recovery from such incidents — no matter how big or small.  

As always, leave any comments or questions below…

*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store™ authored by Casey Crane. Read the original post at: