Complete Payroll Solutions Logo

Phishing Emails: Protecting Your Payroll Against Cybercrime

by Anthony Frye on Mar 30, 2021 4:03:16 AM

The number of phishing attacks – those that use disguised emails to lure recipients into revealing information or clicking a malicious link – continues to grow each year. And payroll data is an increasingly common target. With the evolving risks, we know it can be challenging to understand what you need to do to protect your company and your employees.

At Complete Payroll Solutions, we have been providing payroll solutions to companies for over 18 years. We understand how sensitive employee data like Social Security numbers and bank account information is and the measures to take to keep your information safe.

To help you understand where your company may be vulnerable to attack, here we’ll discuss:

  • What is phishing
  • Who is at risk
  • Signs of an attack
  • How to lower your risk of a payroll breach

After reading this article, you’ll know what steps you need to take to protect sensitive payroll data in your organization.

What is phishing?

Phishing is a form of cybercrime in which the attacker attempts to convince a victim that they are a legitimate entity or institution. Typically, the attackers try to trick recipients into providing sensitive information such as Social Security numbers, bank account information, or credit card details as well as passwords that can be used to obtain the data they seek.

Who is at risk?

Any organization is at risk of a phishing attack and so are employees in virtually any department. However, because of the personal information it contains, including bank account numbers, Social Security numbers, addresses, phone numbers, birthdates, and other personal data, payroll is an increasingly common target.

For example, your in-house payroll staff may receive a scam email that appears to be from a manager in the company and asks for a payment to be made to an employee or asks for data from a Form W-2. Depending on the employee, the attacker could find multiple employees’ information or even gain access to employer funds and financial information, putting the entire organization at risk.

Even if you outsource your payroll, you may be understandably concerned because of high-profile incidents involving payroll companies like ADP, whose clients’ tax information was exposed. In fact, while any business is susceptible, in the first quarter of 2020, financial institutions represented 19% of those targeted and the payment sector 13%.

What are the signs of a phishing email?

Phishing emails can be very deceptive and appear as if they’re legitimate. This is especially true when the email appears to come from within your own organization, for example, one that looks as though it was sent by a member of the executive staff. However, there are some common elements among many phishing emails. According to the FTC, these include:

  • the email may look like it’s from a company you know or trust
  • it may tell a story to trick you into clicking on a link or opening an attachment
  • the message will often have a generic greeting

Other signs of phishing emails include bad grammar, spelling mistakes, or inconsistencies in links and domain names.

Since many companies have installed better security technologies to detect phishing emails, attackers have evolved their methods over time and gotten more creative so it can sometimes be hard to spot a scam. For example, during COVID-19, some cybercriminals were spreading malware by adding text from COVID-19 news stories to phishing emails to bypass security software that uses artificial intelligence and machine learning to detect it.

How can I protect against phishing emails?

Given the nature of phishing attacks, technologies such as DNS filtering and email filtering can help protect your organization. Yet, technology is reactive, meaning attackers will alter their methods to bypass protection until the technology rolls out an update to stop them – a continuous cycle.

As a result, the most impactful way to lower your risk is training. Teach employees how to spot and report suspicious emails. And use real-life examples they can relate to. For instance, a common phishing scam is for someone posing as an executive in your company to ask an employee to buy a gift card for them.

By arming employees with the knowledge they need to practice caution and avoid opening emails that contain red flags, you can proactively mitigate the threat to your organization by stopping attackers in their tracks.

Choosing a Secure Payroll Provider

If you choose to outsource your payroll to a third-party provider, you’ll want to partner with a vendor who utilizes a combination of training and technology to prevent the leak of sensitive information.

If you’re evaluating payroll companies who can provide the level of security you need, Complete Payroll Solutions could be an ideal partner for you if you want a vendor who:

  • Trains all new employees and provides documentation on how to identify phishing emails
  • Provides examples of recent phishing attempts to employees to keep them up-to-date on what to look out for
  • Limits phone call access to authorized/verified contacts only
  • Employs technology that covers both ends of potential phishing attempts, from blocking phishing emails with Mimecast before they make it to a recipient to filtering DNS to prevent a user from accessing any embedded hyperlinks
  • Undergoes an annual SOC audit with a third-party firm to ensure we meet or exceed all industry standards
  • Holds a cybersecurity insurance policy with stringent restrictions to qualify for coverage

To learn more about our payroll security protocols, visit our dedicated security page.



Enter your email address to subscribe to this blog and receive notifications of new posts by email.

HR Cast