Phishing Emails and Protecting Your Payroll


Cybersecurity is a growing concern among businesses of all sizes, especially when even large companies like Equifax and Target are hit by data breaches. And with the sensitive data it contains, payroll is an increasingly common target of cyber criminals who use sophisticated phishing emails, texts, and other communication to attack.

For employers, defending against phishing is critical. Here, Tony Frye, Complete Payroll Solutions’ IT Director, answers common questions about ensuring the security of workers’ personal information.

Can you describe phishing and how it can impact payroll information?

Phishing is one of the most common and largest threats to secure data. With phishing, cyber criminals attempt to access sensitive data, usually through fake emails that contain requests or questions. Phishing emails can be very deceptive and appear legitimate – even as if they’re coming from within your own organization.

What payroll data is at risk?

Payroll data that can be impacted includes employees’ bank account information, social security numbers, addresses, phone numbers, and other personal data. Depending on the access of the user impacted by phishing, attackers could find multiple employees’ information. In addition, cyber criminals could gain access to employer funds and financial information, putting the entire organization at risk.

How common are phishing threats?

The number of phishing threats has steadily increased over the years. In its latest annual cybersecurity report, Cisco revealed:

  • 66% of malware is installed via malicious email attachments
  • 64% of organizations have experienced a phishing attack in the past year
  • 90% of incidents and breaches included a phishing element

How does CPS monitor and protect against breaches to client information?

Our security measures set our organization apart. In addition to employing all of the security approaches described here, we also have secure local access in our physical locations, allowing only compliance-trained veterans of the industry to access our code-locked operations areas. We also monitor internal communications for suspicious activity. And digital access is managed employee-by-employee, rather than allowing loose, blanket permissions.

What do clients need to do internally to strengthen their defenses?

The biggest thing you can do is train your employees. Most attacks attempt to come in right through the front door, so educate staff to identify the red flags of suspicious emails, such as generic greetings, a sense of urgency, and requests for personal information that contain links. It’s also wise to employ automatically generated notices that alert employees when an email originates outside of the organization to put them on notice. And instruct workers on the use of strong and unique passwords. For more business-specific guidance on protecting your data, consider working with a cybersecurity firm.

Learn more about the phishing techniques used by cyber criminals by downloading our phishing guide.

