FBI: Email Attacks on Payroll Rising

Alex Margolin February 26, 2020

Cyber-attacks on payroll are up and they are growing in sophistication, the FBI warned in its annual report on Internet-based crime.

The report, published by the FBI’s Internet Crime Complaint Center (IC3), singled out payroll as particularly vulnerable to email-based fraud, known as Business Email Compromise (BEC). In a BEC attack, the criminal targets a legitimate email address and attempts to trick the recipient into transferring money to a fraudulent account.

“In 2019, the IC3 observed an increase in the number of BEC complaints related to the diversion of payroll funds,” the report states, noting that BEC attacks (including but not limited to payroll) accounted for $1.7 billion in losses in 2019.

“In this type of scheme, a company’s human resources or payroll department receives an email appearing to be from an employee requesting to update their direct deposit information for the current pay period. The new direct deposit information generally routes to a pre-paid card account.”

The FBI said email fraudsters used to focus on accounts belonging to CEOs and CFOs. “Over the years, the scam evolved to include compromise of personal emails, compromise of vendor emails, spoofed lawyer email accounts, requests for W-2 information, the targeting of the real estate sector, and fraudulent requests for large amounts of gift cards.”

The FBI report comes on the heels of a similar report published by the cyber-security firm OGL Computer focusing on UK SMEs. The OGL report listed HR and Recruitment as a top target area for Internet criminals, noting that hackers are attracted to the abundance of private data that is available, including bank account information.

The OGL report revealed that 81% of UK small and medium businesses experienced a data breach in the past year, and 62% of companies in the HR and Recruitment vertical experienced two data breaches. Some 38% of HR and Recruitment companies suffered 3-4 data breaches in the past year.

The Persistent Vulnerability of Manual Payroll

The FBI and OGL Computer reports confirm yet again that email is unreliable for sensitive communications. Whenever information has value, a criminal is likely to try to get it. And if there is money involved directly, it’s a virtual certainty.

Email is an ideal target for criminals because it’s easy to spoof (create a fake that is extremely similar to the real thing) and people have grown so accustomed to the format, they hardly think twice about responding, especially if they are under pressure.
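The direct-deposit change scheme quoted from the IC3 report above, combined with the point that email is easy to spoof, is something a payroll team can screen for before anyone acts on a message. The following is an added example, not code from the article or from Papaya Global: a small triage check that parses an inbound email, flags the usual spoofing indicators (a display name that belongs to a known employee but an address that does not, a lookalike sender domain, a Reply-To that differs from From) and holds any direct-deposit change request for out-of-band confirmation rather than letting it be applied from email. The company domain `example-corp.com`, the employee directory, the keyword list and both sample messages are constructed for illustration.

```python
"""Triage check for direct-deposit change requests arriving by email.

Added example (not from the article or from Papaya Global). The company
domain, the directory, the keyword patterns and the two sample messages
below are all constructed for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"  # assumed corporate domain (constructed)

# Constructed employee directory: display name -> the only mailbox that name may use.
DIRECTORY = {
    "Dana Reyes": "dana.reyes@example-corp.com",
    "Sam Okafor": "sam.okafor@example-corp.com",
}

# Phrases typical of the scheme the IC3 report describes (constructed list).
PAYROLL_CHANGE_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"direct deposit", r"update my (bank|account|deposit)",
              r"(new|change)d? (bank )?account", r"routing number")
]


def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains (example-c0rp vs example-corp)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message):
    """Return the spoofing indicators found and a verdict: PASS, REVIEW or HOLD."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    part = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (part.get_content() if part else "")

    findings = []
    sender_domain = _domain(addr)
    if sender_domain != COMPANY_DOMAIN:
        findings.append("external_sender")
    if 1 <= levenshtein(sender_domain, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike_domain")
    if name in DIRECTORY and addr.lower() != DIRECTORY[name]:
        findings.append("display_name_impersonation")
    if reply_addr and reply_addr.lower() != addr.lower():
        findings.append("reply_to_mismatch")

    is_payroll_change = any(p.search(text) for p in PAYROLL_CHANGE_PATTERNS)
    if is_payroll_change:
        # Banking changes are never applied from email: the employee confirms
        # through the self-service portal or a phone number already on file.
        verdict = "HOLD"
    elif findings:
        verdict = "REVIEW"
    else:
        verdict = "PASS"
    return {"from": addr, "payroll_change_request": is_payroll_change,
            "findings": findings, "verdict": verdict}


# Constructed sample: employee display name, lookalike domain, external Reply-To.
SPOOFED_REQUEST = """\
From: Dana Reyes <dana.reyes@example-c0rp.com>
Reply-To: Dana Reyes <dana.payroll@mail-example.net>
To: payroll@example-corp.com
Subject: Direct deposit update

Hi, can you update my direct deposit to my new account for this pay period?
Routing number and account number are attached. Thanks, Dana
"""

# Constructed sample: ordinary internal message with no payroll content.
BENIGN_MESSAGE = """\
From: Sam Okafor <sam.okafor@example-corp.com>
To: payroll@example-corp.com
Subject: Team lunch

Is everyone free on Friday?
"""

if __name__ == "__main__":
    for sample in (SPOOFED_REQUEST, BENIGN_MESSAGE):
        print(triage(sample))
```

The verdict deliberately holds every banking change that arrives by email, whatever the headers look like: a message from a genuine but compromised mailbox carries none of the spoofing indicators, so the indicators only raise the priority of the review, while the confirmation step through an authenticated channel is what actually stops the diversion.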

When it comes to payroll, however, breaches can happen without email. The entire process of manual payroll has a built-in vulnerability. It’s called the human factor – the biggest vulnerability of all. The more human elements are involved in processing payroll data, the more risk there is for a security breach.

It’s the human factor that drives people to respond to phoney emails that look like real requests from their employees, and that leaves them too busy to notice they are being robbed.

It was the human factor that led to one of the biggest data breaches of 2019. A thief broke into a car and stole two external hard drives containing the payroll data of 29,000 Facebook employees. The hard drives were unencrypted, meaning that the thief had direct access to salaries, bonuses, and other financial data for tens of thousands of employees.

The car belonged to a member of the payroll team at Facebook who was not authorized to remove the hard drives from the office, and who has since been disciplined for mishandling them. But that doesn’t help the 29,000 people whose data was stolen. They remain at risk for internet identity theft and a variety of online scams that leverage the stolen information.

The New Era of Payroll Management

Processing payroll manually and sending the data by email are both remnants of an institutional order that is slowly being replaced as payroll departments modernize. The new era of international payroll management is automated and cloud-based. Data is transferred through secure internal channels that cannot be spoofed by email criminals.

Data security remains a high priority. With so much sensitive data flowing through the payroll process, it will always be a target for internet thieves. Keeping up with the latest developments is essential. Currently, that means certification against ISO/IEC 27001 and, for cloud storage, compliance with SOC 2.

But as the FBI report and recent events demonstrate, mitigating the risk of breaches also requires reducing the human factor. Automation eliminates human error in processing and reduces the mishandling of data. The less information to deliver, the easier it is to protect that information.

With cloud-based systems, integrating with an SSO (single sign-on) system is simple and seamless, allowing companies to minimize password exposure and restrict access to information to those who need it.

Another growing trend is employee self-service. An effective automated platform includes a portal for employees to report their work hours and time off, and to see their payslips and other important information. The employees log in to the portal through their own secure access, so there is no need to expose sensitive data through email.

If payroll managers need more information from the employees, they can reach them through the portal. There is no need for email in the entire process. It protects the company from the most common form of BEC attacks – precisely the type that the FBI warned against in its latest report.

Papaya Provides Secure Global Payroll Services for Enterprise

Papaya can help your company navigate the challenges of global expansion and keep your workforce data safe from cyber-criminals.

Papaya’s automated, cloud-based SaaS platform is ISO/IEC 27001 certified and SOC 2 compliant, and includes Papaya Personal, a special portal for employees, workers, and contractors. All data is encrypted and is transferred through cloud-based channels, not email.

The platform provides a total workforce solution, covering all types of employees, workers, and contractors. It streamlines all employee data into one view, and provides custom Business Intelligence reports to help companies find the information they need about their payroll spending.

The platform combines the best of automation with in-person support from a skilled CSM team, and provides payments throughout the globe in various currencies, all at the same time.

Make your global payroll simple, smart, and secure with Papaya Global.