Amid the growing list of cybersecurity concerns businesses must keep on top of, payroll is a growing target for attackers both inside and outside the enterprise.
The latest cases of payroll-related cyber incidents reveal the vulnerabilities of the financial process of compensating employees. As a Federal Communications Commission cybersecurity planning guide recently noted, payroll systems often include among the most sensitive of data including employee bank account details, company bank account details, Social Security Numbers and more.
“Not every employee needs to access all of your information,” the FCC’s guide warns. “Your marketing staff shouldn’t need or be allowed to view employee payroll data.”
Unfortunately, internal staff — whether payroll personnel or otherwise — can often access payroll information and misuse that data for personal gain.
Recent news articles outline schemes in which employees with access to payroll data reroute direct deposits into their own bank accounts or enrol fake employees to receive automatic paychecks on a bi-weekly basis.
On top of this internal fraud, cyberattackers are also targeting payroll systems with similar intentions.
Last month, local Ohio news outlet Journal News reported on the thousands of dollars in government funds diverted into a cyberattacker’s bank account after an attack on a government payroll platform. According to Butler County Auditor Roger Reynolds, a scammer obtained a county payroll direct deposit form and forged an existing county employee’s signature to request that their wages be deposited into the fraudster’s account.
“This particular fraudulent attack is new and we have quickly adjusted our controls to safeguard from it happening again,” Reynolds told the publication.
A similar case in Tallahassee, Florida saw nearly half a million dollars diverted from city payroll systems, the result of a suspected foreign cyberattack on the government’s human resources management portal. In Arlington County, Virginia, government payroll systems were targeted in a phishing attack in July despite the county allocating $60,000 to educate government employees on how to spot and avoid a phishing scam email.
Similar cases are arising in the private sector, too. Reports last month in Beckers Hospital Review noted that in Texas, healthcare system Wise Health System announced that hackers had infiltrated its systems and attempted to change direct deposit details on an estimated 100 payroll direct deposit accounts.
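A defender-side check for the two patterns described above (several employees' pay suddenly pointed at one bank account, and bank details changed just before a payroll run), as an added example that is not part of the original article or any vendor's product; the employee records, names, dates and the 7-day window are constructed for illustration:

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample payroll records (not real data): one row per employee,
# with the bank account currently on file and the date it was last changed.
EMPLOYEES = [
    {"id": "E100", "routing": "011000015", "account": "77710001", "changed": date(2019, 3, 2)},
    {"id": "E101", "routing": "011000015", "account": "77710002", "changed": date(2018, 6, 14)},
    {"id": "E102", "routing": "021000021", "account": "55501234", "changed": date(2019, 3, 28)},
    {"id": "E103", "routing": "021000021", "account": "55501234", "changed": date(2019, 3, 29)},
    {"id": "E104", "routing": "021000021", "account": "55501234", "changed": date(2019, 3, 29)},
]
PAY_DATE = date(2019, 4, 1)  # constructed next payroll run date

def shared_accounts(employees):
    """Return {(routing, account): [employee ids]} for accounts used by 2+ employees.
    Distinct employees paid into one account is the classic sign of mass
    direct-deposit rerouting or ghost employees."""
    by_acct = defaultdict(list)
    for e in employees:
        by_acct[(e["routing"], e["account"])].append(e["id"])
    return {k: v for k, v in by_acct.items() if len(v) > 1}

def recent_changes(employees, pay_date, window_days=7):
    """Return ids whose bank details changed within window_days before pay_date.
    A change made just before payroll runs deserves out-of-band confirmation
    with the employee before any money moves."""
    start = pay_date - timedelta(days=window_days)
    return [e["id"] for e in employees if start <= e["changed"] <= pay_date]

def mask(account):
    """Show only the last four digits when reporting an account number."""
    return "*" * (len(account) - 4) + account[-4:]

def audit(employees, pay_date):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for (routing, account), ids in shared_accounts(employees).items():
        findings.append(f"SHARED_ACCOUNT {routing}/{mask(account)} used by {','.join(ids)}")
    for eid in recent_changes(employees, pay_date):
        findings.append(f"RECENT_CHANGE {eid} changed bank details within 7 days of {pay_date}")
    return findings

if __name__ == "__main__":
    for finding in audit(EMPLOYEES, PAY_DATE):
        print(finding)
```

Run against a real export, the shared-account check should also ignore legitimately pooled accounts (joint accounts of two employees) by maintaining a reviewed allow-list, otherwise it will page on every married couple on the payroll.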
And in February, reports in Krebs on Security noted that payroll software provider Apex Human Capital Management had itself suffered a ransomware attack, an example of another way that cyber attackers are targeting the payroll industry. That incident cut off Apex HCM customers’ ability to access and manage payroll for several days.
Cases of payroll fraud and payroll-targeting cyberattacks continue to appear in local news outlets on a surprisingly frequent basis, but payroll service providers are increasingly aware of the issue.
This week, one payroll software company, Paychex, announced the launch of its cyber liability protection product, a collaboration between Paychex Insurance Agency and AXIS Insurance Company. The solution exemplifies the opportunity for payroll and human capital management solution providers to pair their products with cybersecurity tools, with Paychex’s offering addressing not only the risk of cyberattacks on payroll systems but on other systems as well.
“Cyberattacks present a growing threat to businesses of all sizes, not just large corporations,” said John Gibson, senior vice president of service at Paychex, in a statement. “Cybersecurity insurance can offer peace of mind and be particularly critical for businesses with fewer than 1,000 employees, 60 percent of which fail within six months of a cyberattack due to a lack of resources to offset the breach.”
It is unclear exactly what percentage of cyberattacks on corporate systems target and affect payroll processes and platforms. But with the anecdotal evidence piling up, it’s clear that the threat should be taken seriously — by businesses, employees and the service providers they use.