- Education is paramount to prevent phishing attacks
- Expert recommends clear company policies, restricted authorization
Failure to mitigate common forms of fraud can lead to costly incidents for employers, negatively affecting company trust and culture, an industry expert said July 10.
Employers who fail to mitigate payroll fraud can risk suffering monetary loss, the most visible risk due to fraud, said Susan Judah, Senior Functional Consultant at Workday. Large-scale hacks can also risk harm to company culture, creating a sense of distrust amongst employees and distrust in the company, she said. In recent years, fraud and other security risks have led to social media backlash, which can have a lasting effect on employers.
Payroll departments are often targets of hackers seeking to extract company pay data through phishing attacks. Phishing is a form of cyberattack that exploits employees by appearing to resemble a reputable source. Spear phishing is a more highly targeted form of phishing designed to deceive specific employees within an organization, often masquerading as another employee within the same organization.
A commonly used payroll spear phishing attack appears as an email request from an employee seeking to change their payroll information, even though most companies rely on self-service software for such requests. “Always review emails for spelling errors to ensure the sender is using a valid address,” she warned.
“Employee education is a crucial component in limiting an employer’s exposure to fraud,” said Judah, speaking during PayrollOrg’s 2024 Virtual Congress.
An essential tool to help mitigate the risk of phishing-induced fraud is the implementation of a clearly defined code of ethics handbook. The handbook should include clear guidelines for the employment and supervision of family members, details on gifts to personnel with amount limits, and clear definitions of what the company considers a conflict of interest, said Judah.
Employees should read and sign the employer's code of conduct, in addition to confidentiality agreements, corporate property use agreements, and technology use agreements, all clearly outlining best practices to avoid common forms of fraud.
In addition to education, employers should restrict access to sensitive data. “Who has access to sensitive data?” asked Judah. Access can include physical access, such as access to sensitive paper data, or access to internal software controls. “Who manages pay changes, and are you able to quarantine harmful information once discovered? These are all important questions you must think about,” Judah stressed.
The use of encryption software is paramount for any internal and external file sharing to ensure email attachments remain confidential, said Judah. Defined email filters can help employers block out frequent offenders who might be attempting to defraud the organization. “Filters can be trained to flag these frequent offenders,” she said. A system should also be in place to flag phishing emails. Once an email is flagged, the organization should immediately quarantine it to prevent it from reaching other employees.
Regarding best practices, Judah said the use of password protection software, such as multifactor authentication, is critical to ensuring that only authorized users can access sensitive data. “If you already use [password protection] software, ensure it’s up to date with the most recent version as hackers can learn how to bypass the current settings in the system,” she said. Employers are encouraged to follow the software provider’s recommended update schedule to get the most up-to-date protection.
Finally, a key strategy for mitigating fraud is the segregation of duties, said Judah. Determine which employee oversees the segregated duties and consider implementing job rotation, another essential tool in educating employees, while also maintaining a check and balance on what is happening at every level of the organization.