Bloomberg Tax
March 24, 2022, 5:51 PM

FBI Warns Payroll Professionals of Cyberattacks, Legal Liability

Emmanuel Elone
Emmanuel Elone

Following practical IT protocols can prevent payroll security breaches, a Federal Bureau of Investigation agent told payroll professionals on March 21.

Criminals use ransomware, malware, and phishing scams to rob businesses of employees’ personal and financial data, said Cary Scardina, a FBI special agent of the Major Cyber Crime Squad.

Payroll professionals should focus on what they can control to prevent data breaches.

“I like to focus on what we can control,” he said. “We can’t control what comes in, you can’t control a third-party breach, and you can’t control against a good nation-state actor. They are too good and use tools we haven’t discovered yet.”

Phishing scams and emails are among the threats payroll professionals can control, he said. Change passwords often and confirm suspicious emails that require sending financial or personal employee information, Scardina said.

“They’re not just tricking you into sending them money,” he said. “They’re tricking you into letting them in.”

Companies can train payroll offices to identify phishing emails by sending suspicious-looking emails and tracking how recipients respond to them, he said at the American Payroll Association’s Capital Summit in Washington, D.C.

Criminals can also gain access and control of information on payroll computers through ransomware and malware. Prevent ransomware and malware attacks by using two-factor authentication whenever offered and shutting down computers on a regular basis, he said.

“It’s a good general practice to turn off your computer sometimes,” Scardina said, noting that some types of malicious software exist only in a computer’s random-access memory and are not actually downloaded to the computer’s hard drive. Turning off the computer clears the RAM. “I would say restart or turn it off before you go to bed. Let it sit, have it off. A lot of files and malware will not come back.”

Employer Liability

Courts and state laws hold employers accountable for payroll breaches even if a third-party payroll provider was breached, said Deborah Tam, senior editor and author at Thomson Reuters.

“Do you have a payroll backup plan?” Tam asked. “It might look similar to a continuity plan in case of a disaster, whether it’s a fire or a hurricane. It might look similar, but there are certain things you need to look out for.”

Employers should plan alternative methods to accurately measure employee work hours, calculate payroll withholding, and create pay statements, Tam added.

Employers should also be aware of federal, international, and state-specific laws for data breaches, she said.

“Many states require that a third-party provider notify the data owner after the breach,” she said. “Some states have specific penalties regarding the failure to notify individuals.”

State regulations also vary as to what constitutes protected personal information that is covered under state law, she said.

“You might need to know precisely in the state that you operate what PPI actually constitutes,” she said. “You’re on the hook as employers, not the third-party provider when people are filing these suits.”

To contact the reporter on this story: Emmanuel Elone in Washington at

To contact the editor on this story: William Dunn at