Bloomberg Tax

Payroll Must Be Vigilant Against Data-Breach Scams, Speaker Says

June 3, 2020, 9:09 PM

Payroll practitioners should be aware of the common types of scams that target payroll operations so they can help protect employers and employees from data breaches, a data security specialist said June 2.

Scammers seek to exploit the goodwill of payroll practitioners by tricking them into thinking they are being helpful by providing sensitive data, when they are unwittingly providing the data to the scammers instead of to the intended recipients, said Kim Albarella, senior director of security advocacy at ADP. Because this process of tricking unsuspecting individuals into divulging sensitive data, also known as social engineering, takes into account that humans are on average not naturally suspicious, it makes tactical sense for payroll practitioners to have enhanced awareness of how data-breach scammers operate so that they can be appropriately vigilant in safeguarding data, she said.

“If you think something is weird or suspicious, stop, think twice, and call up the CEO,” Albarella said during the American Payroll Association’s 2020 Annual Congress, which is an online conference for 2020 because of coronavirus considerations. However, “it’s getting to be very difficult for an average payroll processor to identify these scams, especially if the scammer is doing a lot of research on the victims.”

A scam involving misappropriation of payments, also simply known as a payroll scam, involves the payroll department receiving a scam email that appears to be from a manager within the organization who has authority to ask for a payment to be made to an employee. The email asks for a payment to be made to an account that, unbeknownst to the payroll department, is accessible by the scammer, Albarella said. The scam email might be sent from an email address that is not the manager’s actual email address but looks like it, or, far more insidiously, the scammer might send an email from the manager’s email address without the manager’s knowledge if the scammer managed to hack into the manager’s email account, she said.

W-2 scams also typically involve a payroll practitioner receiving a scam email, but instead of the email asking for a payment to be made, the email asks for sensitive data reportable on Form W-2, and typically a large volume of such data, to be transmitted. Information acquired from this scam often is sold by the scammer on the dark web.

Phishing, in the context of scams targeting a payroll department, often involves the scammer sending an email to the department with a hyperlink to a website that appears to be a website with which department personnel regularly interact, but which in actuality is a spoof website that illicitly captures that data, Albarella said.

To guard against scammers hacking into the accounts of key personnel or otherwise gaining access to sensitive data, payroll departments should encourage the use of multifactor authentication and as a matter of regular course double check the veracity of emails they receive that ask for sensitive data to be transmitted, Albarella said.

Multifactor authentication involves configuring the method of accessing data to require entry of not only a username and password but also a separate alphanumeric code that a scammer almost certainly would not be able to acquire because the applicable code would be different for each login instance and generated by a device solely in the possession of the real, authorized user, Albarella said. Having unique codes sent to an email address would not be an effective form of multifactor authentication because if a scammer has gained access to the applicable username and password for the email account, the scammer would be able to access the unique codes as well.

Double checking the veracity of emails purportedly from an authorized individual asking a payroll practitioner to transmit payments or sensitive data is most effective when the payroll practitioner asks the individual who purportedly sent the email, in person, whether the individual in fact sent it.

To contact the reporter on this story: Howard Perlman in Washington at

To contact the editor on this story: Michael Trimarchi in Washington at