Listen to this article:

Practical cybersecurity tips for payroll departments 

While prevention is the best medicine when it comes to cyberattacks, if your organization is targeted by criminals, you need to act fast.

Cybercrime that targets businesses, nonprofits and even governments is on the rise. In 2022, cyberattacks increased 38% globally compared to the year before, according to Check Point Research

The FBI’s Internet Crime Complaint Center (IC3) received about 800,000 complaints in 2022, a 5% decrease from 2021, but total losses grew from $6.9 billion to more than $10.2 billion. In the first half of 2022 alone, there were an estimated 236 million ransomware attacks worldwide. 

Payroll is on the front line.

In a 2022 survey by ADP, approximately six in 10 (61%) respondents reported that their payroll operation had been impacted by a cybersecurity breach at least once in the last 24 months. This perhaps explains why 44% say that data security is on their planned improvement list over the next few years.

Payroll and finance departments are particularly vulnerable to cyberattacks because criminals follow the money. Organizations must therefore recognize and avoid the most common payroll scams, and follow security best practices to avoid being compromised. Regular security training for employees can go a long way towards preventing scams and breaches. But it also helps to prepare for the worst-case scenario. 

What to watch for

Threats to global payroll departments can be external (such as hacking or phishing attempts), or internal (an employee or ex-employee diverting funds or misusing access). Here are the most common scams targeting businesses: 

  • Ransomware and malware: Malware attacks, where a malicious software or virus is used to infect an organization’s systems, are a very common and effective form of scamming. Ransomware is the most common form of malware and is one of the main ways payroll departments are targeted globally. If successful, criminals encrypt entire systems with malicious software and hold the company’s data for ransom. 
  • Business email compromise (BEC): In a BEC attack, a hacker sets up an email account impersonating an employee or manager, and uses it to email payroll employees. The hacker, posing as an employee or boss, might ask the payroll professional to change an employee’s bank details, purchase untraceable gift cards, or share payroll data with them. In a newer version of the BEC scam, a hacker may pretend to be the CEO or CFO in a video call and use “deepfake” audio tools or claim their audio or video isn’t working to convince an employee to wire money to a fraudulent account. Hackers usually create a sense of urgency to get employees to disregard security protocols. 
  • Phishing: Criminals often target people working within payroll or finance to try to get them to click on a link containing malware that will give them access to the company’s system. A whopping 83% of organizations reported experiencing phishing attacks in 2022. “Phishing cases are difficult to detect because criminal access to confidential data will be made using real and legitimate employee credentials,” says Fabio Assolini, Head of Research at Kaspersky Latin America. 
  • Employee fraud: Threats to payroll systems can also come from within, in the form of a former or current employee. Payroll fraud refers to the alteration of employee payroll records to facilitate illegal payments. It can include making payments to an unauthorized account belonging to a fictitious employee or misclassifying workers so they receive a higher wage. 

How to prevent cyberattacks

Educating and training employees to recognize attacks is critical for all businesses. Make sure all employees, but especially those with access to financial accounts, know basic precautions such as not sharing passwords and not clicking links from unknown senders. With a good amount of prevention, you can significantly reduce the possibility of your company’s systems being compromised. Specific steps include:

  • Invest in a good antivirus program. This may sound basic, but it is absolutely critical to ensure that your antivirus program is running at all times and is updated regularly to spot sophisticated evolving malware. 
  • Prioritize training. Employees can be the weakest security link; according to Verizon, 82% of data breaches involve human error. Silka Gonzalez, founder of ERMProtect, a leading global cybersecurity service provider, recommends continuous security awareness training for employees. “It has to be an ongoing process of teaching them different aspects of cybersecurity, not just a training once a year with a video or someone in front of all the employees,” she says. Periodic phishing tests can help identify which employees need additional training. 
  • Security by design: Embed security in how you develop new products and set up your IT infrastructure. Multi-factor authentication, where users must provide both a password as well as a second mode of verification, creates extra hurdles for an attacker. 
  • Control and restrict access. Regularly review which employees have access to payroll data and functions, and at which levels, making sure access is only granted to those who need it. Separating duties and access can also help prevent employee fraud. Make sure every payroll employee has a unique login and password, and delete the accounts as soon as an employee leaves the organization.
  • Keep sensitive information secure. Using a modern human resources information system (HRIS) to maintain employee records reduces the risk of payroll diversion. Employees should always use self-service portals to make changes to their banking information. If an emailed request seems suspicious, always double-check in person or on the phone before altering or sharing any data.
  • Audit third-party partners’ security. Consider cybersecurity tactics when selecting technology providers. Request risk assessments from partners to ensure they hold themselves to at least the same level of security that your organization does, and regularly conduct risk audits.
  • Use data analysis to detect improprieties. The Association of Certified Fraud Examiners found that organizations using proactive data analytics reported fraud losses that were 33% lower than organizations that don’t use data analytics for anti-fraud control. 

What to do if the worst happens

If, despite your best efforts, you find your systems compromised by a ransomware or malware attack, it is best to contact a forensic investigation firm immediately and follow their advice for isolating affected systems in order to limit the damage. A digital forensic investigator can help identify the extent of the attack, minimize the impact, and recover any stolen or lost data. 

A digital forensic investigation can be an expensive process, and success is not guaranteed, especially when it comes to ransomware. Costs include the investigation, measures taken to strengthen security, any fines or penalties from data breaches, and the cost of losing access to business-critical data. The average cost of a breach incident was $4.35 million in 2022, according to IBM. 

Payroll security is a complex process, and it can be difficult to identify, let alone plug, every single security gap. But you can prepare for the worst by taking a comprehensive, defensive approach to security, encompassing hardware, software, third-party data storage and physical data storage.

A partner you can trust

ADP is one of only a few Fortune 500 companies with a global, converged security program identifying and correcting security flaws, including:

  • Physical security for employees and facilities, including against natural disasters
  • Threat hunting and management, proactively detecting cyber threats
  • Cyber and information security, identifying security flaws and correcting them
  • Third-party management, identifying vendor and third-party security risks 
  • Fraud prevention, proactively preventing fraudulent transactions
  • Business resilience, with an integrated framework for response and recovery
Aishwarya Jagani

Based in India, Aishwarya Jagani is an independent tech journalist who has written about authoritarian tech, climate change, racism and diversity. She has written for publications including The Postscript, Bustle, The Quint, Unbias the News and Secure Futures.