In 2014 payroll fraud comprised 10.2 percent of global occupational fraud cases, with organizations suffering a median loss of $50,000 per year.
Social Security numbers, addresses, wages, and bank account numbers are just some of the sensitive data you will find in a payroll department. Breaches in this data can be detrimental to your company’s reputation and financial standing; small businesses, especially, may never recover.
While you cannot stop criminals from attempting to steal your data, you can thwart their efforts by following these best practices for payroll data security.
Educate Employees on Phishing Schemes
In March 2016, the IRS announced that payroll and HR professionals should watch out for phishing email schemes falsely claiming to be from company executives and requesting personal employee information. The announcement came on the heels of a spike in phishing emails several major companies – such as Snapchat and Seagate Technology – into releasing employees’ Social Security numbers, wages and addresses to email fraudsters.
Phishing email schemes are designed to appear genuine. They will, for example, reflect the real name of the company executive they’re impersonating. To combat scammers, train your payroll and HR employees to spot a phishing email. The email may appear to have come from a company executive, but recipients should check the reply address, which in the case of a phishing email will not be a company email address. It is also a good idea to verbally verify all emails from company executives requesting sensitive employee data before responding. Use a company directory to contact the executive requesting information rather than the contact information in the suspect email.
Additionally, according to the IRS a phishing email to your payroll department may contain words such as:
- Updated list of employees
- Full details
- Kindly prepare
- Kindly send
- Earnings summary
Though the primary tax season is over, the IRS has asked HR and payroll departments to remain aware and vigilant of ongoing W-2 phishing schemes.
Separate Payroll Duties
Having more than one person handle payroll helps deter employee fraud. To lower the risk of time card falsification and paycheck theft, a larger company might delegate separate individuals to review time cards, prepare payroll, authorize payroll, and generate payments. Bigger companies tend to have more antifraud measures in place, which allow them to detect fraud sooner than their smaller counterparts. Still, smaller companies can minimize fraud by ensuring that at least two people are involved in payroll processing.
Implementing strong check payment internal controls a good defense against payroll fraud.
- Avoid printing employees’ full Social Security number on paychecks.
- Keep blank check stock and undistributed paychecks in a secure area.
- Remove terminated check signers from your authorized check-signer list and inform your bank accordingly.
- Send an electronic positive pay file to your bank daily. This file includes the valid checks you've written so the bank can help prevent fraud by refusing to cash unauthorized checks.
Strengthen Computer Security
According to Symantec Corporation, in 2015 over half a billion personal information records were lost or stolen due to data breaches. In addition, the IRS found that between 2014 and 2015 hackers infiltrated its “Get a Transcript” online application, resulting in potential unauthorized access of over 700,000 taxpayer accounts.
Clearly, employers must take strong measures to secure their computerized payroll system. But, no system is perfect. “No one, either in the public or private sector, can give an absolute guarantee that a system will never be compromised,” said IRS Commissioner John Koskinen in his testimony before the House, Science, Space and Technology Committee in April.
Still, the following processes can help tighten computer security:
- Install a firewall to block unauthorized access, establish a proxy server to control and limit Internet access, and audit network connections frequently.
- Use spam filters to detect unsolicited and unwanted email. Avoid clicking on suspicious links contained in emails or encountered online.
- Install patches and updates to keep software and operating systems clean and current.
- Back up data regularly, in case the system crashes. Develop a policy detailing what, how, when, and by whom data should be backed up.
- Establish strong, unique and long passwords containing a blend of numbers, symbols and upper and lowercase letters. Change passwords at least every 90 days and avoid using similar passwords for each platform.
- Encrypt the sensitive data stored on your computers and mobile devices to avoid unauthorized access.
- Remind employees to position their computer screen so unauthorized individuals cannot see the display and to log off the payroll system before leaving their work station.
- Develop a checkout policy that includes blocking computer access and terminating passwords for employees who leave the company.
Protect Physical Data
Payroll data compromise often happens the old-fashioned way, via lost or stolen paper documents. To safeguard physical data:
- Keep paper files along with CDs, floppy disks, USB flash drives, tapes and backups containing confidential data in a locked room. Give file room and cabinet access only to employees with a legitimate business need, such as your payroll processor, bookkeeper or managing partner.
- Instruct your payroll staff to put away documents with sensitive information and lock their file cabinets when leaving their workstations.
- Collect file room keys and identification badges from terminated employees.
- Incorporate document shredding into your company policy and explain its importance to your payroll staff. Shredding is the best way to get rid of unwanted papers containing confidential data.
Data Breach Regulations
Many states, including California, Delaware, Colorado, Minnesota and Tennessee, mandate that an employer notify employees when a breach in their personal information occurs. Starting July 1 in Tennessee, employers must also inform employees as to whether the compromised data was encrypted.
Data security offenders can strike any business at any time. Careful planning and diligence are keys to reducing the likelihood of a data breach within your organization.