Securing your pay and payroll data

29 November 2019

Everyone wants to get paid, on time and accurately and payroll professionals want to ensure the payroll they’re responsible for is done, on time and accurately.  It’s not uncommon for employees to reveal their banking information or for payroll staff to accept changes to such information from hackers seeking to take advantage.

A recent approach dubbed 'big phish' scam targets the top. Hackers target a CEO, follow her on social media and find out when she is out of the office, perhaps even send a tester email to receive a welcomed confirmation via auto reply 'I am out of the office with no access to emails', and 'won’t notice a hack until too late'. The hackers then target the payroll team advising a change of bank account details - required urgently. For fear of questioning authority, the request is not challenged and the largest net pay on the payroll is redirected. 

Third party payroll fraud use a variety of methods like these to scam their targets broadly summarised under two tactics: payroll diversion scams which aim to deceive their targets into diverting funds, and phishing scams to uncover employee information in order to sell or use in filing fraudulent claims. Succumbing to these scenarios would represent a logistical, financial, and reputational nightmare. Planning, preparing and ensuring your organisation is educated and not unwarily complicit is paramount.

The UK supermarket Morrisons is arguing in the Supreme Court that it shouldn't be held vicariously liable for the actions of their former auditor Andrew Skelton who copied nearly 100,000 people's payroll data to a USB stick and leaked the data online. Lord Pannick QC, representing Morrisions’ said: 'In relation to vicarious liability, we say the legal test is whether there is a sufficiently close connection between the wrongful conduct of the employee and what he was employed to do, assessed by ref to job function, time, when did he carry out the acts, the geography, where did he carry out the acts and motive.'

Prevention is better than a cure, or a defence - certainly in the Morrisons’ case. Consider these measures:

Plan – identify vulnerabilities that need to be addressed and anomalies that could be the result of or give rise to fraud in your organisation. Regular assessments and audits are critical as are effective and up to date software security measures.

Evaluate – employ protocols to ensure personal information cannot be edited without a multiple step process of authorisation

Identify – implement a policy of least privilege – ensure those who can access information need to and review access rights regularly. Segregate responsibility ensuring no one individual has complete control.

Train – all employees should be aware of their responsibilities regarding security and cyber awareness so they may recognise and react to threats.

Keep up to date – review systems and software to ensure they are capable of meeting security standards and identify any steps in processes that are liable to attack – emailing confidential information internally is a common risky practice.

To find out more about how you can review your payroll processes, implement safe processes, utilise secure technology or mitigate attack, please contact Simon Balaam