Payroll diversion. How to stay safe from a growing HR scam

COVID-19 has resulted in higher numbers of people working from home than ever before. It falls to HR to remind staff of their company’s remote work policies, to check their workforce has the necessary equipment to work comfortably, and to make sure all employee contact details are up to date… There’s just so much to do: all urgent, all crucial.

During this busy time, imagine, as an HR manager, receiving an email from one of your employees saying that they’ve switched banks and asking you to update their bank details. You know that payday is coming up, so you need to get this sorted out immediately. You telephone your employee to confirm the request in the email, only to find out that they never made it. You report the fake email to the IT department and get on with your day. Except it doesn’t always go this way…

According to data security specialists Agari, phishing attacks focused on payroll diversion are on the increase. And, in the current tumultuous period, we’re likely to see a rise in cybercriminals targeting over-stretched HR departments to steal money or sensitive information.

What is phishing and how can you avoid it?

Phishing involves tricking someone into clicking on a malicious link, or responding to a seemingly legitimate request, in an email – usually in order to obtain financial or personal information. It’s increasingly popular with cybercriminals, as it’s far easier to trick someone into giving away sensitive information by email than to break through the multiple security layers that surround most modern technology systems.

These emails can appear to come from an employee, or a trusted organisation, such as your payroll provider. Or, you may receive an email that looks as if it comes from someone senior in your organisation, with an urgent request for information.

Here are five ways to help you and your HR team avoid being caught out:

1. Be aware

Make sure that any staff handling sensitive information understand both the risks and their responsibilities. Under the GDPR, data breaches, even if unintentional, can result in significant fines, not to mention risking your reputation.

If you don’t have data security training in place, start it now, and make sure that it’s refreshed on a regular basis. GOV.UK lists some useful free online training courses to help businesses protect themselves against cyber threats and online fraud – check them out here.

2. Never take emails at face value

If you get an email asking for any employee-related information, always check that it’s valid. Make sure you check the email address it’s coming from – some cybercriminals are still careless in camouflaging their emails, and a sender address that doesn’t match the person’s real one is a giveaway.

But we know phishing emails can be very sophisticated, too, with many ‘spoofing’ real email addresses and writing style, and with logos and sign-offs imitated to the very last detail. In this case, there is never any harm in contacting the sender – using an independently validated telephone number or email address, not one taken from the email itself. Don’t reply to the suspicious email, however strong the urge.
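The sender checks described above can be automated as a first pass before anyone in HR acts on a request. The following is an added example written for this article, not code from the original page or from Cezanne HR. The company domain, the staff directory, the confusable-character table and both sample emails are constructed for illustration; in practice the approved contact details would come from the HR system, not from the message.

```python
# Added example (not part of the original article): flag the sender-address tells
# described in tip 2 before an HR mailbox acts on an email request.
# Company domain, staff directory and sample messages are all constructed.

from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-hr.co.uk"  # assumed internal domain (constructed)

# Approved addresses held in the HR system, used as the independent reference
# rather than anything stated in the email itself (constructed).
KNOWN_STAFF = {"Jane Smith": "jane.smith@example-hr.co.uk"}

# Digit/letter swaps commonly used to register lookalike domains (constructed table).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Phrases that mark a payroll-change request, which always needs phone confirmation.
PAYROLL_PHRASES = ("bank details", "account number", "sort code")


def normalise_domain(domain: str) -> str:
    """Fold common lookalike substitutions so 'examp1e-hr' compares equal to 'example-hr'."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_request(raw: str) -> list[str]:
    """Return a list of findings for one raw email; an empty list means no tells found."""
    msg = message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()

    # 1. Display name is a known employee, but the address is not the one on record.
    expected = KNOWN_STAFF.get(from_name)
    if expected and from_addr.lower() != expected.lower():
        findings.append(f"display name '{from_name}' but address {from_addr} (expected {expected})")

    # 2. Sender domain is not ours: is it merely external, or a lookalike of ours?
    if from_domain != COMPANY_DOMAIN:
        looks_alike = (normalise_domain(from_domain) == normalise_domain(COMPANY_DOMAIN)
                       or edit_distance(from_domain, COMPANY_DOMAIN) <= 2)
        findings.append(f"{'lookalike' if looks_alike else 'external'} sender domain {from_domain}")

    # 3. Replies would go to a different domain than the apparent sender.
    if reply_addr and reply_domain != from_domain:
        findings.append(f"Reply-To {reply_addr} differs from From domain {from_domain}")

    # 4. The request itself concerns payment details: confirm by phone before acting.
    text = (msg.get("Subject", "") + " " + (msg.get_payload() if not msg.is_multipart() else "")).lower()
    if any(phrase in text for phrase in PAYROLL_PHRASES):
        findings.append("payroll change request: confirm with the employee by phone before acting")

    return findings


# Constructed sample messages (headers must start on the first line for the parser).
LEGIT = """From: Jane Smith <jane.smith@example-hr.co.uk>
To: hr@example-hr.co.uk
Subject: Holiday request

Can I book next Friday off?
"""

SUSPECT = """From: Jane Smith <jane.smith@examp1e-hr.co.uk>
Reply-To: jane.smith.personal@mail-example.com
To: hr@example-hr.co.uk
Subject: Urgent - new bank details

I've switched banks, please update my account number and sort code before payday.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("suspect", SUSPECT)):
        print(label, assess_request(sample) or ["no tells found"])
```

The first three checks are cheap header comparisons that catch the careless cases; the fourth is deliberately blunt, because any request to change payment details deserves a phone call to a number already on file regardless of how convincing the email looks.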


3. Report it

If you think you’ve been phished, let your IT team know. They can check to see whether the email is genuine and, if not, block the domain that the email came from, as well as keep an eye out for any other suspicious activity. Warn the management team, other colleagues in HR or finance and, if relevant, external providers such as your payroll service, so they can be on the lookout, too.

If the scam looks as if it’s coming from one of your partners or a major institution, report it to them. Most have sections on their website with advice about what to do.

4. Share and store safely

If you do need to share sensitive information, make sure it’s protected at every point of its journey. Spreadsheet password protection is easily bypassed, so don’t email spreadsheets (or any other documents) containing sensitive information. Use an end-to-end encryption service, and don’t store HR data on unencrypted laptops or other devices that could get lost or stolen.


5. Use secure HR systems

Sharing data via a secure HR system like Cezanne HR avoids the need to send sensitive information by email. Cezanne HR’s role-based security allows you to decide who can view and/or edit different types of information (such as contact information, bank details or salaries), and data in transit is protected by encryption and other security measures.

If self-service is enabled for your employees, you can send a separate email to let them know they can update details directly in the system. In addition, ‘restricted’ security roles can be defined for third parties – such as payroll providers – so they can access the relevant data directly from the system. Not only do you avoid the risk of sharing information by email, but the data will be up to date, too.

Read more about how Cezanne HR helps you keep your HR data safe here.
