Privacy Tip of the Week: Theft of Payroll Data on the Rise

By: Drew M Smith

Accountants, payroll and HR professionals are the latest victims of email phishing and spoofing schemes. In these schemes, cyber thieves posing as company executives, or owners, trick accounting and payroll professionals into providing W-2 and other payroll information. In many instances they are asking for updated census lists of employees, social security or birth date information. This type of theft is not simply related to large companies. In most cases the smaller the company, the better, since often there are fewer controls. In two recent claims submitted to our office, one had 25 records stolen, while the other had over 250. Since January 2015, the FBI has reported a 270 percent increase in cyber scam representing billions in losses.

Recently, the IRS reported that due to inadequate safeguards and controls in their servers, many tax returns were inadvertently filed fraudulently and as a result millions of dollars in returns and identities were compromised. What this story didn’t tell was that the IRS isn’t the only one that has been compromised for the purposes of filing false tax returns. Many HR and accounting professionals are under attack due to their access to tax return information.

User Error Continues to Evade Internal Controls

Companies spend a lot of money on internal controls, firewalls, passwords and other security measures. However, employee error continues to evade even the most sophisticated controls. According to a recent study by BakerHostetler employee mistakes account for approximately 24% of all system compromises.1 Authorized employees continue to have the ability to accept emails, open documents, transfer files and otherwise circumvent even the best internal controls. This is more than likely caused by lack of education on the part of companies and their employees. Many just don’t know what to do when a breach occurs or what to look for to prevent a breach. Education on this topic is key to preventing millions of dollars of damage and lost returns.2

Claim Example

A cyber thief hijacks an email server or poses as an employee using a similar email address. The payroll clerk or accountant receives an email from the owner of the company requesting copies of all the W-2’s so that he can file the tax returns for the company. The payroll clerk or accounting professional sends the requested forms to the owner. Unfortunately, it was not the owner that requested this information. At this point all of the information filed in the W-2’s was compromised and given to the thief, including Social Security Numbers, home addresses, the Tax ID number of the employer and even the filing numbers of the employees. With all of the information they need, they can use those numbers to file the returns electronically in their names and use the social security and tax ID numbers for other purposes in the future.3 This can be very burdensome for the employee as it could take up to six months to get an actual refund and they might not be able to file electronically for several years to come. Further, because hackers have their social security numbers and addresses they are subject to further exposure due to identity theft.

Some Preventive Measures to Help Prevent Loss of Employee Data

Although no one is immune from a cyber-attack, companies can implement some procedures to help mitigate their exposure to loss.

  1. Education of Employees is of utmost importance. Employees must know the types of scams that are occurring and be warned of how breaches happen.
  2. Employees should never log onto a website from an email. This goes for credit card companies, utilities or other known companies. You should always go to the website directly from your secure web browser and not from an email.
  3. Never send payroll data via an email. You can set up secure servers internally or use cloud based drop boxes from one of the reputable drop box type companies.
  4. Always verbally confirm any email or request for confidential information. This is regardless if the request is to put the information in a secure drop box.
  5. Please note that banks, credit card companies, the IRS and other regulatory agencies do not ask for personally identifiable information via email. They will almost always send a letter requesting such information.
  6. Verify all vendor addresses and banking information verbally and implement procedures to make changes to any standing data vendor information.
  7. Consider a cyber security audit that will test your controls and your employees’ knowledge of these controls.

Privacy Liability Insurance

A properly structured privacy policy can help you not only with the ultimate liability associated with these breaches but can provide you resources upfront to help develop procedures to mitigate exposure. They can also provide you a breach coach in the event of a loss to guide you through the maze of regulations and requirements in the event you do have a breach. No company should be without this coverage.

For more information about email fraud visit the FBI’s website:

https://www.fbi.gov/news/stories/2015/august/business-e-mail-compromise/business-e-mail-compromise

About Axis Insurance Services LLC

Axis Insurance Services, LLC (AIS) is a licensed professional liability insurance broker located in Franklin Lakes, NJ with agents licensed nationwide. They offer access to high-quality insurance products in the areas of Errors and Omissions insurance (E&O), Directors and Officers liability insurance (D&O), Crime, Fiduciary, and Privacy/Network security coverage for today’s professional service firms. AIS works with all company types including commercial real estate firms, real estate agents and brokers, property managers, insurance agents, medical groups, practice managers, third party administrators, lawyers, accountants, architects, engineers and many others.

Axis Insurance Services, LLC is not affiliated with Axis Capital, Axis Insurance Company, its subsidiaries or affiliates in any way.


1BakerHostetler Is Your Organization Compromise Ready? 2016
2http://www.forensicmag.com/articles/2016/04/cyber-hygiene-could-prevent-next-attack
3https://www.fbi.gov/news/stories/2015/august/business-e-mail-compromise/business-e-mail-compromise

Leave a Reply

Your email address will not be published. Required fields are marked *