Payroll Fraud: How to Tell the Legitimate Companies from Scam Artists
Last Updated: 10/26/2018
Payroll fraud can happen to any business. Many companies opt to work with a payroll services provider to gain efficiency and expertise, but choosing the right one is paramount. Not every payroll firm has your best interests in mind.
Recent news stories highlight the risk. This April, the owner of four professional employer organizations in Michigan failed to pay more than $1.5 million in prescribed federal tax withholdings and faces up to five years in prison.
Schemes to siphon funds from your firm
Fraudulent payroll service providers employ various schemes to steal money from clients. They include:
- Ghost employees: Setting up one or more workers on the company payroll who are not actually employed there, or sometimes don't even exist. The payroll firm creates paychecks distributed to this ghost individual — which funnels company money out of proper accounts.
- Commission stratagems: Payroll is complicated in businesses that offer employees commission, which is why many such firms seek help from payroll service providers. However, illegitimate payroll businesses will try to inflate commission amounts for certain workers by falsifying sales records, invoices and other financial documents.
- Falsified hours and salary: Fraudulent payroll firms will inflate the number of hours worked by certain staff members, or exaggerate monthly take-home pay for salaried workers.
- Vendor impersonation: A scammer masquerading as a valid contractor sends an unsolicited request to update the contractor's payment information, such as new routing and account information for automated clearing-house (ACH) or wire payments, or a request to change payment via check to ACH or wire disbursement, along with routing and account information.
- Payroll impersonation: Crooks target individual employees by asking them to update or confirm their payroll information via a fake payroll platform that mimics their employer's real platform. Ruses include claiming the employee must view a confidential email from human resources or the payroll department, examine changes to their account, or confirm that the account should not be deleted. The fraudsters steal the employee's credentials when the victim logs in from a link or attachment in the email, then change payment information in the real payroll platform.
Staying alert for such subterfuges — and any suspicious activity in your bookkeeping — is the first line of defense against payroll fraud schemes. Frequently review your payroll documents to prevent illegal activity. It's a good idea to reconcile your payroll at least quarterly with someone other than the person who runs your payroll.
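A periodic reconciliation of this kind can be partly automated. The sketch below is an added example, not part of the original article: it compares one payroll run against records the payroll operator does not control (an HR roster, approved timesheets and the previous run's bank details) and flags the patterns listed above for manual review. All names, record layouts and values are constructed for illustration.

```python
# Added example: reconcile a payroll run against independent records.
# Every identifier and value below is constructed sample data.

HR_ROSTER = {"E100", "E101", "E102"}                        # active staff per HR
TIMESHEET_HOURS = {"E100": 160, "E101": 152, "E102": 160}   # approved hours
PREVIOUS_RUN = {                                            # accounts paid last period
    "E100": "ROUTING-A:0001",
    "E101": "ROUTING-A:0002",
    "E102": "ROUTING-A:0003",
}
CURRENT_RUN = [                                             # what was paid this period
    {"id": "E100", "hours": 160, "account": "ROUTING-A:0001"},
    {"id": "E101", "hours": 190, "account": "ROUTING-A:0002"},
    {"id": "E102", "hours": 160, "account": "ROUTING-B:9999"},
    {"id": "E999", "hours": 160, "account": "ROUTING-B:9999"},
]


def reconcile(run, roster, timesheets, previous):
    """Return a sorted list of (employee_id, finding) tuples for manual review."""
    findings = []
    seen_accounts = {}  # account -> first employee paid into it in this run
    for row in run:
        emp, acct = row["id"], row["account"]
        if emp not in roster:
            findings.append((emp, "not on HR roster (possible ghost employee)"))
        elif row["hours"] > timesheets.get(emp, 0):
            findings.append((emp, "paid hours exceed approved timesheet"))
        if emp in previous and previous[emp] != acct:
            findings.append((emp, "bank details changed since last run"))
        if acct in seen_accounts:
            findings.append((emp, f"shares account with {seen_accounts[acct]}"))
        else:
            seen_accounts[acct] = emp
    return sorted(findings)


if __name__ == "__main__":
    for emp, finding in reconcile(CURRENT_RUN, HR_ROSTER,
                                  TIMESHEET_HOURS, PREVIOUS_RUN):
        print(f"{emp}: {finding}")
```

A finding is a prompt to verify through a separate channel, such as calling the employee or vendor on a known number, not proof of fraud.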
Cybersecurity is a must
Today nearly every type of business is online, and payroll scams take full advantage of weaknesses in cyber defenses. No company is immune, no matter its size, although small firms are more vulnerable because they may lack the large-scale data protection and recovery systems available to bigger companies. When choosing a provider for online payroll services, it is important to select a company that takes cybersecurity seriously.
Common cyber schemes aimed at your payroll include:
- Phishing or business email compromise: Fraudsters send you, or someone else in your firm with payroll authority, an email requesting money. The message resembles a service provider's invoice, but the wording, formatting or sender email address seems off. Keep in mind that your service provider is unlikely to request payment in this manner. If the victim falls for the ruse, however, hackers gain access to accounts and can extract private information, process unauthorized requests and redirect funds to anonymous accounts.
- Malware (adware, spyware, ransomware): These insidious attacks assume many guises, the worst of which is ransomware. When opened, the malicious program seizes crucial files and holds them hostage until you pay a ransom to decrypt them. Ransomware gets into a business system when unsuspecting users download materials from a compromised website; open a fraudulent email attachment; or employ an unauthorized USB stick or other external media device.
Train your staff to handle any suspicious email with great care. Hover the cursor over hyperlinks in sketchy messages — without clicking on them — to see whether they'll send you to an unfamiliar or dubious web page. Remember that your internet service provider, bank or credit card company will never ask for sensitive information like passwords or Social Security numbers.
- Social engineering and identity theft: To obtain passwords, financial information or computer access, cyber criminals will impersonate friends or trusted institutions to lure you into revealing these key data. Train your staff to avoid clicking on suspicious links. One click could infect your system with malware able to cause irreparable harm.
Make vetting payroll providers a priority
Just as you take great care in hiring new employees, your organization must take the time to properly review prospective payroll firms' qualifications and capabilities. Consider working with a partner that:
- Has a national reputation for excellence and integrity;
- Has a long history of quality service and ethical business relationships;
- Is publicly traded and adheres to the regulations of the Securities and Exchange Commission (SEC); and
- Can show a certificate of liability insurance.
Payroll providers handle company funds and sensitive documents, analyze employee information and process tax forms. Therefore, it's vital that these companies keep data safe and deliver a high level of accuracy.
In addition, ask to see payroll providers' financial information, such as investor presentations, SEC filings and annual reports. You need to know that the payroll firm you're working with is financially secure.
These resources can help you choose a legitimate payroll services firm:
- A fraud prevention checkup from the Association of Certified Fraud Examiners;
- A payroll provider that provides protection against payroll interruptions; and
- Fraud Threats Resource Center from NACHA, the electronic payments association.
An awareness of payroll fraud prevention and knowing what to look for in a potential provider will lead you to choose a legitimate firm, ensuring that all payroll processes are honest, accurate and timely.