Protecting Payroll Records From Cybercriminals

No matter the size or industry, most U.S. businesses are vulnerable to cyberattacks — both from inside and outside the company. Among the data targeted are employee payroll records. Just imagine the consequences if your company’s employee records were compromised: Worker’s personal information might be used to perpetrate identity theft, your company’s accounts might be hacked and emptied, and the incident could become a PR disaster.

According to cyber defense company Phishme’s Enterprise Phishing Susceptibility Report, more than 90% of cyber-attacks are launched through phishing activities. Knowing this, you may actually find it relatively easy to protect your organization’s data. The key is to learn about phishing schemes and to educate your employers on how to fend off perpetrators.

Business Email Compromise

Your IT network can be infiltrated in various ways — even by a "mole" in your office. But one of the most common methods hackers use to access payroll records is what’s called the business email compromise (BEC) scheme. With a BEC attack, a hacker sets up an email account in the name of one of your employees or managers. Then the hacker uses the account to contact another employee to ask for payroll records or to instruct the worker to click a link that downloads malware. The email looks legitimate, so the recipient is likely to respond.

To thwart BEC schemes, take the following precautions:

  • Maintain and regularly update your cybersecurity software. Most packages provide at least some phishing protection.
  • Require all employees to confirm email requests for confidential data or documents in person. They should never respond to such an email until they’ve phoned or spoken in person to the supposed sender to confirm its legitimacy.
  • Prohibit employees from downloading attachments or clicking on links contained in an email they can’t verify.
  • Require employees to obtain a manager’s approval before opening certain files.
  • Make it harder for phishers to access confidential data by using multi-factor authentication. For example, to open payroll files, require workers to use a strong password, plus verify their identities via email or text.

There are variations on the basic BEC scheme. For example, with the "imposter" method, the hacker may pose as the company’s CEO or as a trusted advisor, such as lead outside counsel. The cybercriminal might use the right terminology and even official-looking forms to request information. Intimidated by the sender’s identity, a rank-and-file employee could decide to accommodate the request without first verifying it.

Weapon or Weakest Link

When it comes to phishing, employees are either your company’s most formidable weapon or weakest link. Train new payroll employees about email fraud risks and regularly update and remind longer-tenured workers about phishing threats as they emerge. Make sure they understand that it’s better to be cautious and take the time needed to verify an email than to act recklessly simply to get work done quickly.

Formalizing cybersecurity procedures can help guide employees. To create a formal plan for handling confidential information and require every employee to acknowledge it. If employees fail to follow procedures, be sure to discipline them — even if no data is lost. Following through on such matters communicates how seriously you take cybersecurity risks, particularly when it comes to information housed in your accounting department.

Plan For the Best, Prepare for the Worst

Although not specific to protecting payroll data, several best practices can help fortify your company’s entire IT system. For example:

  • Store backup servers offsite,
  • Block or limit access to nonbusiness websites such as social media platforms,
  • Facilitate strong password protection through software programs and mandate regular password changes,
  • Perform periodic browser history audits on internal communications, and
  • Encourage business associates outside your organization to contact you if they receive suspicious emails purportedly coming from you.  

But even if you take every precaution, there remains a risk that your company’s payroll or other business records will be hacked. Make a fraud contingency plan so you’ll know what to do if cybercriminals breach your defenses. The plan should specify what needs to be done in the immediate aftermath and who should do it. For example, an owner or CEO might be responsible for working with the IT manager to secure the network. A public relations manager might disseminate information about the incident to internal and external stakeholders. Legal counsel might be needed to meet with law enforcement.

Although it’s probably not the first action you need to take after an attack, be sure to report hacks to the FBI Crime Complaint Center at And if, following a phishing incident, you suspect payroll information might have been stolen and used to perpetrate tax identity theft, notify the IRS at

Big Prizes Entice

Businesses offer cybercriminals bigger prizes — large cash and data reserves — than most individuals. Therefore, hackers are likely to continue targeting companies with phishing scams. Fortunately, you’re not a sitting duck. Prioritize cybersecurity and train employees to fight potential invaders and you’ll reduce this very real risk.