No matter the size or industry, most U.S. businesses find themselves vulnerable to cyberattacks — both from inside and outside the company. Among other data, cyber criminals target employee payroll records. Just imagine the consequences if your company’s employee records become compromised. Cyber criminals could use a worker’s personal information to perpetrate identity theft, hack and empty your company’s accounts, and create a public relations disaster.

According to cyber defense company PhishMe’s Enterprise Phishing Susceptibility Report, more than 90% of cyberattacks launch through phishing activities. Knowing this, you may find it relatively easy to protect your organization’s data. Begin your defense by learning about phishing schemes and educating your employees on how to fend off perpetrators.

Business Email Compromise

Hackers can infiltrate your IT network in various ways — even by a “mole” in your office. But one of the most common methods used to access payroll records is what’s called the business email compromise (BEC) scheme. With a BEC attack, a hacker sets up an email account in the name of one of your employees or managers. Then the hacker uses the account to contact another employee to ask for payroll records or to instruct the worker to click a link that downloads malware. The email looks legitimate, so the recipient feels comfortable responding.

To thwart BEC schemes, take the following precautions:

• Maintain and regularly update your cybersecurity software. Most packages provide at least some phishing protection.
• Require all employees to confirm email requests for confidential data or documents in person. They should never respond to such an email until they have phoned or spoken in person to the supposed sender to confirm its legitimacy.
• Prohibit employees from downloading attachments or clicking on links contained in an email they can’t verify.
• Require employees to obtain a manager’s approval before opening certain files.
• Make it harder for phishers to access confidential data by using multi-factor authentication. For example, to open payroll files, require workers to use a strong password, plus verify their identities via email or text.

Variations on the basic BEC scheme exist. For example, with the “imposter” method, the hacker may pose as the company’s CEO or as a trusted advisor, such as lead outside counsel. The cybercriminal might use the right terminology and even official-looking forms to request information. Intimidated by the sender’s identity, a rank-and-file employee could decide to accommodate the request without first verifying it.
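The BEC and “imposter” patterns described above share a few header-level warning signs that a payroll or IT team can screen for before anyone acts on a request: a display name that belongs to a known employee or executive paired with an address the company does not control, a sender domain that imitates the company’s domain, and a Reply-To that routes answers somewhere other than the apparent sender. The following Python script is an added example written for this article, not code from the newsletter or its publisher. The company domain, the employee directory and the three sample messages are all constructed for illustration.

```python
"""Added example (not from the original newsletter): screen raw email
headers for the business email compromise (BEC) warning signs the
article describes. All names, domains and messages below are constructed."""

from email import message_from_string
from email.utils import parseaddr
from difflib import SequenceMatcher

COMPANY_DOMAIN = "example-payroll.com"  # assumed company domain (constructed)

# Constructed directory: display name -> the only address that name should use.
EMPLOYEES = {
    "Dana Reyes": "dana.reyes@example-payroll.com",   # CEO
    "Sam Okafor": "sam.okafor@example-payroll.com",   # payroll manager
}

# Wording that should trigger the article's "verify by phone" rule, not a verdict.
PAYROLL_KEYWORDS = ("w-2", "payroll", "direct deposit", "urgent")


def looks_like_domain(domain: str, genuine: str, threshold: float = 0.8) -> bool:
    """True when `domain` closely resembles `genuine` without being identical,
    e.g. a single substituted character such as 'payrol1' for 'payroll'."""
    if domain == genuine:
        return False
    return SequenceMatcher(None, domain, genuine).ratio() >= threshold


def screen_message(raw: str) -> list:
    """Return a sorted list of warning tags found in one raw RFC 5322 message.
    An empty list means none of the screened signs were present."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    tags = set()

    # 1. Known employee's name on the envelope, but not that employee's address.
    expected = EMPLOYEES.get(display.strip())
    if expected and addr != expected:
        tags.add("display-name-impersonation")

    # 2. Sender domain imitates the company domain (typosquat / lookalike).
    if looks_like_domain(domain, COMPANY_DOMAIN):
        tags.add("lookalike-domain")

    # 3. Replies would go to a different mailbox than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        tags.add("reply-to-mismatch")

    # 4. Payroll-data request wording: a prompt for out-of-band verification.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + str(body)).lower()
    if any(k in text for k in PAYROLL_KEYWORDS):
        tags.add("payroll-request-wording")

    return sorted(tags)


# Constructed sample messages (not real mail).
SAMPLE_LEGIT = "\n".join([
    "From: Sam Okafor <sam.okafor@example-payroll.com>",
    "Subject: Team lunch Friday",
    "",
    "See you there.",
])

SAMPLE_IMPOSTER = "\n".join([          # CEO's name on a free-mail address
    "From: Dana Reyes <dana.reyes@freemail.test>",
    "Subject: Urgent: W-2 copies needed today",
    "",
    "Please send me the W-2s for all staff as PDF. I am in a meeting, email only.",
])

SAMPLE_LOOKALIKE = "\n".join([         # 'payroll' -> 'payrol1', replies diverted
    "From: Dana Reyes <dana.reyes@example-payrol1.com>",
    "Reply-To: dana.reyes@freemail.test",
    "Subject: Direct deposit change",
    "",
    "Update my direct deposit to the account in the attached form.",
])


def screen_all() -> dict:
    """Screen every constructed sample; useful for a stand-alone run."""
    return {
        "legit": screen_message(SAMPLE_LEGIT),
        "imposter": screen_message(SAMPLE_IMPOSTER),
        "lookalike": screen_message(SAMPLE_LOOKALIKE),
    }


if __name__ == "__main__":
    for name, tags in screen_all().items():
        print(f"{name:10s} -> {tags or 'no warning signs'}")
```

The tags are deliberately a screening aid rather than a verdict: the article’s rule of confirming any request for confidential data by phone or in person still applies to every message, and a message with no tags is not proof of legitimacy. The similarity threshold of 0.8 is an assumption chosen for this example; tune it against your own domain and the lookalikes you actually see.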

Weapon or Weakest Link

When it comes to phishing, employees can either function as your company’s most formidable weapons or weakest links. Train new payroll employees about email fraud risks and regularly update and remind longer-tenured workers about phishing threats as they emerge. Make sure they understand that it is better to be cautious and take the time needed to verify an email than to act recklessly simply to get work done quickly.

Formalizing cybersecurity procedures can help guide employees. So create a formal plan for handling confidential information and require every employee to acknowledge it. If employees fail to follow procedures, make sure to discipline them — even if no data loss occurs. Following through on such matters communicates how seriously you take cybersecurity risks, particularly when it comes to information housed in your accounting department.

Plan for the Best, Prepare for the Worst

Although not specific to protecting payroll data, several best practices can help fortify your company’s entire IT system. For example:

• Store backup servers offsite,
• Block or limit access to nonbusiness websites such as social media platforms,
• Facilitate strong password protection through software programs and mandate regular password changes,
• Perform periodic browser history audits on internal communications, and
• Encourage business associates outside your organization to contact you if they receive suspicious emails purportedly coming from you.

But even if you take every precaution, there remains a risk that your company’s payroll or other business records will be hacked. Make a fraud contingency plan so you’ll know what to do if cybercriminals breach your defenses. The plan should specify what needs to be done in the immediate aftermath and who should do it.

For example, an owner or CEO might be responsible for working with the IT manager to secure the network. A public relations manager might disseminate information about the incident to internal and external stakeholders. Legal counsel might be needed to meet with law enforcement.

Also, make sure to report hacks to the FBI’s Internet Crime Complaint Center (IC3). If you suspect payroll information might have been stolen and used to perpetrate tax identity theft, notify the IRS.

Next Steps

Businesses offer cybercriminals bigger prizes — large cash and data reserves — than most individuals. Therefore, hackers are likely to continue targeting companies with phishing scams. You should prioritize cybersecurity and train employees to fight potential invaders to reduce this very real risk.

Use our free Mindshop diagnostic tool to assess your organization’s current cybersecurity and learn where you can improve.


© Copyright 2021 Thomson Reuters. 

Disclaimer of Liability
Our firm provides the information in this e-newsletter for general guidance only, and does not constitute the provision of legal advice, tax advice, accounting services, investment advice or professional consulting of any kind. The information provided herein should not be used as a substitute for consultation with professional tax, accounting, legal or other competent advisors. Before making any decision or taking any action, you should consult a professional advisor who has been provided with all pertinent facts relevant to your particular situation. Tax articles in this e-newsletter are not intended to be used, and cannot be used by any taxpayer, for the purpose of avoiding accuracy-related penalties that may be imposed on the taxpayer. The information is provided “as is,” with no assurance or guarantee of completeness, accuracy or timeliness of the information, and without warranty of any kind, express or implied, including but not limited to warranties of performance, merchantability and fitness for a particular purpose.