Payroll fraud is real, and it happens more than you might think. Have you ever received a text or email asking you to click a link and you just knew that it wasn’t legit? It seems like every day I get hit with multiple requests from people claiming to have something for me — or that I need to update my info for delivery, or maybe even that one of my “coworkers” is asking me to update their direct deposit info. There is always someone out there trying to get something that doesn’t belong to them, which is even more true regarding your payroll systems.
Consider all the information available within a company’s payroll system: company bank account details, employee demographic information, social security numbers, employee bank details… All of the stuff the bad guys want can be found within payroll records. According to the Association of Certified Fraud Examiners, payroll fraud is one of the most common types of schemes that cost organizations billions of dollars each year and occurs in 16% of all businesses within the US. Payroll fraud happens when an unauthorized person uses a payroll system to embezzle funds from a company or an employee. Because of this, security should be a huge concern. Let’s take a look at some common types of fraud, so you know what to be on the lookout for.
3 Common Types of Payroll Fraud
A ghost employee is an employee record within your payroll system that isn’t a real person within your organization. Typically, this “ghost” is set up by a person within the company that has security permissions to add new employees. They do this to collect the ghost employee’s net pay via direct deposit for themselves. For example, if I am the payroll administrator for my company and I add my uncle as an employee but set him up using my bank account for direct deposit, I can now pay my uncle’s wages and receive those funds even though my uncle doesn’t actually work for the company.
“Hey Mike, I need to update my bank account. Can I send you my new account and routing number?” Unfortunately, this is an email I receive daily, and it is never from the person it claims to be. If I were to fall victim to this payroll fraud scam, it would involve me updating one of my employees’ direct deposit records to an account that is owned by the bad actor. Usually, I wouldn’t even know it was a fraudulent attempt until I got a call from the real employee on payday telling me they didn’t receive their check, at which point the bad guy has already removed the funds from the account, and there isn’t any way to get them back.
Timekeeping or Dollars Manipulation
This is another attempt to steal money that typically comes from within your organization. Whether it is lying about overtime hours, punching for my friend who isn’t yet at work, or padding my commission, there are countless ways to manipulate the hours worked (or not worked?) or dollars to be paid in a way that causes a paycheck to be more than what it should be. These are the most typical ways we see people try to commit payroll fraud.
Ways to Combat Payroll Fraud
Understand the Security Rights and Roles within your Users’ Access
Many systems are designed in a way that understands and safeguards against payroll fraud, but it is often up to the users to implement these systems appropriately for their organizations. One of the best ways to do this is to thoroughly understand what each role has access to and what type of access has been granted. For example, I want my employees to be able to record punches on their timecards, but I don’t want them to be able to edit their timecards or add dollars to their timecards. I want my accounting team to have access to pull payroll reports, but they may not need access to edit employee bank details. Payroll systems can be complex, and having a thorough understanding of what every user has access to can prevent unauthorized changes and reduce the ability for information to be shared inappropriately.
Validate Sensitive Employee Data Changes
There are so many phishing scams that target payroll that we’ve made an internal rule that we will not make employee changes based on email requests. Yes, this does cause an inconvenience at times, but the security of our teams’ information is too important to take the risk. When those email requests come through, it isn’t difficult to pick up the phone and call to confirm that it is valid. This one step has the potential to save thousands of dollars of lost wages sent to the bad guys.
Implement Great Accounting Practices
One of the first things you will learn in an accounting course is the proper segmentation of duties. For example, the person creating and approving the bills shouldn’t also be the person reconciling the bank account. In payroll, it is important to include a couple of roles within your organization in key parts so that no one person has complete control of the entire lifespan of those transactions. Depending on the size and complexity of an organization, it may be appropriate to have a manager review timecards, a payroll administrator prepare payroll, and a separate person approve payroll. This type of separation allows for checks and balances, reducing the opportunity for fraud while increasing the chance of catching unintentional errors. For smaller companies, reviewing a schedule or footing the hours and dollars paid after payroll is processed can also accomplish some of these safeguards.
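The controls above, together with the ghost employee and direct deposit scenarios described earlier, can be turned into routine audit checks over payroll exports. The script below is an added example, not Whirks software; the record layouts, field names, user names and sample data are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records. Field names are assumptions for illustration,
# not the export format of any particular payroll product.
EMPLOYEES = [
    {"id": "E001", "name": "Payroll Admin", "routing": "000000001", "account": "1111-2222"},
    {"id": "E002", "name": "Warehouse Lead", "routing": "000000002", "account": "33334444"},
    {"id": "E003", "name": "Admin's Uncle", "routing": "000000001", "account": "11112222"},
]
DEPOSIT_CHANGES = [
    {"id": "C1", "employee": "E002", "channel": "email", "callback_verified": False},
    {"id": "C2", "employee": "E001", "channel": "portal", "callback_verified": False},
    {"id": "C3", "employee": "E003", "channel": "email", "callback_verified": True},
]
PAYROLL_RUNS = [
    {"id": "R1", "prepared_by": "prep_user", "approved_by": "approver_user"},
    {"id": "R2", "prepared_by": "prep_user", "approved_by": "Prep_User"},
]

def _digits(value):
    """Strip spaces and dashes so '1111-2222' and '11112222' compare equal."""
    return re.sub(r"\D", "", value)

def shared_deposit_accounts(employees):
    """Ghost-employee indicator: one bank account paying several employee records."""
    by_account = defaultdict(list)
    for emp in employees:
        key = (_digits(emp["routing"]), _digits(emp["account"]))
        by_account[key].append(emp["id"])
    return {acct: sorted(ids) for acct, ids in by_account.items() if len(ids) > 1}

def unverified_email_changes(changes):
    """Direct deposit changes requested by email with no phone confirmation on record."""
    return [c["id"] for c in changes
            if c["channel"] == "email" and not c["callback_verified"]]

def self_approved_runs(runs):
    """Separation-of-duties gap: the same user prepared and approved a payroll run."""
    return [r["id"] for r in runs
            if r["prepared_by"].lower() == r["approved_by"].lower()]

if __name__ == "__main__":
    print("Shared deposit accounts:", shared_deposit_accounts(EMPLOYEES))
    print("Unverified email changes:", unverified_email_changes(DEPOSIT_CHANGES))
    print("Self-approved runs:", self_approved_runs(PAYROLL_RUNS))
```

A shared account is a prompt for review rather than proof of fraud, since family members employed by the same company can legitimately deposit into one account.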
At Whirks, we take the security of our customers very seriously and guide them to do the same. With our personable trainings and state-of-the-art software, we strive to give you the peace of mind that your info will be safe with us every time. Want to see what that technology looks like?
Click here to access a demo of our software.