How Phishing Attacks Work on Payroll Systems

Posted Jul 18, 2024

As a small business owner, it’s important to protect your payroll system from unauthorized access. Otherwise, cybercriminals can manipulate your payroll system to steal money from your organization. For more on phishing attacks and how to prevent them, read on. 

What Is a Phishing Attack? 

At its heart, a phishing attack is a technique where an attacker fraudulently tricks someone into giving up important information. Below are examples of phishing attacks. 

  • The attacker gets W2 forms so that they can file tax returns and receive refunds in the victim’s name. 
  • Cybercriminals may try to gain control of a worker’s email address to send fraudulent messages requesting a 1099 payment to the payroll provider. 
  • They may try to impersonate the CEO or another executive in order to request a wire transfer or direct deposit.
  • Attackers may send an email to the finance or payroll department that appears to be from an actual employee. In the email, they request an update to the direct deposit information so that they receive the employee’s paycheck. 

According to Verizon’s 2024 Data Breach Investigations Report, 68% of attacks involve a non-malicious human element. For instance, a worker may click on an attachment that has malicious software or a link that leads to a fake login page. 

Phishing attacks are one of the most common ways attackers gain access to your company’s data. In a recent Mission to Grow podcast on, “Top 5 Things Businesses Need to Know About Payroll Security,” Josh Gohman, VP of information security at Asure, discussed how phishing attacks work on payroll systems.

“People think attackers are on these blank screens typing and trying to break passwords or crack codes to get in. The most common attack avenue is really that they’re going to ask you for the key and you’re going to give it to them,” Gohman said. 

How Cybercriminals Use Phishing to Target Your Payroll System

The major way cybercriminals use phishing to target your payroll system is through your emails. For example, they may impersonate a CFE or CEO to request a 1099 payment. 

Because Microsoft 365 has very similar login pages, attackers often create fake versions of these pages. Then, they’ll send you a fake email saying that your password has to be updated. Once you use the link to update your password, the attacker is able to get your password and access your email to carry out their fraud.

Alternatively, the attacker may try to guess an email address by finding employees at your company on LinkedIn. Then, they may send out emails to different permutations of the employee’s name and email address. For instance, they may try out firstname_lastname@company.com or firstinitial.lastname@company.com. They may use a link to get your password. Additionally, they may try using easy passwords, like password123, to immediately access your account. 

Sometimes, hackers skip accessing email accounts altogether. Instead, they may create an email address that seems similar to the address used by an executive at your company. Then, they may try sending emails to someone in payroll or HR to get 1099 or payroll accounts updated. 

Reroute Paychecks 

All of these phishing attacks are the start of a larger scam. Typically, these scams focus on getting access to paychecks or 1099s. 

To access payroll funds, the attacker may try to email the payroll provider with an email address that looks like someone from your payroll department. They’ll normally wait until the last minute to request a change to deposit information because a sense of urgency can override the victim’s logic and common sense. 

When an attacker tries to access payroll funds, they will generally do it in one of two ways. First, they may try to get a new, fake employee account set up for payroll. The second method is to get existing employee information changed so that the paycheck is rerouted. This may be done by requesting changes via email or by gaining an employee’s account access to change their payroll data directly. 

Set Up False 1099s 

While payroll is a frequent target of cyberattacks, false 1099s are even more common. 1099s don’t require nearly as much information to be processed. With payroll, the hacker would need Social Security numbers, deposit accounts, names, addresses, and other information.

A 1099 doesn’t require a lot of information. Typically, the cybercriminal sends an urgent request for a 1099. They may say the contractor won’t start a pressing project until the 1099 is paid. 

This sense of urgency can often get employees to circumvent company procedures because they feel like they have to solve the problem right away. 


Ways to Prevent Phishing Scams 

Fortunately, there are a few easy things you can do to prevent a phishing scam from harming your organization. From implementing multi-factor authentication to ensuring third parties have strong security measures, the following techniques can help you protect your business from payroll and 1099 scams. 

Use Multi-Factor Authentication 

Multi-factor authentication is one of the easiest, most important things you can do to prevent payroll fraud and cyberattacks. With multi-factor authentication, employees have to go through multiple steps to access your system. Other than providing a password, they may need to use an authenticator app or get a code on their phone to sign in. 

This means any attacker would need to gain access to at least two different security measures to get into your company’s emails and important documents. Because of this, multi-factor authentication is significantly harder to exploit.

Train Workers 

Your employees aren’t just your frontline defense against cybercriminals. They are also your biggest vulnerability. Cybercriminals will search for employee names on your company website and LinkedIn. Then, they use this information to create phishing emails. 

To prevent cyberattacks, you must train your workers about important security measures. Additionally, teach them about the most common attacks and what to expect. 

Test Employees With Pretend Phishing Emails 

As a part of training your workers, you should also send out fake phishing emails. If employees fall for your fake phishing emails, it indicates that they need a little more training in cybersecurity. It also helps to keep workers alert for cyberattacks and provides realistic simulations of what to expect. 

Ask Your Payroll Provider About Exception Policies 

1099 and payroll scams always involve a sense of urgency. Because of this, it’s important to ask your payroll provider about situations where exceptions are made. For example, are there scenarios where they will process a payroll account for a last-minute check versus waiting several days to verify everything? If your CFO is sick, how do they get phone approval for urgent matters? 

Additionally, ask your payroll provider about their security measures. Your payroll security is only as good as the third-party companies you work with.

Set Up Checks and Balances 

If someone impersonates your CFO to email the payroll provider, you need to have checks and balances in place for confirming email requests. Additionally, you need to think about the checks and balances involved in processing payroll because timesheet fraud and worker misclassifications can occur because of internal fraud. 

Prevent Phishing Scams From Costing Your Business Money 

Even small phishing scams can cause thousands of dollars in losses. As a result, it is incredibly important to implement security measures that can prevent phishing scams from impacting your bottom line. Employee training and multi-factor authentication are just a few of the things you can do to protect your payroll system. 

If you’re interested in learning more about payroll security, we can help. Reach out to our team of small business HR and payroll experts today to learn more.

Unlock your growth potential

Talk with one of experts to explore how Asure can help you reduce administrative burdens and focus on growth.

Get Connected