Payroll Fraud & What Every Small Business Needs to Know


Join us for a webinar where we will delve into the critical issue of payroll fraud and equip small business HR professionals with essential knowledge. In today’s landscape, HR departments face increasing risks and scrutiny surrounding the protection of sensitive information. During this session, we will explore why payroll fraud matters and shed light on the concept of payroll diversion. Additionally, we will discuss the human and technological vulnerabilities that businesses must address promptly. Don’t miss this opportunity to stay informed and learn valuable strategies for mitigating payroll fraud risks.

Transcript


VANNOY:

Hello everyone. Welcome, and thank you for joining today’s webinar. Apologies, we’re about five minutes late starting here. We gave it a start and I got a message from a colleague that there was an audio issue when people joined, so we’ve restarted here. So, a really important discussion today on payroll fraud, and specifically what it is that small and midsize companies need to know. If you think about who is most vulnerable to payroll fraud: there have been more big national news stories in the last 18 months than there were in the prior five, maybe even 10, years. There have been banks that have gone out of business. There have been ACH transaction processing companies that have gone out of business. There have been payroll vendors that have gone out of business.

And certainly there have been many, many small and mid-sized companies that have just suffered terribly at the hands of these criminals. And so, if you think about the big companies, they’ve got the technology, they’ve got the resources, they’ve got the money to put up the safeguards, and they kind of know what the rest of the world may be doing around security. But those who are most vulnerable are the small business owners, right? We’re worried about growing our businesses, growing our companies, finding talent, developing that talent, getting everybody behind our vision, rolling up our sleeves, and getting after the main goal. And we think about payroll. We think about paying people on time and accurately, and getting the taxes done right. But we don’t think about how a single transaction could literally put me out of business tomorrow.

So, a hugely important topic to dive into. I’m really thrilled about today’s guest who’s joining me: Josh Gohman. His title is Director of Information Security at Asure, but he is really so much more. Josh is absolutely a cybersecurity expert. He’s got his master’s degree in cybersecurity. He is CISSP certified; that’s Certified Information Systems Security Professional. He has a board seat with the Academy of IT at his local high school, and he volunteers with the local Boy Scouts. So, not only is he super smart and a cybersecurity expert, but he’s a pretty darn good human being. So, welcome today, Josh.

GOHMAN:

Yeah, thank you, Mike. Glad to be here.

VANNOY:

All right. So there are three areas that I want to explore in today’s conversation. There are lots of different types of payroll fraud, lots of different ways the criminals, the bad guys, scam money. And like I said, there have been banks gone out of business, transaction processors gone out of business, payroll companies gone out of business as a result. But the most common type of fraud that exists really leaves small business owners vulnerable. And so rather than trying to hit every single one, we could spend days on this topic, I first want to hit the most common one, which is payroll diversion. So I want to talk about that. But then, at least in the context of small and mid-sized companies, what are the technology vulnerabilities that small and mid-sized companies have? But I think maybe more importantly, and probably the most undervalued, is the human vulnerabilities, right? Which I think we’re going to talk a whole heck of a lot about here in our first example. So with that, let’s go ahead and dive into these three topics. And before talking about all the nuance, you know, we live this every day, Josh, so we know what payroll diversion is. Let’s just start out with a definition. Why don’t you educate everybody on what payroll diversion is?

GOHMAN:

Yeah, absolutely, Mike. So, payroll diversion is really just that. Fraudsters have figured out that it’s very easy to monetize fraud, right? So they could try to sell records that they’ve broken in and stolen from a big company. But it’s really easier to just manipulate the payroll system to divert the funds from their destination, which would be an employee account, to their account. So they change the ACH bank account and routing numbers before the payroll is processed. And then on payday, their account gets paid instead of all of the employees.

VANNOY:

So it just sounds so ridiculously simple. I think when we think fraud, we think, oh, somebody came in through the dark web and they’ve hacked our system. They’ve stolen Social Security numbers. They’ve raided our bank account. It really is nothing that complex, is it?

GOHMAN:

No. No, really, it’s not. We always do like to think of, you know, the movies, where we see the hackers and they’re manipulating systems, and it’s very technical. But really, as you kind of alluded to in your introduction, it’s the human aspect. Fraudsters have realized that they can manipulate the humans that are involved in the processes to gain access. So what does that look like? It might be, and oftentimes is, and we’ve seen this very much over the last 18 months or so, or even more, really, that phishing is used to gain the credentials from a payroll administrator, or even an employee at the payroll service bureau, in order to get access to the payroll system. And then once the fraudster has access... and I should mention that, because of technology today, we want it to be everywhere.

So we want it to be available on the web, on our mobile device. It’s no longer the server sitting in the closet and my terminal here on my desk that connects to it, because we want that access all the time, and we really need it because, again, we’re trying to grow the business and you’re really trying to focus on something else. The fraudsters then are able to get in from anywhere, log in, watch the payroll, figure out when the payroll runs are, and then, using the same access that you have, change the bank account information right before payroll.

VANNOY:

All right, so this is kind of scary, right? So I think most everybody knows, but let’s make sure we’re on the same page on phishing. We’re not talking F-I-S-H-I-N-G; we’re talking P-H phishing. So let’s just break it down into the steps. Because this is a vendor-agnostic issue, right? Nobody does things purely paper and pencil anymore. At minimum you’re using maybe QuickBooks or some small accounting system, or it’s your accountant, or you use a vendor like Asure or some other software. But let’s start upstream with the most common way this begins, through phishing. Maybe give us some examples of what a phishing scam looks like specific to banking and payroll.

GOHMAN:

Yeah, absolutely. Phishing, you know, sometimes people refer to it as spam, but phishing is really a very specific type of that. It’s an email that’s targeted at a user, or a group of users, in order to trick them into doing something. So it may be an email that looks like it’s from your bank, or from a payroll provider, or your CPA, or any other trusted third party, that says there’s something wrong with your account, or we need to verify your information. Or, you know, God forbid, click here, you won $10,000. The idea is that the email is written in a way to make you believe that it’s from a legitimate source and then trick you into doing something. And then,

VANNOY:

Hey, Josh, let’s get specific on that. Because we’re not talking early days, congratulations, you just won a million dollars from a Nairobi prince. Right? I mean, these are sophisticated <laugh> scams. This looks very real. So talk through how real these things can look.

GOHMAN:

Yeah. When you click that link in that email and it takes you to that landing page, it’s going to look exactly like your standard Chase login page, or Bank of America, or really any of them. Office 365: a lot of customers, a lot of people, use Microsoft products. They’re going to build a page that looks exactly like the legitimate login page, with the intent of bringing you to that page and having you put in your username and password.

VANNOY:

And so, you know, everybody knows what a Netflix login looks like. We’re probably more vulnerable here because we assume the bad guy is, you know, somewhere else on the globe, cloaked through a bunch of IP addresses that reroute to each other, right? So we don’t even physically know where these people are. But, you know, even going further upstream, these guys become legitimate customers of these payroll providers to even learn what the systems look like in the first place, right?

GOHMAN:

Yeah, absolutely. They’re definitely looking at all open source information. So they’re looking at information on payroll providers from open source Google searches, LinkedIn, all the different kinds of publicly available information gathering. So they’re learning what those sites are. And then they’re diving in to see, okay, what does an Asure page look like? What does an ADP page look like? What does a Paychex page look like? What does a Chase Bank page look like? They’re looking at all these different things. And I should mention that oftentimes, because users reuse passwords across accounts, the particular phish doesn’t even specifically have to be your payroll provider. It could be your bank account, because you may share the password across those two accounts, and that’s just as good as if they spoofed the payroll page.

VANNOY:

Right? Right. So,

GOHMAN:

Vulnerability number one: don’t use the same password across more than one site.

VANNOY:

So we know they’re sophisticated. What would be some really specific examples of what this email would look like? And then why should we be concerned? What are the things that should be tipping people off about that email?

GOHMAN:

Yeah, absolutely. So the first thing is, and I go back to my previous point about them trying to manipulate weaknesses in the human, right? We all want to provide the best customer service. We want to provide that responsive service to our customer. Or the email may be written in a way to cause alarm, to say you need to save your account today from being closed. So they’re always trying to elicit a sense of urgency, whether it’s an issue with a customer or it’s “your account has been compromised, please verify your password.” They want to elicit that sense of urgency to prevent you from taking time to look at it and saying, this might not be right. So other things that you often find in phishing emails is poor grammar.

Which may be something as simple as a misplaced period or comma, or words that are pushed together, or other basic grammar mistakes. Another way to detect this is to look at the URL before you go to it. So if there’s a “click here” link, you can hover over that and your computer will show you what the link is. If Chase is asking you to go to Chase’s website, and when you hover over that link it’s not a Chase link, that should be a red flag, right? You’re going to the wrong page. So looking at that URL, comparing where you think you’re going to where they’re actually sending you, is another one. But the sense of urgency is the one that I see across all phishing attempts.

VANNOY:

Yeah. So anything where the bank is the one reaching out to you, the payroll provider is reaching out to you, those are the ones to instantly be suspicious of. So, you know, we see these attacks in our business, maybe not every day, but certainly every week. And I’d say there’s a lot of sloppiness out there, right? The grammar and font aren’t quite right, and the hair stands up on the back of your neck a little bit, and it’s like, hmm, this just seems wrong. But they’re getting better and better every day. So if you get an email that is unsolicited, “Hey, we need to verify such and such,” and it looks perfect, font, color, everything, and you hover your mouse over, I mean, it could be a URL that even includes,

GOHMAN:

Yes, the word

VANNOY:

That looks familiar but is off by a few characters, which is how they get a domain name to do it. Yeah. If you get this unsolicited email, what should you do? Because you don’t have to click on it, right, just to find out if it’s real or not.

GOHMAN:

Yeah. The best thing to do is to go what we call in the security world “out of band.” So instead of replying to the email or clicking the link, it’s picking up the phone and calling your contact. So if it’s an email that’s spoofing your payroll provider or your bank, call your rep and say, I got this email, I’m looking at it and I think it’s suspicious, can you please advise? And they will help you through that. Because sometimes organizations do send emails that are asking you to do something, so it could be suspicious, but again, stepping out of the email process and reaching out to somebody and saying, Hey, I think this looks wrong, can you help me?

VANNOY:

Yeah. It doesn’t even have to be a phone call, right? I mean, internally, sure, we’d love a phone call, because human beings are part of the layer. But if it’s an app, if it’s a website, go there. But just don’t click on the email to get there. Take your own route to it.

GOHMAN:

Yeah. Absolutely. Definitely.

VANNOY:

Okay. So on the front end, they figure out what the banks’ and payroll providers’ login pages look like. You get some unsolicited email, something that is urgent: Hey, there’s a problem with your account, we need you to verify something, we think there’s been suspected fraud, please verify something. To create a sense of urgency, to get you to act, to hopefully not think and act in fear, not really rationally, right? Getting the old amygdala. But then let’s say they do get you to click and you’re on the page. The user experience looks just like you’re on, say, your bank’s or your payroll provider’s site. Take us through it specifically. It’s essentially nothing more than direct deposit transactions, is the most common, right?

GOHMAN:

Yeah. So once they’ve gained access to the system and they’re in, what they’re doing is they’ve set up these pay card accounts. Usually you can set them up very easily, usually with limited identification. And they have a routing and bank account number attached to them. They’re not just a debit card or a credit card. And they use those accounts. They change employee direct deposit. Oftentimes, if they get access to the payroll system, we’ve seen that they will literally change every employee to two or three accounts all at the same time. And then the entire payroll run gets diverted to these accounts. And it’s worth noting that they’re exploiting a technical vulnerability. Not to jump ahead, but this is really relevant here, in the way that the ACH process works, just because there’s a three-to-five-day delay between when funds are paid out and when funds are received. And so there’s the ability for them to receive the funds and then empty those accounts before anybody can call the transactions back.

VANNOY:

Josh, go deeper on that. Because these guys are absolute experts in the banking system. They understand the movement of money and how ACH transactions work. I think most people understand, hey, you send an electronic transaction, it commonly takes a day or two. But walk through the details so everybody understands what really happens there and why this vulnerability exists. This isn’t a Paychex issue or an Asure issue, an ADP issue or a QuickBooks issue. This is a banking system issue.

GOHMAN:

Yeah. It is. Absolutely. And it’s a vulnerability that, like you’re saying, is across the entire payroll business. It’s not a specific system; it is just the way ACH works. The payroll provider has to debit the funds from the employer’s account, the account that’s funding payroll, and then they’re paying the employee accounts at the same time. But there’s that delay, so there’s a gap before the fraud gets identified, and then there’s no way to really recall those funds. Because by the time it’s noticed, by the time the employees are starting to call in to the business saying, Hey, we didn’t get paid today, the funds basically have already been emptied from their account. Because this really isn’t just one fraudster. These are usually crime rings. There are people that are responsible for picking up those payroll cards and collecting them. Then there are people that are responsible for emptying the payroll cards. And then there are people that are responsible for setting up the fraud, getting into the account, sending out the phishing emails, these sorts of things. And so it really is kind of the new organized crime; it has just moved online.

VANNOY:

Yeah. So let’s talk a little bit, Josh, about how it’s so easy for this stuff to fall under the radar. Because as an entrepreneur, I pretty much know how much money I’ve got in my bank account. If I don’t, I know it within seven seconds with my thumbprint on my phone. And so I may not be surprised, because I’m not looking at the individual transactions to my employees, but I’m like, oh, I thought payroll was going to be X this week. Make sure X came out. Yep, looks like that looks right. Because they’re stealing bank account information on a per-employee basis, this flies under the radar a lot of times.

GOHMAN:

Yeah, certainly. Because they’re not stealing money directly from the business. Like you’re saying, they’re not logging in and taking money directly out of the business’s account, but they’re manipulating the payroll system so that, through the normal course of money transfer that is the payroll process, we’re transferring money from accounts, and they are just changing the destination. Right before the payroll is run, they change the accounts, the payroll is run and processed, everything looks legitimate from the payroll processor side, and then those funds end up in the wrong account. And then you find out once the employees start calling in and saying that they haven’t been paid.

VANNOY:

Yeah. Right? And so now you have an employee that, by law, you still have to pay. Beyond the law, it’s the right moral thing; you’ve got to pay them. But your money’s already gone. So now you’ve got an employee who doesn’t trust you, you’re out of pocket, and you’ve got some bad guy somewhere around the world that has access to your system, and you don’t know who it is, or even necessarily how. So what do you do once you learn there’s a problem?

GOHMAN:

Yeah. So obviously you have to start the investigation process. And that’s starting the conversation with your payroll provider to say, when were the transactions, when was it changed? Obviously, as a business owner, you know that you didn’t change the accounts, because your employees aren’t getting paid. So you have to start the conversation of saying, okay, how can we investigate? How can we find out where the changes were made? And so looking at the timestamps within the system and saying, okay, these accounts were all updated on, you know, Thursday, before a Friday payroll, all at the same time or within a few minutes of each other. So clearly that would identify fraud. The question then becomes, because you brought up, well, my money is gone,

how do you determine who was responsible? So this fraud, payroll diversion, can happen on both sides of the coin. It could happen through the small business’s account, right? You have access to your payroll system to update employees and modify payroll, et cetera. So it could happen by compromising that account. It could also happen on the payroll provider’s side. So this is a vulnerability that’s kind of across the board. And so they have to determine where that fraud happened. And then generally that business would be the one that would be responsible for covering that loss.

VANNOY:

All right, so I’m a big company. I’ve got a payroll manager who probably reports to a CFO or a controller. They’re trained in all this stuff. I’ve got great security. What kind of guidance would we give to the average small business, where the person running payroll probably wears many hats? It could be the owner, right?

GOHMAN:

Oh, no, you’re absolutely right.

VANNOY:

Or maybe it’s an office manager, right? Maybe in a bigger organization it could be a director of finance, could be the controller. But payroll is just one of their jobs. So I’m thinking, I just know how many hats, say, an office manager might wear, and I think that has some extra vulnerabilities. What guidance would we give before we start talking technology?

GOHMAN:

Yeah. So definitely, again, not to jump ahead too much to the section on human vulnerabilities, but training. As a small business, even as a medium-sized business, pound for pound, dollar for dollar, the best return on investment in security that you can make is training your people. Security awareness training can be had for a few dollars a year per employee and can pay huge dividends in the employees’ awareness of things like not reusing passwords, creating strong passwords, and identifying phishing. These platforms often include phishing simulation, where with a few clicks you can send some employees simulated phishing emails and test their awareness during the course of their job. A very simple, very easy, cost-effective strategy that can scale from a small business with five employees to a mid-market business with 500 employees. The same solution would cover both.

VANNOY:

Yeah. Awesome. I appreciate that. So we’ll go a little bit deeper into the two different paths now, technology and human. You know, we spent 25 minutes talking on this topic. On one hand, it’s a 30-second topic. Oh, you get a phishing scam email, don’t click on it, right? It’s that obvious, because people log into your payroll system and they can change the account numbers and routing numbers and direct deposits go to them. It’s super simple. But all the ways in which, and the sophisticated ways in which, it happens is why this is the number one type of fraud that exists. And if you’re a small business fighting for your life through a pandemic here, this is the kind of thing that could put you out of business. So I would say just take it with the dead seriousness that we intend, and that’s why we’re making a whole webinar on it. So let’s take it to a different angle here and just talk technology, Josh. Even if you’ve got perfectly trained human beings that know not to click on stupid stuff, there are still technology vulnerabilities that exist. What are some of those?

GOHMAN:

Yeah, so I think, at the core level, what’s a vulnerability, right? It’s just a flaw in a piece of software that allows someone to manipulate it to gain inappropriate access to a system. And so those vulnerabilities can really occur in any piece of software. And that could be your phone. iOS or Android, they have vulnerabilities. Absolutely. I know especially with Android, quarterly, you’re getting security updates, right? That’s to patch security holes. Same thing with Windows. We’re all very familiar, probably, with the Windows update process. The vast majority of those Windows updates are security related. They’ve determined that there’s a hole in that software, and this is the patch for it. And so

VANNOY:

Maybe more specifically, some other bad person found the vulnerability and they learned about it the hard way, so that, oh,

GOHMAN:

Yes, absolutely. That’s the worst kind, the ones that are found by attackers before they’re identified by the vendor. Right. Because really, you can install antivirus software on your computers or on your phone or other technology, but if the vulnerability isn’t there that the virus was intended to exploit, it doesn’t work regardless of whether you have antivirus or not. I’m not saying don’t have antivirus, but what I’m trying to get at is updates, ensuring that your systems are updated. And that may be difficult if you’re a five-person small business and, as you said, Mike, everybody’s wearing multiple hats. Are you trying to do this yourself? Do you have an IT partner that maybe manages that stuff? And certainly as you get bigger, to a mid-market 500 employees, the technology grows exponentially. Servers, printers, computers, phones, it all grows exponentially with the employees. So it just becomes more difficult to manage.

VANNOY:

So go ahead, recap that one. Just the obvious stuff, like apply the Windows update. <laugh> Subscribe to auto updates from your software provider, from the operating system of your computer, to your network. Right?

GOHMAN:

Absolutely. And it’s not just the operating system, too. With Windows and with Macs, it’s the third-party software that you have installed where it becomes a little more difficult, because maybe the auto update doesn’t catch it all. But certainly when there’s an auto update functionality, do it. And when it pops up and says, Hey, you need to restart your computer, or, Hey, you need to apply this update, take that with seriousness, because it’s trying to fix an issue with that software.

VANNOY:

Yeah. And it’s because they found a weakness. They don’t admit it, but if you live in the technology world, you know that there are bugs that come along with new releases. But when we’re talking about platforms that have existed live in the wild, in the marketplace, for many, many years, if there’s a security update, it’s probably because somebody else found a hole that they didn’t know existed. So take that seriously. All right. What about if people do get access? I’m thinking, like, database vulnerabilities versus, say, hardware or network vulnerabilities.

GOHMAN:

Yeah. So at the small business level, and really at the business level in general, as far as preventing unauthorized access, this is really where an ounce of prevention is worth a pound of cure. Preventing someone from getting in is really the key. And so that’s securing your accounts: not reusing passwords over and over again, creating more secure passwords. And I’ll tell you, as a security person, we’re complicit in this as much as anybody, right? We’ve taught people to create bad passwords over the last 10 or 15 years, and now we’re paying the piper, so to speak. By making people change passwords routinely, one of the things we’ve found is that people will just create a different permutation of that password.

They’ll change one character. And humans are very predictable. We like to work in patterns. So typically, passwords created by a human have capital letters up front, lowercase in the middle, and numbers and symbols at the end. So it’s very easy to look at a word and say, what could a password based on that word be? And so it’s easier to guess. So how do you not do that? Well, use technology. There are password managers that will generate long, complex passwords for you and then not require you to remember them, because they will autofill, whether on your phone or on the web or on your computer. So really take the guesswork out, let technology do what it does really well, and create random passwords versus trying to do it yourself.

VANNOY:

I’m thinking I should have had a poll as part of this webinar. How many people got a little cringy when Josh just said capital letter in the beginning, <crosstalk> numbers at the end? I know I did a little bit.

GOHMAN:

<Laugh> I know, right? It’s just the way that our language works, especially in the Western world. We write from left to right, and capital letters start the sentence, and then lowercase, and then, oh, let me just throw some numbers and special characters on the end because the system tells me I have to have it.

VANNOY:

They turn out to not be so special. They’re the end of your phone number or your street address or something, right?

GOHMAN:

Yeah, yeah, yeah. Absolutely. And, and you know, the, the newest guidance coming out from the security world now is to forget all of that and create kind of word-based passwords, really more of a passphrase than a password. So think something like “Mary had a little lamb,” but not usually something with just, maybe four random words put together that don’t form a sentence. If you have to have a situation where you have to create the password yourself, that’s an easier way to do it. Right? Just four words that you think of and then put them together and it just, it won’t, it’s very difficult for an attacker to guess that.

VANNOY:

Yeah, yeah, yeah. That, that, that’s good advice. So you know, again, we, we think about the James Bond kind of movie scenes. This is not, I mean, well, while maybe in theory, you know, it’s such a huge percentage of people who do payroll, you know, it’s, you know, maybe it’s local, you have a local install of QuickBooks, but I mean, are people really gonna be hacking the inner workings of QuickBooks when, if they have access to your computer and the login, they’re just gonna, they’re just gonna do a diversion tactic, right? Why, why, why? There’s no need to get into the quote unquote database or the software under the covers. If you have a legitimate user, right? Get access to the machine, put a screen capture on, and capture your keystrokes and figure out your login, and then just have, have at it. So can, can you maybe speak to that, that, that I think it’s a little bit of a misnomer that the technology side of this really isn’t the threat that maybe everybody thinks it is.

GOHMAN:

Yeah, that’s really it, right? So it’s, it’s, while there’s a technology aspect of it, it’s really, the attackers have figured out where the seams in, you know, operations or processes are, and they look to exploit that you know, maybe where you are again, leveraging a vendor or partner to, to offer a service. So there’s a gap there where you think they’re doing it, they think you’re doing it, and then the, the, the attacker can exploit that, whether that’s malware or phishing or, or whatever. But it’s really kind of the, the people in the processes side or, or the human aspect that really kind of makes the vulnerability more exploitable or really makes it exploitable at all.

VANNOY:

Yeah. So, so do you think, is it safe to say then from the tech, you know, certainly there are maybe small, lesser known, maybe regional, local payroll providers that, you know, you, you really should be maybe concerned about. But for the most part, you know, you take a national company, an ADP, a Paychex and Asure, I mean, you’re not hacking our stuff cuz it’s on AWS and you’re not gonna hack AWS, it’s world class, right? You’re not gonna get behind the, behind the systems, not gonna get in the database. You’re never gonna get in the firewall. Cuz and, and, and same thing for all the big nationals, right? This really is more, more of a human issue that involves some technology stuff, right? Yeah.

GOHMAN:

I mean, in the end, attackers are lazy, right? They, they want to employ automation, they want to use scripting to, you know, blast out automated phishing emails or to, to, to send malware out, you know, through other compromised systems that they’re just, it’s not like, again, it goes back to it’s not the movies where some person is just, you know, manually typing thousands of lines of code to try to break in. They’re looking for the path of least resistance. Yeah. What is the easiest way into the system? Like you said, they’re not going into AWS and breaking through 15 different layers of security to try to get into where the database is, to extract data from that and then have to figure out how to monetize that somewhere else. Right? Right, right. They want to go right to the source. You’re moving money from one account to another. Let’s attack that directly and get them to move money directly into my account.

VANNOY:

Yeah, I mean, the best system on your house is a well-lit front porch, right? I mean, exactly. It, it’s, it, you know, criminals are gonna look for the unlocked car <laugh> by just simply lifting the handles and seeing which doors are locked or, or not.

GOHMAN:

So, yeah, exactly.

VANNOY:

So, so with that, let, let’s, let’s then jump to bucket number three, which is, I think, where the real vulnerability is. And we, we hit on a lot of this, you know, the phishing emails and payroll diversion, but, you know, let’s, let’s go deeper on what the human vulnerabilities are when it comes to payroll. Cause I think, I think this is the biggie.

GOHMAN:

Yeah, yeah. I mean definitely we talked about kind of people in training awareness of you know, for phishing. But there’s also you know, the, I would say processes. So processes may straddle both technology and people, but really we’re gonna probably just talk about it here. Cause I think it best fits this way. And so it’s, you know, when you are a small business and there’s five people and you’re the business owner and you are, you know, running payroll, you’re managing the books you’re kind of managing all of those back office kind of administrative tasks, right? There’s, there’s a very low risk of fraud because you’re the one doing it all. And then as you, you know, but as you grow invariably, right? Cause that’s the intent. We want to grow, you’re not gonna be able to do it all and you’re gonna have to hire people that handle those processes for you.

And then it’s at that point then it’s, are you, you know, looking at, you know, background checks, credit checks, you know, to verify people are who they say they are and their background, right there to kind of look at the, the humans directly. But then what about processes? Again, when you are the one, as the business owner, doing the books and the payroll, et cetera, right? There’s probably not really much need for someone to check, double check you in the sense, cuz you’re probably not trying to defraud yourself. But as more people become involved in the system, there’s also, you know, not just from a fraud like theft, but, you know, error, human error. There’s just more errors that could be brought into the system. So it’s how are the checks and balances, or in the security world we call it separation of duties. So how are the, the checks and balances in your processes created to, to review the different processes to make sure that the possibility of error is reduced, the risk of fraud is reduced, you know, by, by double checking someone’s work and that sort of thing.

VANNOY:

So, you know, we, I we, we tend to think of, you know, criminals as these, these evil characters with bandits’ masks over their faces, right? Yeah. But the, the, the really, really sad, harsh reality is an awful lot of payroll fraud is insider stuff, right? It, it’s not somebody from the outside that gets in as a result, result of a phishing scam. It’s the office manager whom you, you’ve, you’ve had in your home and you love and trust. Yeah. And all of a sudden, 10 years later you are flabbergasted, awestruck to learn for the last six years you’ve been, you’ve been being stolen from, right? So talk to us about what some of those checks and balances look like for a good, healthy and trustworthy company. Cuz we, we, we don’t want, you know, we, if you’re trying to grow your business, you don’t want people that feel paranoid, like you don’t trust them to do their job. Yeah. But you also need to have reasonable guardrails up, the checks and balances. Can we, can we talk through what some of those might look like?

GOHMAN:

Yeah, absolutely. Certainly it’s, you know, setting the right flags within the system. So if payroll is beyond a certain point, I mean, you know, you know what your average payroll is on a payroll run, you know, say maybe even plus or minus 10, 15% you know, you may know that, you know, your, your bonuses are only run once a quarter. And so set the flags up in that system that if, you know, the payroll exceeds a certain point, that it requires an additional check, right? Whether that goes to you or, you know, you’re partnering with a payroll provider, have the checks at their end, say, you know, have the conversation with your account rep and say, my payroll each week is $10,000. If it’s $12,000, I want an email, or I want a phone call, or I want some notification that where I personally approve that to make sure that that this is legitimate, right?

Or if we run an out of cycle bonus or other pay or an out of cycle payroll, you know, that I’m, I’m informed. Use the, use the checks that are within the system, use your relationship with your vendor partner to, to kind of create those additional checks. You certainly could create a check where, you know, before a payroll is run, the payroll administrator preps the payroll, and then you, you’re required to look at it as a, as a business owner or as an, and maybe another person. Maybe you have the office manager run payroll, but your bookkeeper would be the person that reviews the payroll and approves the payroll before it’s sent, right? So separating those duties out where two people have to look at a particularly vulnerable or risky process.

VANNOY:

Talk about reports as a source of vulnerability and, and specifically, you know, some people still love paper, right? And, and

GOHMAN:

Yeah, absolutely. So certainly, I mean, data in any form, especially personal data, is a risk. So whether you have it around, you have too much of it. If you’re retaining records on employees or, or people longer than you need to, that’s a risk. And, you know, once you print something, you can lose track of it very quickly. It can be left on a desk. The cleaning crew can come in after hours and, and, you know, pick it up. Or it could be thrown away in the trash and someone could be pilfering through trash and find information that way. And so, certainly again, you know, as many, many people still prefer to touch and read paper, but limiting that or having a disposal process, right? So, you know, if your business, your office, you know, have a shred bin or a shredder and that’s where paper reports go.

Like, we don’t, we don’t put paper in the trash, we put it in the shred bin and it goes there. So certainly, and, and then trying to limit, especially right now with so many businesses working from home, is very difficult. Many employees, I’m personally, just to let you know, I’m a longtime work from home person ever since I got out of the army a few years ago. So I’ve been working from home for a long time and I, I would say fairly skilled at it. Maybe we’re all fairly skilled at it now. But one of the things, you know, now working from home, printing paper is a, is a big risk because your employees who usually would just walk to the shred bin and throw it in the shred bin there in the corner by the break room, what are they doing with that at home?

And how can you verify that they are doing or aren’t doing it? So if they do have a shredder maybe you’ve provided it, maybe not, maybe they have one. How do you control that? How do you ensure that they’re shredding it? So that that becomes a very you know, again, a fairly vulnerable process because there’s very limited way to check. And so trying to get, you know, employees or getting employees to reduce the amount that they print especially when they’re away from the office is a, is a definitely a big security risk.

VANNOY:

Yeah. You know what, last point, let’s maybe jump in and then we’ll hopefully have a, just leave a few minutes here for Q&A. Yeah. And as a, as a note, if you guys on the call, in the GoToWebinar user interface, there’s a section for questions, go ahead and type ’em in there and we’ll get to as many as we can just in a couple minutes. But at the end of the day, it, so if hackers, if the real threat isn’t necessarily getting behind the scenes hacking data centers and databases, it really is just physical access to the computers, the phones, and, you know, login username and, and password information. That’s where the real threat is. You know, may, maybe it’s not the insider job of that office manager who really is a trustworthy soul. But what does that person have to do? What, what, what should, what safeguards should be in place to make sure that no one else, maybe the brand new employee that, that you don’t have the relationship with? Like, I, you, you said earlier, maybe it’s the cleaning crew, right? Maybe it’s the person who comes and waters the plants. What, what do you gotta think about? Just simply physical access from com, from the hardware, but then also access to the software.

GOHMAN:

Yeah. So it’s really looking at like the end to end life cycle of data. So where do I get it? How do I store it? How do I handle it while I have it? And then how do I destroy it? So it’s like looking at all along that process. So maybe it comes in and you have it via email and it gets stored on a server and then, you know, it gets printed. Then what do you do with it, right, when it gets printed? How do you destroy that? And then ultimately, how do you delete it off the system when you no longer need it? Right? Really, cuz go back to this. We all, I oftentimes get this, we don’t wanna throw anything away because we don’t, or we don’t wanna delete data because I might need that. But any data that you have, especially about people, is a risk.

It’s a risk of compromise. It’s a risk of breach. Someone could come in and, you know, steal a computer or they could lose a computer, you know, their laptop, they’re working from home, they, or, or they’re on the road, they leave it in, their car gets stolen, reports get stolen out of a briefcase or at a coffee shop. So they’re all, it’s all risky. So it’s really looking at that, how, what is the life cycle of your data? So how do you get it, how do you handle it, store it, and then how do you delete it?

VANNOY:

Yeah. Very good. All right. So if, if you get, if you guys wanna pop into the question section, put your questions in, it’ll take ’em a second. So if you don’t know who Asure is, we are a Human Capital Management company. We have payroll and tax, HR and time and attendance software and HR services designed specifically for companies to help them grow. So our job is to, to give you the tools to, to pay your employees, attract the right people, find the right talent, develop that talent to get everybody behind your vision and, and all doing so in a way that, that, that helps you manage your money and stay compliant and, and out of trouble with the law. So with that, if you wanna go to the question answer, we will take the next few minutes and, and answer some questions.

So let me pop this out. Okay. The slides will be, be available. So this entire deck, the, the session is being recorded and everybody is gonna receive an email tomorrow. And this will be available on demand on our website to use at your leisure. So, okay, folks. “Appreciate the focus on prevention, but I was burned recently. I won’t say the name of the company because it was part of the payroll system I was using. The insurance company denied the claim for money loss. They said, said I had given the fraud access to the funds and that voided the coverage. Please comment on the insurance side of the issue and what is customarily covered or not.” So you know what, I, I’ll, I’ll say from the jump, Josh, I’m gonna ask you to comment, but I’ll say from the jump, this is, this is a little bit out of our world, cuz this is gonna be very specific to your insurance policy and for you to work out with your carrier. So it’d be inappropriate for us to make a declaration on the topic, but Josh, what, what, what would you have to comment on that? Yeah,

GOHMAN:

Absolutely. I mean, I can, I can comment from maybe my own experience. I mean, this is something that we deal with. I deal with the cyber insurance, our carrier and, and our coverage, you know, all the time. And so one of the things is, so kind of, it goes back to processes and training. You know, that oftentimes on the, the, you know, your insurance application, they’ll ask questions about did you conduct training? Did you conduct phishing simulations? Do you have, you know, antivirus, Windows updates, you know, these sort of things turned on. And so the, the better that you actually do all of those things, right? Provide training to your people, potentially do phishing simulations, you know, ensure your computers are updated and that you have all of the basic security software like antivirus and those sort of things on there reduces that potential loophole for the insurance to come back and say sorry, you didn’t have X or you didn’t train your people. So, you know, we can’t cover your claim on payroll diversion. I have seen claims be covered. I have, we’ve gotten claims covered. This is, so they, I do know that they are covered. It’s, insurance companies are what they are sometimes. But I would just say is that making sure all of your bases are covered and ensuring all of the kind of basic safeguards are in place will help prevent, you know, that denial of coverage.

VANNOY:

Hey Josh, we got one of, one of, somebody on the, on our show here today bringing up a, a different type of, a different flavor, if you will, of payroll diversion phishing email that they had at their company. Let’s, let’s explore this one. So they had an email sent to their HR department that had the employee’s name, asking them to make the change. So, so <laugh>, it wasn’t even their own fingers getting dirty. Hey, payroll manager, give me, gimme your username and password. It’s, it’s very <laugh> a good looking email that looks like it’s coming from your employee saying, Hey, I just changed, just moved, changed banks. Can you change my information to such and such?

GOHMAN:

Yes. Yeah, absolutely. I mean, I can imagine, you know, Asure Software, with all of the number of employees that we have that say payroll specialists, we, we see hundreds of these emails in our environment a day. And it’s, it goes back to a couple things. One, you know, people often ask, how do they know I was the payroll manager? How did they know that I was the person they’re supposed to send the email to? Yeah. You know, open source intelligence gathering, things like LinkedIn, your company webpage. There’s, there’s just dozens of sources out on the web where they can collect information about who works for what company, who is the payroll or who is the HR manager. And then it’s literally using tools very similar to, and I’m sorry to, to do this Mike, but that marketing folks use to send automated emails.

The fraudsters are using these to send these spam emails. So they’re not using the Marketos and the HubSpots of the world, but they’re tools that are essentially doing the same thing. They’re sending automated emails that, that fill in data, right? So that takes the employee name that I’ve got from this list and I send it to, you know, employee X, you know, the payroll manager, right? So I found the HR manager, sending that email. So it’s very, all automated and yeah, they’re absolutely trying to manipulate. The worst that I’ve seen is that they’re, they’re spoofing the CEO, you know, or other high paid employees who may not check their bank account every week, right? And so it may go two or three weeks before they realize they didn’t get paid. And then also it’s a bigger hit to the company. But yeah, that’s a very common form of threat. It’s, it’s, the good news is that you, luckily you’ll only usually get one, maybe two employees at a time. The reason we focused on the broad payroll diversion is because, you know, a single company in a single instance could lose 80, 90 or a hundred thousand dollars. Literally might be to the point where you might be put out of business. Cause with that significant amount of loss, but absolutely the individual payroll fraud is just as big of a threat.

VANNOY:

Yeah, that’s a common one. I, I get the occasional email that’s from my boss, our CEO, and it’s an easy name to find as a publicly traded company, and he has a very specific style of email. So there, it’s usually not hard to, to say that doesn’t sound like, that’s not how he talks to me. Yeah. But it’s, Hey, I need help with such and such, can you please do X, Y, Z? Yep. That happens all the time.

GOHMAN:

Mike, on just one thing is, I would say is that that comes back to the people and the process side. Yeah. Is what is your process for verifying that somebody is who they say they are when they make a request like that via email, right? So it’s, it’s just like in the IT world, if someone sends a request that says, Hey, please reset my password, how do I verify that the person on the other end of that email, which you can’t do, is who they say they are without going out of band, making a phone call or typing up or starting a whole new email and responding to that employee completely separately and saying, Hey, I got this request. Is this legitimate? Right? Or making the phone call and saying, Hey Bob, did you change, did you just send me a request? Cuz it looked suspicious and I just wanna check before I do it.

VANNOY:

All right, I’m, I’m gonna take one last one. I know we’re at time, but alright. Right. We switched from a paper copy to the employee logging into their payroll portal and changing their own direct deposits themselves. We in turn get notified the employee made, made the change. Do you still recommend us contacting the employee to make, make sure that they made that change?

GOHMAN:

So lemme just make sure I got this correct. So when the employee makes the change, you get notified that the employee makes the change, the employee has made the change.

VANNOY:

Yeah, that’s,

GOHMAN:

Yeah. Okay. Got it. Right. So no, I don’t necessarily think so. So I mean, if the, you’ve left it to the employee and hopefully you’ve encouraged that employee to use a strong password, you know, potentially even multifactor authentication or otherwise secure their account. But no, that’s, and, and actually in that scenario, that is the control that I would recommend is that if you’re giving it to the employee to let them self-service, which is a good practice, that you’re still getting that email and you’re notified when, you know, the, the direct deposit was changed, because if, say, more than one account was compromised, or if somebody’s account was compromised and they changed all of the accounts, you’re getting those emails saying, Hey, these accounts are, are, are, have been changed. And it gives you the opportunity then to go in and say, no, this isn’t quite right.

VANNOY:

Which, which, which kind of brings us full circle, right? There’s a technology component and a, and a physical human being process component. Because when it’s not just the office manager as a singular human being that can make these changes, but now it’s all employees can change their own direct deposit. So that criminal doesn’t like that as, as well, because they can only, the max they could get is however much your paycheck would be. What they wanna do is they want to go and change five or 10 or 50 direct deposit accounts the night before a payroll run. Mm-Hmm. <affirmative> and sweep your entire payroll because they’re greedy. But nonetheless, if you got 25 employees, you just took the vulnerability from one person and you spread it out to 25, which makes it all that much more important if you’ve got good technology processes, if you’ve got good human being processes, you’ve got good training in, in, in, in place and ways to inspect.

So I, I, I, I would agree. But thank, thanks Terry, for that question. All right. We’re over on time. We’ve got a handful of questions left. I apologize we couldn’t get to all of them. Some of them are pretty specific on product. And this is not meant to be a sales pitch. This is meant to be an education for everybody regardless of what platform you’re using. So if, if you asked a question that was specific, Hey, does the system or does your system do such and such, I would love, we’d love to have a conversation with you. Hop on the website, fill out a form. We’ll have a, a salesperson in contact with you and we’ll get you a demo and you can ask all those questions you want. But until then, I wanna thank everybody for their time and look forward to talking to you on our next webinar. Thanks, Josh.

GOHMAN:

Yeah, thank you.
