WFPH Responding to a Payroll Security Threat and Emphasizing New Cybersecurity Standards

Many large payroll providers emphasize the benefits of automated software that can help to streamline redundant HR tasks and save businesses time and money. In truth, these services and technologies only work when they are thoughtfully managed by payroll experts who can provide prompt customer service and make responsible security decisions when pressing or time-sensitive issues arise.

We recently sat down with Workforce PayHub’s owner, Eric Jones, to discuss how Workforce PayHub responded to a payroll security threat one of its clients faced. Through a swift and collaborative effort, the team promptly resolved the business’s external cybersecurity threat and used it as an opportunity to emphasize the value of its new cybersecurity standards, including multi-factor authentication, strong passwords, and recommended training.



Q: So, Eric, tell us about what happened recently.

Eric Jones: So, we do closeouts in the afternoons for any clients that have processed their payroll so far that day. These are usually finalized by about 4:45 and then bank files are normally sent by 5. After that, life is good.


Q: But you noticed something unusual as you were reviewing one client’s data?

Eric Jones: Well, Samantha from our team noticed that there were 3 payrolls, similarly named, that were processed for our client. She thought it was odd because the client didn’t have any scheduled payrolls for that day, but had submitted 3 that appeared random and with unusual details and seemingly random amounts. Occasionally our clients will do two payrolls in a day, but three is noteworthy. 


Q: But she managed to catch this just before the closeout?

Eric Jones: Yes, exactly. It caught her eye, so before anything was actually sent, she spoke with another team member, Courtney, who agreed that the situation seemed fishy. So, they went in and took a closer look. Sure enough, there were a bunch of bonuses – some taxable, some nontaxable. After they notified me, I took a look at it and I knew it had to be fraud.


Q: What were your next steps after that? 

Eric Jones: So, we immediately didn’t process them. We put them all in a held status and contacted the customer directly. We tried the customer’s office number, then sent an email explaining that there was an urgent concern. Although we weren’t able to reach the customer this way, we had their personal cell phone number and ultimately were able to explain the situation by phone and start to clear things up.


Q: What were the specific characteristics of this attack? Do you have any sense of how it originated?

Eric Jones: Definitely. So, in total there were 4 payrolls created and 3 of them had been processed, with one in a pending status. We discovered the core issues over the course of an investigation, but started by stopping any ACHs from taking place. We held all of those and rolled them back. We put in a case with our engineering team so they could immediately look into the issues. They were able to determine that it was an international (non-domestic) IP address conducting the attack. We told the customer to call their IT team immediately because their computer had been compromised.


Q: And were you and their IT team able to pinpoint the issue on the customer’s computer?

Eric Jones: Yes. Sure enough, there were viruses and some sort of bot on the customer’s browser. The bot was able to watch the customer’s keystrokes remotely and learned the customer’s email password, which allowed the cybercriminal to hack the associated email, as well. The customer had clicked on something the prior Friday that installed the bot. The attack was sophisticated and allowed the cybercriminal to gain access to the customer’s email and likely some other systems. Ultimately, the cybercriminal was able to reset the customer’s password, lock out their account, and log in themselves to create 4 new payroll submissions.

Note: This is one of many reasons Workforce PayHub strongly emphasizes the value of multi-factor authentication. With multi-factor authentication, even when an unlikely attack like this occurs, a unique passcode must be sent to a client-owned device to complete the login process, so a cybercriminal who holds only a stolen password cannot finish logging in to the account or system.


Q: What was the scale of the cyberattack in terms of the number of employees who could have been impacted?

Eric Jones: After gaining access through the client’s computer, they went into about 15 employees’ personal records and changed the direct deposit account information to a foreign bank. Again, it was sophisticated in the sense that they made some of the earnings taxable while others were nontaxable reimbursements. They were able to run 3 of the 4 payrolls before this was resolved. With this particular customer, they had been processing their own ACH files or draft deposit files with their bank. Normally, we manage all of this for our clients. In this case, I encouraged the customer to confirm that their bank files had not been uploaded to the infected computer or related systems. Fortunately, these files were secure, and in addition to the other security measures that we, our engineering team, and their IT team took, we were able to work with them to completely resolve the issues.


Q: What steps did you take or recommend in the immediate aftermath of the cyberattack?

Eric Jones: Their whole organization is now required to use multifactor authentication for their email. IT made that change on the following Monday. Now everyone has to have a cell phone or another email backup, which is what we have for our company (all devices) and recommend to all of our customers. 

For the customer that was targeted, they had another security issue that needed to be addressed. Specifically, their “reset password” links were defaulting to the last 4 digits of each employee’s SSN. If any personal data was compromised in a cyberattack, a cybercriminal could have used this information to hack an email account around the time of a password reset. Now, the customer and its organization require stronger passwords with more characters and the last 4 digits of the SSN can no longer be used in the system for resets or usable passwords.


Q: It’s great that you and your team were able to respond so quickly and notice this issue in the first place. 

Eric Jones: Well, Samantha and Courtney did a great job catching this, which allowed us to stop processing immediately. And we called the client personally to talk with them, get all of the information we could, and take the necessary steps to resolve things quickly. This is part of the reason why we really harp on multi-factor authentication and strong passwords for our clients. It’s not to be annoying or cause headaches, but because these compromises can happen and some simple steps can protect information from getting hacked in a similar way. 

And, from our perspective, we take security (backend security and the security measures our clients take) very seriously. That’s why we’re going a step further to introduce updated security requirements for all of our clients, which include multi-factor authentication, strong passwords, and other recommendations for employee training and closer collaboration with IT staff.
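
The signals that stopped this incident in the interview above (no payroll scheduled that day, three submissions where two is the usual ceiling, a non-domestic source IP, and direct deposit details changed for the payees) can also be checked automatically before closeout. The sketch below is an added example, not Workforce PayHub's code; the field names, the `ZZ` country placeholder, the seven-day window, and the two-signal threshold are all assumptions, and the sample records are constructed.

```python
from collections import Counter
from datetime import date, datetime, timedelta

# Constructed sample data. Field names and values are assumptions for this
# example, not the schema of any payroll product. "ZZ" stands in for any
# non-domestic source country resolved upstream from the submitting IP.
SCHEDULED = {("client-b", date(2024, 3, 12))}  # (client, pay date) on the calendar
D = datetime(2024, 3, 12)
RUNS = [
    {"id": "run-1", "client": "client-a", "submitted": D.replace(hour=14, minute=5),
     "src_country": "ZZ", "payees": ["e01", "e02"]},
    {"id": "run-2", "client": "client-a", "submitted": D.replace(hour=14, minute=20),
     "src_country": "ZZ", "payees": ["e03"]},
    {"id": "run-3", "client": "client-a", "submitted": D.replace(hour=14, minute=40),
     "src_country": "ZZ", "payees": ["e02", "e04"]},
    {"id": "run-4", "client": "client-b", "submitted": D.replace(hour=10),
     "src_country": "US", "payees": ["e90"]},   # scheduled, domestic
    {"id": "run-5", "client": "client-c", "submitted": D.replace(hour=11),
     "src_country": "US", "payees": ["e50"]},   # one off-cycle run, domestic
]
DEPOSIT_CHANGES = [{"client": "client-a", "employee": e,
                    "at": D.replace(hour=13, minute=30)}
                   for e in ("e01", "e02", "e03", "e04")]

def review_runs(runs, scheduled, deposit_changes, home_country="US",
                max_per_day=2, change_window=timedelta(days=7), min_signals=2):
    """Return {run_id: [signals]} for runs to hold pending a call-back."""
    per_day = Counter((r["client"], r["submitted"].date()) for r in runs)
    held = {}
    for r in runs:
        key = (r["client"], r["submitted"].date())
        signals = []
        if key not in scheduled:
            signals.append("unscheduled")
        if per_day[key] > max_per_day:
            signals.append("volume")
        if r["src_country"] != home_country:
            signals.append("non-domestic-ip")
        # Payees whose bank details changed shortly before this submission.
        changed = {c["employee"] for c in deposit_changes
                   if c["client"] == r["client"]
                   and timedelta(0) <= r["submitted"] - c["at"] <= change_window}
        if changed & set(r["payees"]):
            signals.append("deposit-changed")
        if len(signals) >= min_signals:
            held[r["id"]] = signals
    return held
```

Requiring two signals keeps a single off-cycle bonus run from being held, while each of the three same-day runs in the sample trips all four.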


Enjoy Secure and Efficient Payroll with Workforce PayHub

Workforce PayHub uses stringent security protocols to keep its clients and their data protected, providing a combination of leading-edge software and personalized customer service. We’re invested in demonstrating our daily commitment to the success and wellbeing of your Great Lakes business, whether it’s by integrating your HR processes, providing workforce consulting, optimizing payroll, or keeping your business compliant with regulatory changes. 

Looking for customer support and security measures that go above and beyond industry standards? Contact us today to let us support your mission.
