
Expert insights on payroll data security and tax scams in 2025

Christopher Wood, CPP · 8 minute read


Businesses continue to face serious cyber threats that target payroll and tax information. As scams become more common, it is important for companies to protect sensitive data and stay compliant with regulations to better secure their payroll processes and reduce risks.

Cliff Steinhauer, Director of Information Security and Engagement at The National Cybersecurity Alliance (NCA), recently highlighted the importance of recognizing common payroll-related tax scams, understanding the evolution of data security threats, and leveraging advanced technology to safeguard payroll data.

He pointed out that cybercriminals are employing more sophisticated techniques, including artificial intelligence (AI) powered tools, to execute complex phishing and impersonation scams targeting payroll and business communication systems. Despite these advancements, basic security measures like multi-factor authentication remain crucial in preventing such attacks.

Vulnerabilities for payroll during tax season

Steinhauer explained that payroll departments are particularly vulnerable to scams and phishing attacks due to their involvement in money transfers and changes to employee accounting information. He noted that during the tax season, the volume of communications with employees increases, making it easier for attackers to exploit this busy period.

“[Payroll professionals] may be dealing with a lot of communications with employees during tax time if employees have questions or are asking for copies of documents or Forms W-2…or even updating…their W-4s,” Steinhauer said. He added that cybercriminals exploit the busy payroll and tax season by inserting themselves into the communication flow, taking advantage of the heightened activity and exchange of information during this period.

Techniques used by cybercriminals

Some common tactics include phishing emails and impostor emails, where attackers pose as employees or vendors to request changes to deposit information or sensitive data. Steinhauer stressed that business email compromise (BEC) is also a significant threat, where attackers use compromised email accounts or create look-alike email addresses to insert fraudulent requests into legitimate email threads.

“So, [these] types of scams are very dangerous because they’re exploiting the trust that’s built into somebody’s contact on email, which is a super common way of communicating, obviously in today’s business world,” he noted.

Steinhauer added that although this can be difficult to detect, implementing out-of-band confirmation processes and training employees to recognize suspicious emails can help mitigate the risk.

Other methods include SMS phishing (smishing) and spear phishing, targeting payroll personnel with text messages or highly targeted emails to reroute money or disclose sensitive information. Additionally, attackers are using AI to enhance phishing tactics, such as finding phishing domains, setting up fraudulent web pages, and crafting convincing emails.

“So in addition to those two or three threats, we see AI playing a part in those where it can help attackers find available phishing domains…set up fraudulent web pages that collect sensitive data…craft more convincing phishing emails…[and] proofread and rewrite emails for proper grammar and spelling,” Steinhauer remarked.

Despite these advancements, he noted that traditional security measures remain effective in mitigating these threats.

Growing scale and sophistication of cybercrime

Cybercriminal tactics are evolving and becoming more sophisticated, leading to a higher volume of attacks that are harder to detect. Steinhauer said that contrary to the image of lone hackers, these attacks are often carried out by large, organized groups with specialized skills, operating on a global scale. He noted that these groups function like businesses, with coordinated efforts and structured operations.

“The business of cybercrime continues to grow every year,” Steinhauer began. “It’s all getting higher volume and they’re now starting to use AI to…make these things better, faster, cheaper, and higher amounts of everything.”

Best practices for protecting sensitive payroll data

To enhance payroll security, Steinhauer explained that businesses can implement both technical tools and human-related training. On the technical side, email clients can flag first-time messages from unknown senders, and AI can detect common scam methods.
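The two technical controls mentioned here, flagging first-time senders and spotting the look-alike addresses described under business email compromise above, can be combined into a simple inbound-mail triage. The following is an added illustration, not code from the article or from the NCA; the known-sender list, the sample messages and the two-character look-alike threshold are constructed assumptions.

```python
import re

# Constructed assumption: addresses payroll has corresponded with before.
KNOWN_SENDERS = {
    "ceo@acme-example.com",
    "benefits@vendor-example.com",
    "jane.doe@acme-example.com",
}

# Constructed inbound messages: (sender, subject, body).
# The second one uses "exarnple" (r+n) to imitate "example" (m).
MESSAGES = [
    ("jane.doe@acme-example.com", "W-2 copy", "Could I get a copy of my W-2?"),
    ("ceo@acme-exarnple.com", "Urgent", "Need the bank details updated today, wire before 5pm."),
    ("newhire@other-example.org", "Question", "Where do I find my W-4?"),
]

# Wording that pressures the reader to act quickly, a common phishing tell.
URGENCY = re.compile(r"\b(urgent|immediately|today|before 5 ?pm|asap|wire)\b", re.I)
PAYMENT = re.compile(r"\b(bank|deposit|account number|routing)\b", re.I)

def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(sender, subject, body, known_senders=KNOWN_SENDERS):
    """Return the list of warning flags raised for one inbound message."""
    flags = []
    sender = sender.lower()
    domain = sender.split("@", 1)[1]
    known_domains = {s.split("@", 1)[1] for s in known_senders}

    # Flag 1: the mailbox has never exchanged mail with this exact address.
    if sender not in known_senders:
        flags.append("first-time sender")

    # Flag 2: the domain is not one we know but is within a couple of edits
    # of one we do (e.g. a swapped letter or an "rn" standing in for "m").
    if domain not in known_domains:
        for kd in sorted(known_domains):
            if levenshtein(domain, kd) <= 2:
                flags.append(f"look-alike domain (resembles {kd})")

    # Flags 3 and 4: urgency language and payment-detail references.
    text = f"{subject} {body}"
    if URGENCY.search(text):
        flags.append("urgency language")
    if PAYMENT.search(text):
        flags.append("mentions payment details")
    return flags

if __name__ == "__main__":
    for sender, subject, body in MESSAGES:
        print(sender, "->", triage(sender, subject, body) or "no flags")
```

The flags are deliberately additive: a first-time sender asking where to find a W-4 is routine and gets one informational flag, while a look-alike domain that also pushes urgency and mentions bank details stacks four and is the kind of message that should go straight to the out-of-band confirmation step rather than be answered by reply.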

He said that encryption for data at rest and in transit, multi-factor authentication (MFA), and monitoring unusual activity are essential security measures.

Steinhauer added that “payroll and accounting people [are] a highly targeted group of individuals [on] the front line defense of [an] organization” who should be empowered “to make decisions and to report unusual activity” by establishing “a culture of security” that involves IT and security teams “when they see something that’s wrong.”

Training for employees to recognize and avoid payroll-related tax scams

For human training, Steinhauer stressed well-documented processes for approving changes. Employees should not be able to change direct deposit information via email alone; additional verification steps, such as phone calls or in-person ID checks, are necessary.
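The approval process just described can be enforced in software rather than left to memory: a direct deposit change is only applied once an out-of-band verification has been recorded by someone other than the person who logged the request. This is an added example, not the article's or any vendor's code; the channel names, the two-day freshness window and the dual-control rule are constructed assumptions standing in for whatever a given payroll team documents.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

class ControlError(Exception):
    """Raised when a change is attempted without the required checks."""

# Channels that count as independent of email (assumption for this example).
OUT_OF_BAND = {"phone_callback", "in_person_id"}
MAX_AGE = timedelta(days=2)   # a verification older than this must be redone

@dataclass
class DepositChangeRequest:
    employee_id: str
    new_account_last4: str
    requested_via: str        # channel the request arrived on, e.g. "email"
    requested_by: str         # payroll user who logged the request
    requested_at: datetime
    verifications: list = field(default_factory=list)   # (channel, who, when)

def record_verification(req, channel, verified_by, when):
    """Attach an out-of-band verification; email is never acceptable here."""
    if channel not in OUT_OF_BAND:
        raise ControlError(f"{channel!r} is not an out-of-band channel")
    if channel == req.requested_via:
        raise ControlError("verification must use a different channel than the request")
    req.verifications.append((channel, verified_by, when))

def is_approved(req, now):
    """Approved when a fresh verification exists from someone other than the requester."""
    for _channel, who, when in req.verifications:
        if who != req.requested_by and now - when <= MAX_AGE:
            return True
    return False

def apply_change(req, payroll_records, now):
    """Write the new account only if the control passes; otherwise refuse."""
    if not is_approved(req, now):
        raise ControlError("direct deposit change not approved: out-of-band verification missing")
    payroll_records[req.employee_id] = req.new_account_last4
    return payroll_records

if __name__ == "__main__":
    now = datetime(2025, 2, 3, 12, 0, tzinfo=timezone.utc)
    records = {"E100": "1111"}           # constructed sample record
    req = DepositChangeRequest("E100", "4321", "email", "payroll.clerk", now)
    try:
        apply_change(req, records, now)
    except ControlError as e:
        print("refused:", e)
    record_verification(req, "phone_callback", "payroll.supervisor", now)
    print(apply_change(req, records, now))
```

The point of `is_approved` is that the email itself carries no weight: the request can sit in the queue indefinitely, and nothing changes in the payroll record until a second person confirms through a phone callback or in-person ID check.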


Some training methods Steinhauer suggested include videos, bulletins, and simulated phishing emails to help employees recognize and respond to threats. He added that an integrated security program combining technical controls and human awareness is vital for protecting payroll and other business data.

Retrospective meetings for security improvement

Just as payroll departments conduct year-end retrospectives to evaluate their processes, Steinhauer advised companies to hold regular meetings to assess data security threats. These meetings allow departments to reflect on past challenges and successes, and to plan improvements. He emphasized that including security teams in these discussions ensures that security concerns are addressed and that departments are aware of potential threats.

Pre-season security huddles

Before busy periods, such as tax season, Steinhauer also suggested companies hold pre-season huddles. “I think there’s a great opportunity to kind of have a preseason huddle with…a short presentation from the security team,” he said, adding that such a meeting can involve presenting current threats and best practices to help employees stay vigilant. He noted that this proactive approach ensures everyone is prepared for potential security issues, “especially for in-person organizations.”

Proactive involvement of company departments

Steinhauer encouraged departments like payroll, HR, and accounts payable to engage with security teams to raise concerns and ask questions, which helps tailor training and protection efforts to the specific needs of each department. “I think security teams and groups love to see folks raising their hands and asking questions and being inquisitive,” he said.

He added that this collaboration ensures employees understand the importance of security measures.

Connecting end users with security teams

Building strong connections between end users and security teams is important. Steinhauer admitted that these groups sometimes operate in silos, but regular communication helps both sides understand each other’s challenges. End users gain a better understanding of security controls, while security teams learn about the daily operations and needs of employees.

“And I think that a lot of folks will find that having a good relationship with your security team, and for the security team to have a good relationship with the users, really helps foster that culture of security,” Steinhauer emphasized.

The role of AI in enhancing payroll data security

Advanced technology, including AI, can play a key role in enhancing payroll data security. Steinhauer explained that detection tools analyze user interactions to establish what constitutes normal activity and alert on abnormal behavior. For example, AI can identify unusual login patterns, such as a user logging in from various locations or at unusual times.
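The baseline-then-alert approach described here does not require a large model to be useful; the same idea can be shown with a per-user baseline of usual login hours and countries, scored against later logins. The following is an added example written for this article, not a product's or the NCA's code; the login events, the baseline cut-off date, the one-hour tolerance and the two-hour travel window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASELINE_END = datetime(2025, 1, 31)      # events before this build the baseline
TRAVEL_WINDOW = timedelta(hours=2)         # two countries inside this gap is suspicious

# Constructed sample login events: (user, UTC timestamp, country).
EVENTS = [
    ("pay.clerk", "2025-01-06T08:55", "US"),
    ("pay.clerk", "2025-01-07T09:10", "US"),
    ("pay.clerk", "2025-01-08T08:40", "US"),
    ("pay.clerk", "2025-01-09T17:20", "US"),
    ("pay.clerk", "2025-01-10T09:05", "US"),
    ("pay.clerk", "2025-02-03T09:00", "US"),   # ordinary morning login
    ("pay.clerk", "2025-02-03T10:15", "NG"),   # new country, 75 minutes after a US login
    ("pay.clerk", "2025-02-04T02:30", "US"),   # known country, but 02:30 is not usual
]

def parse(events):
    return [(u, datetime.fromisoformat(ts), c) for u, ts, c in events]

def hour_distance(a, b):
    """Distance between two hours of the day on a 24-hour circle."""
    d = abs(a - b)
    return min(d, 24 - d)

def build_baseline(events, baseline_end=BASELINE_END):
    """Learn, per user, the set of login hours and countries seen in the baseline window."""
    hours, countries = defaultdict(set), defaultdict(set)
    for user, ts, country in events:
        if ts < baseline_end:
            hours[user].add(ts.hour)
            countries[user].add(country)
    return hours, countries

def detect(events, baseline_end=BASELINE_END):
    """Return (user, timestamp, reasons) for each post-baseline login that deviates."""
    events = sorted(parse(events), key=lambda e: e[1])
    hours, countries = build_baseline(events, baseline_end)
    last_seen = {}   # user -> (timestamp, country) of the previous login
    alerts = []
    for user, ts, country in events:
        if ts >= baseline_end:
            reasons = []
            usual = hours[user]
            # Unusual time: more than an hour away from every hour seen in the baseline.
            if usual and all(hour_distance(ts.hour, h) > 1 for h in usual):
                reasons.append(f"unusual hour {ts.hour:02d}:00")
            # New location: a country this user has never logged in from.
            if countries[user] and country not in countries[user]:
                reasons.append(f"new country {country}")
            # Improbable travel: a different country too soon after the last login.
            prev = last_seen.get(user)
            if prev and prev[1] != country and ts - prev[0] <= TRAVEL_WINDOW:
                reasons.append(f"{prev[1]}->{country} within {ts - prev[0]}")
            if reasons:
                alerts.append((user, ts.isoformat(timespec="minutes"), reasons))
        last_seen[user] = (ts, country)
    return alerts

if __name__ == "__main__":
    for user, when, reasons in detect(EVENTS):
        print(user, when, "; ".join(reasons))
```

Run against the constructed events, the February 3 login from a new country 75 minutes after a domestic one produces two reasons at once, while the 02:30 login produces only the unusual-hour reason; a real deployment would feed the same three signals into whatever alerting the security team already uses, and the learned baseline would be refreshed continuously rather than frozen at a date.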

Also, AI can analyze metadata and content to detect suspicious activities. Steinhauer said this helps identify AI-generated or phishing content by looking for language that creates urgency or deviates from company norms. Secure email tools can additionally use AI to block known phishing messages automatically.

Additionally, AI can enhance traditional security measures, making them more efficient. Steinhauer said it helps in identifying and blocking malicious activities faster than legacy tools.

Importance of basic cybersecurity protections

Although AI offers more tools to help detect tax scams and protect sensitive business data, Steinhauer highlighted the need for broader implementation of basic cybersecurity protections. He said MFA is crucial, stressing that if everyone adopted MFA, it would significantly reduce cyber-attacks. According to an NCA study Steinhauer referenced, despite its effectiveness, about 36% of users still do not use MFA.

He also noted a recent report that indicated 41% to 51% of logins on monitored websites use compromised passwords. Users often reuse passwords across different sites, increasing the risk of breaches. Steinhauer believes that awareness and encouraging users to change compromised passwords can also help mitigate this issue.

He encouraged more discussions and nudges towards these practices to enhance overall cybersecurity. “So, if I could see more…talk about that and more nudging people to implement those two things, we would go a long way towards preventing a lot of breaches,” Steinhauer advised.
