Strengthen internal payroll security to keep data safe

Christopher Wood, CPP  

Deborah Tam, CPP  

· 8 minute read


Everyone knows that data theft attempts are on the rise, and attacks on tax and accounting firms have also increased, but did you know that your internal employee and client payroll security may also be at risk?

Payroll security is an often overlooked yet critical concern for firms that provide payroll services.


A history of data breaches

According to Checkpoint Presents: Payroll on Point, a podcast from Thomson Reuters, there has been a major history of data threats over the years, and the bad guys keep getting smarter. Part of the purpose of the Taxpayer First Act, signed July 1, 2019, was to combat identity theft and create procedures for notifying taxpayers of suspicious activity.

There have been stories in the news recently about several successful data breaches within government agencies tied to payroll security issues. Currently, two federal lawsuits are being filed by employees to unions, stemming from a 2014 data breach. That breach included birth dates, Social Security numbers, and even fingerprint records of former, current, and prospective government workers, and hackers got their hands on most of that personal data.

In this particular case, it wasn’t the government itself that was hacked, but rather a third-party vendor that conducted background investigations on behalf of the government. Hackers can often break into third-party vendors by stealing credentials if the payroll security is not up to par.

One would think that the Department of Defense would be able to manage their payroll security well, but in October of 2018 even the Pentagon announced that its travel record system was breached, and the data of 30,000 employees and contractors was compromised. Again, this data was stored in a system maintained by a third-party vendor. Even our government agencies are vulnerable to data breaches.

In 2016, the IRS itself suffered a massive data breach in which more than 700,000 Social Security numbers and other sensitive W-2 or payroll-related information were stolen.

In 2017, the IRS commissioner testified before the Senate Finance Committee that another breach, in the IRS Data Retrieval Tool, allowed hackers to gain access to the personal information of some 100,000 students who use the tool to fill out the Free Application for Federal Student Aid. These identity thieves used this information to submit fraudulent tax returns and were able to steal an estimated $30 million from the US government. That is a windfall for hackers. These kinds of scams are happening more frequently because thieves see W-2s as a commodity. The going rate for W-2 information and 1040s ranges from a dollar to $52 on the dark web.

Employers, businesses, and the government always have to be on alert because it’s clearly very profitable for hackers to steal W-2 information. All of these payroll providers hold W-2 information such as employee names, Social Security numbers, dates of birth, and even banking information because of direct deposit, so there are an increasing number of attacks on HR departments. According to a 2018 Verizon Data Breach Report, there’s been an 83% increase in attempts to steal that personal information.

According to the podcast, 1 out of 10 URLs sent via email in the US is malicious, and 1 in 674 emails sent to smaller organizations with fewer than 250 employees is malicious, making it quite possible that an employee or client might at some point find themselves face to face with a phishing email scam.

Employee vigilance is necessary in the ongoing effort to secure payroll information in your accounting firm and also within the systems of any client to whom your firm might provide payroll services. Several ways to audit your payroll security level to manage the growing threats are discussed in The Tech Times article, Is Payroll the Weak Link in Your Organization’s Cybersecurity Network?. Top-tier network security and innovative IT systems must work together to ensure organizational stability and security. Discover how you can increase your internal payroll security and keep all your data safe by implementing solutions that cover any weak links.

6 ways to combat data breaches

Because internal data breaches are so frequent, it’s important to educate employees and implement measures to avoid risks to your payroll security. With so many generations of potential threats to client and internal payroll data, how do you stay ahead of the scams? The IRS is constantly releasing information to taxpayers to keep them on guard, and it issued a press release based on its third Summer Security Summit. The Security Summit, in partnership with the IRS and state tax agencies and tax professionals, has put together a checklist that highlights six security measures to deploy to avoid identity theft scams.

The six measures are:

  • Activate anti-virus software
  • Use a firewall
  • Implement two-factor authentication, and opt for it when it’s offered
  • Use backup software and services
  • Utilize drive encryption
  • Create a secure virtual private network (VPN)

The IRS also reminds people not to get caught by email fatigue. If you are receiving many emails and you’re having a busy day, you may get an email that looks like it’s from a supervisor, a manager, or the CEO, asking for W-2 information. Hopefully you take the time to verify the email address and ensure it’s not a scam. But if you’re having a busy day, it’s possible you just send that information out without thinking, and that’s all the hackers need.

Implement payroll security best practices to avoid risk

Many companies, large and small, farm out their payroll services to a third party, but is that third party’s payroll security in place? It’s important to have tight security around your payroll. Third-party vendors are often at the highest risk, but even internal employees who manage their own payroll are vulnerable. Untrained employees need to know how to recognize malicious threats.

As reported in the podcast, the 2019 Cybersecurity Pulse Report surveyed cybersecurity companies, asking, “Where do you see the highest risk coming from?” Of these firms, 87% replied, “The greatest threat lies with untrained general staff.”

Firms need to take the time to train employees on best practices for securing their computers, make sure that they check their emails carefully, and talk to them about limiting other people’s ability to access their computers and systems.

Here are some ways to avoid getting hit by W-2 hackers:

  • Audit your firm’s current technology system health
  • Offer proactive management, and stay vigilant against attacks
  • Utilize the latest in security measures
  • Avoid email fatigue and other internal mishaps

It’s a valuable investment for any employer, business, or government agency to make sure employees are properly trained and know what to do if and when a data breach occurs.

According to a 2018 data breach study by the Ponemon Institute, the average time it takes to identify a data breach is 197 days. When attacks occur, it takes approximately 69 days to contain the data breach. The longer it takes, the more money it can cost firms to fix and restructure their payroll security. These breaches cost businesses in a big way every time they occur. The average cost of a data breach is almost $5 million, and for a very large company, it can be over $10 million.

Hacking can result from employee error, and that doesn’t necessarily mean it’s the employee’s fault, but it’s important to train employees, both internally and on the client side, to recognize when some form of communication, like an email, might be malicious.

Provide fast, secure and easy payroll services

Clients want fast, secure and easy payroll services; that’s why they often choose to hire an outside company to manage their payroll. Having the right tools is important to avoid any threats to payroll security.

Think of what’s on a W-2: it’s got a name, an address, a Social Security number, and now hackers even know how much that person makes. That information makes HR and payroll departments vulnerable, so it’s imperative to stay vigilant to keep that data secure. Along with internal education, utilizing the best in payroll security can assist in avoiding any risks. You’re on the hook no matter the circumstances, so it’s important to go with payroll solutions you can trust that have the added security needed to keep your internal and client data safe into the digital age. Protect your firm from payroll risk.


Listen to the Payroll on Point podcast here or on iTunes or Google.


