
Post on 11-Aug-2020


@InovaPayroll

• SVP Sales & Marketing for Inova Payroll
• Over 30 years of industry experience
• Focused on establishing long-term relationships with clients; happy customers before, during and after the sale
• Favorite quote: "Seek first to understand. Then to be understood." (Stephen Covey)

Melanie Crow, PHR, SHRM-CP

Agenda
• Sensitive Data
• Sitting Target
• Latest Scams
• Best Practices
• Resources
• Questions

Sensitive Data

Standard Payroll Data
• Name
• Address
• Social Security number
• Bank account numbers

Other Data
• Email address
• IP address
• Driver’s license
• Passport information
• Biometric data

Data Laws
• General Data Protection Regulation (GDPR)
• California Consumer Privacy Act of 2018 (CCPA)
• Oregon Consumer Information Protection Act
• What’s next?

Sitting Target

Who would want our data?
• Computer geeks
• Other businesses
• Criminal rings
• Spies and terrorists

Data Breaches

Year  Company            Records
2017  Equifax            143,000,000
2017  Uber               57,000,000
2018  USPS               60,000,000
2018  Orbitz             880,000
2018  Marriott           500,000,000
2018  Under Armour       150,000,000
2019  Quest Diagnostics  11,900,000

Los Angeles Police Department
• Data breach occurred July 25, 2019
• 20,000 people, including job applicants and employees
• Names, birth dates, email addresses, passwords, last four digits of SSN

Closer to Home
• May 2019
• Tennessee-based contractor for U.S. Customs and Border Protection
• Photos of travelers and license plates
• 100,000 people affected
• Stolen data posted to the dark web

Ransomware

Year  Company                              Cost
2016  Hollywood Presbyterian Hospital      $17,000
2017  Merck                                $670 million
2018  Atlanta                              $17 million
2019  Baltimore                            $18 million
2019  Syracuse City School District        $50,000
2019  Several Louisiana school districts   TBD

Grim Statistics
• Malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016 (Council of Economic Advisers, Executive Office of the President)
• 47% of American adults have been victims of cyber attacks (U.S. Department of Homeland Security)

Latest Scams

Types of Attacks
• W-2 phishing
• Direct deposit diversion
• Business identity theft

W-2 Phishing
• The scammer sends an email to someone on the payroll team.
• The email looks like it came from a company executive.
• The email requests a list of all W-2s and typically indicates some urgency.
• The scammer bets on targeting an employee who is not aware of the signs of a scam and sends the sensitive information.
• The scammer can then file false tax returns to steal refunds or can open credit accounts and charge thousands of dollars to those accounts.

Direct Deposit Diversion I
• The scammer sends an email to someone on the payroll team.
• The email looks like it came from an employee.
• The email requests a change in direct deposit account.
• The payroll pro, being super busy, misses the red flags and updates the DD account in the payroll system.
• On payday, you have an unhappy employee…and a very happy thief!

Direct Deposit Diversion I

From: [REMOVED]
Sent: Monday, December 10, 2018 [REMOVED]
To: [REMOVED]
Subject: (no subject)

Hello [REMOVED],

I changed my bank and I will like my paycheck DD details changed. Do you think this change be effective for the next pay date?

[REMOVED]

Sent from my iPhone

Direct Deposit Diversion II
• The scammer sends an email to any employee.
• The employee clicks a link in the email and their computer becomes infected with malware.
• The malware tracks the employee’s keystrokes and secures their ESS login credentials.
• The thief then changes the direct deposit information directly within ESS.
• Note that this can happen to a payroll admin as well, and in that case all employee DD info is at risk.

Business Identity Theft
• Criminal impersonates a business owner
• Uses publicly available business information
• Sets up payroll with a provider using the company or business owner’s credit
• Processes payroll and money is deposited into fraudulent accounts
• Thief takes the money and runs

It Takes a Village
• We see these scam attempts frequently
• Network of payroll providers exchange information on scams and scammers
• Communications from your payroll vendor
• Communications to employees

Best Practices

Basic Protections
• Antivirus
• Firewalls
• Encryption
• VPN
• Patching as soon as a vulnerability is announced
• Regular system backups kept offsite

Emails
• Look at the sender’s name and email address. Often there will be inconsistencies. But don’t stop there if you believe it matches an executive’s information.
• Pick up the phone and call the executive or employee making the request.
• Use the phone number listed in your company directory and not any phone number included in the email.
• Verify the request verbally before releasing or changing any sensitive information.
• Notify your head of payroll or HR as a precaution.
• Share these tips with everyone in the company who has access to employee data.

Which password is stronger?
• Kronos.1
• P@ssw0rd123
• mYfc15_af0Rd
• qwerty123

Passwords
• Do not use the same password for any two accounts – ever!
• Length = 16
• Mix of upper case, lower case, numbers, symbols
• Change passwords regularly
• Use a password keeper, not an Excel file
• Don’t write passwords down

Education
• Ongoing
• For all staff
• For all new hires
• Updates on new schemes
• Testing and coaching

Payroll System Security
• Limit payroll system access to only those who need it
• Ensure more than one person handles payroll and that one individual takes on an audit role
• Set up alerts for sharp increases in employee pay
• Review all new employees added to payroll
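
One way to automate the last two checks for the person in the audit role, shown as an added example that is not part of the original presentation. It also flags changed direct deposit accounts, the visible result of the diversion scams described earlier. The PayLine fields, the 25% threshold and the sample pay runs are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PayLine:
    employee_id: str
    gross_cents: int       # gross pay for the period, in cents
    account_last4: str     # last four digits of the direct deposit account

def review_pay_run(previous, current, max_increase=0.25):
    """Compare two consecutive pay runs; return (employee_id, reason) alerts.

    max_increase is the fractional rise in gross pay tolerated before an
    alert is raised (0.25 = 25%, an assumed default to tune locally).
    """
    prior = {line.employee_id: line for line in previous}
    alerts = []
    for line in current:
        old = prior.get(line.employee_id)
        if old is None:
            # Not in the previous run: route to the reviewer of new hires.
            alerts.append((line.employee_id, "new employee on payroll"))
            continue
        # Strictly greater than the allowed ceiling; also fires when pay
        # goes from zero to any positive amount.
        if line.gross_cents > old.gross_cents * (1 + max_increase):
            alerts.append((line.employee_id, "sharp pay increase"))
        # A changed account is the visible result of both diversion scams.
        if line.account_last4 != old.account_last4:
            alerts.append((line.employee_id, "direct deposit account changed"))
    return alerts

# Constructed sample data (not from the presentation).
PREVIOUS_RUN = [
    PayLine("E100", 240000, "1111"),
    PayLine("E101", 310000, "2222"),
    PayLine("E102", 180000, "3333"),
]
CURRENT_RUN = [
    PayLine("E100", 240000, "1111"),   # unchanged
    PayLine("E101", 465000, "2222"),   # 50% raise
    PayLine("E102", 180000, "9876"),   # account changed, same pay
    PayLine("E103", 200000, "4444"),   # not in previous run
]

if __name__ == "__main__":
    for employee_id, reason in review_pay_run(PREVIOUS_RUN, CURRENT_RUN):
        print(f"REVIEW {employee_id}: {reason}")
```

Each alert is a prompt for the verbal verification step, not proof of fraud.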

Takeaways
• You are being targeted
• Data protection is a daily battle
• Know the latest scams
• Keep up with your data regulations in all states in which you have employees
• Educate yourself and your employees

Resources

Stay Alert
• FBI Cyber crime page: https://www.fbi.gov/investigate/cyber
• IRS phishing scams web page: https://www.irs.gov/privacy-disclosure/report-phishing
• FTC data security web page: https://www.ftc.gov/tips-advice/business-center/privacy-and-security/data-security
• FTC Data Breach Response Guide: https://www.ftc.gov/tips-advice/business-center/guidance/data-breach-response-guide-business

Stay Alert

https://info.inovapayroll.com/cybersecurity-webinar

Questions

Contact
Melanie Crow
mcrow@inovapayroll.com
(615) 921-0604
