@InovaPayroll
Melanie Crow, PHR, SHRM-CP
• SVP Sales & Marketing for Inova Payroll
• Over 30 years industry experience
• Focused on establishing long-term relationships with clients; happy customers before, during and after the sale
• Favorite quote: "Seek first to understand, then to be understood." Stephen Covey

Agenda
• Sensitive Data
• Sitting Target
• Latest Scams
• Best Practices
• Resources
• Questions
Sensitive Data
Standard Payroll Data
• Name
• Address
• Social Security number
• Bank account numbers

Other Data
• Email address
• IP address
• Driver’s license
• Passport information
• Biometric data

Data Laws
• General Data Protection Regulation (GDPR)
• California Consumer Privacy Act of 2018 (CCPA)
• Oregon Consumer Information Protection Act
• What’s next?
Sitting Target
Who would want our data?
• Computer geeks
• Other businesses
• Criminal rings
• Spies and terrorists
Data Breaches

Year  Company            Records
2017  Equifax            143,000,000
2017  Uber                57,000,000
2018  USPS                60,000,000
2018  Orbitz                 880,000
2018  Marriott           500,000,000
2018  Under Armour       150,000,000
2019  Quest Diagnostics   11,900,000
Los Angeles Police Department
• Data breach occurred July 25, 2019
• 20,000 people, including job applicants and employees
• Names, birth dates, email addresses, passwords, last four digits of SSN
Closer to Home
• May 2019
• Tennessee-based contractor for U.S. Customs and Border Protection
• Photos of travelers and license plates
• 100,000 people affected
• Stolen data posted to the dark web
Ransomware

Year  Company                              Cost
2016  Hollywood Presbyterian Hospital      $17,000
2017  Merck                                $670 million
2018  Atlanta                              $17 million
2019  Baltimore                            $18 million
2019  Syracuse City School District        $50,000
2019  Several Louisiana school districts   TBD
Grim Statistics
• Malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016 (Council of Economic Advisers, Executive Office of the President)
• 47% of American adults have been victims of cyber attacks (U.S. Department of Homeland Security)
Latest Scams
Types of Attacks
• W-2 phishing
• Direct deposit diversion
• Business identity theft
W-2 Phishing
• The scammer sends an email to someone on the payroll team.
• The email looks like it came from a company executive.
• The email requests a list of all W-2s and typically indicates some urgency.
• The scammer is betting that the targeted employee does not recognize the signs of a scam and sends the sensitive information.
• The scammer can then file false tax returns to steal refunds, or open credit accounts and charge thousands of dollars to them.
Direct Deposit Diversion I
• The scammer sends an email to someone on the payroll team.
• The email looks like it came from an employee.
• The email requests a change in direct deposit account.
• The payroll pro, being super busy, misses the red flags and updates the DD account in the payroll system.
• On payday, you have an unhappy employee…and a very happy thief!
Direct Deposit Diversion I

From: [REMOVED]
Sent: Monday, December 10, 2018 [REMOVED]
To: [REMOVED]
Subject: (no subject)

Hello [REMOVED],

I changed my bank and I will like my paycheck DD details changed. Do you think this change be effective for the next pay date?

[REMOVED]

Sent from my iPhone
Direct Deposit Diversion II
• The scammer sends an email to any employee.
• The employee clicks a link in the email and their computer becomes infected with malware.
• The malware tracks the employee’s keystrokes and secures their ESS login credentials.
• The thief then changes the direct deposit information directly within ESS.
• Note that this can happen to a payroll admin as well, and in that case all employee DD info is at risk.
Business Identity Theft
• Criminal impersonates a business owner
• Uses publicly available business information
• Sets up payroll with a provider using the company or business owner’s credit
• Processes payroll and money is deposited into fraudulent accounts
• Thief takes the money and runs
It Takes a Village
• We see these scam attempts frequently
• A network of payroll providers exchanges information on scams and scammers
• Communications from your payroll vendor
• Communications to employees
Best Practices
Basic Protections
• Antivirus
• Firewalls
• Encryption
• VPN
• Patching as soon as a vulnerability is announced
• Regular system backups kept offsite
Emails
• Look at the sender’s name and email address; there are often inconsistencies. But don’t stop there, even if you believe it matches an executive’s information.
• Pick up the phone and call the executive or employee making the request.
• Use the phone number listed in your company directory, not any phone number included in the email.
• Verify the request verbally before releasing or changing any sensitive information.
• Notify your head of payroll or HR as a precaution.
• Share these tips with everyone in the company who has access to employee data.
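The first bullet (sender name versus address) as an added example, not code from the presentation: it compares the From and Reply-To headers of a request against a constructed company directory and lists the inconsistencies a payroll pro should notice. The directory, domain and sample headers are assumptions; a clean result still calls for the phone verification described above.

```python
from email.utils import parseaddr

# Constructed company directory (assumed for this demo): display name -> address.
DIRECTORY = {
    "Jane Smith": "jane.smith@example-payroll.com",
    "Tom Jones": "tom.jones@example-payroll.com",
}
COMPANY_DOMAINS = {addr.split("@")[1].lower() for addr in DIRECTORY.values()}


def sender_red_flags(from_header, reply_to_header=None):
    """Return the inconsistencies found in a request that claims to come from a colleague.

    An empty list means the headers look consistent, not that the request is genuine:
    the request must still be confirmed by phone using the directory number.
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    flags = []

    known = DIRECTORY.get(name)
    if known is None:
        flags.append(f"display name '{name}' is not in the company directory")
    elif addr != known.lower():
        # Display name borrowed from a real colleague, but sent from another mailbox.
        flags.append(f"display name '{name}' but address {addr} is not {known}")

    if addr.split("@")[-1] not in COMPANY_DOMAINS:
        flags.append(f"address domain '{addr.split('@')[-1]}' is outside the company")

    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        if reply_addr.lower() != addr:
            # Replies would go to a mailbox the apparent sender does not control.
            flags.append(f"Reply-To {reply_addr} differs from From address {addr}")
    return flags


if __name__ == "__main__":
    # Constructed headers, not real messages.
    print(sender_red_flags("Jane Smith <jane.smith@example-payroll.com>"))
    print(sender_red_flags("Jane Smith <jane.smith@free-mail.example>"))
    print(sender_red_flags("Tom Jones <tom.jones@example-payroll.com>",
                           reply_to_header="tjones@free-mail.example"))
```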
Which password is stronger?
• Kronos.1
• P@ssw0rd123
• mYfc15_af0Rd
• qwerty123
Passwords
• Do not use the same password for any two accounts – ever!
• Length = 16
• Mix of upper case, lower case, numbers, symbols
• Change passwords regularly
• Use a password keeper, not an Excel file
• Don’t write passwords down
Education
• Ongoing
• For all staff
• For all new hires
• Updates on new schemes
• Testing and coaching
Payroll System Security
• Limit payroll system access to only those who need it
• Ensure more than one person handles payroll and that one individual takes on an audit role
• Set up alerts for sharp increases in employee pay
• Review all new employees added to payroll
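The four controls on this slide as an added example (not Inova Payroll's code or any payroll system's API): a review pass over a pay period's change log that flags entries by non-payroll users, changes with no independent reviewer, sharp pay increases, unverified direct deposit changes and new hires HR does not know about. The record layout, the 25% threshold and the sample log are assumptions made for the demo.

```python
from dataclasses import dataclass

PAY_INCREASE_ALERT_PCT = 25.0  # assumed threshold: raises above 25% get an alert


@dataclass
class PayrollChange:
    employee: str
    change_type: str               # "pay_rate", "direct_deposit" or "new_hire"
    submitted_by: str              # payroll user who entered the change
    approved_by: str = ""          # second payroll user who reviewed it
    old_value: str = ""
    new_value: str = ""
    verified_by_phone: bool = False  # employee called back on the directory number


def review_changes(changes, payroll_admins, hr_hires):
    """Return one alert per control violation found in the change log."""
    alerts = []
    for c in changes:
        who = f"{c.employee} ({c.change_type})"
        if c.submitted_by not in payroll_admins:          # least privilege
            alerts.append(f"{who}: entered by non-payroll user {c.submitted_by}")
        if not c.approved_by or c.approved_by == c.submitted_by:  # audit role
            alerts.append(f"{who}: no independent reviewer")
        if c.change_type == "pay_rate":                    # sharp increase alert
            old, new = float(c.old_value), float(c.new_value)
            pct = (new - old) / old * 100 if old else float("inf")
            if pct > PAY_INCREASE_ALERT_PCT:
                alerts.append(f"{who}: pay up {pct:.0f}%, above {PAY_INCREASE_ALERT_PCT:.0f}% threshold")
        elif c.change_type == "direct_deposit" and not c.verified_by_phone:
            alerts.append(f"{who}: account changed to {c.new_value} without phone verification")
        elif c.change_type == "new_hire" and c.employee not in hr_hires:
            alerts.append(f"{who}: not on HR's new-hire list")
    return alerts


# Constructed change log for one pay period (not real data); account numbers masked.
SAMPLE_CHANGES = [
    PayrollChange("A. Lee", "pay_rate", "payroll1", "payroll2", "2000", "2100"),
    PayrollChange("B. Kim", "pay_rate", "payroll1", "payroll1", "2000", "3000"),
    PayrollChange("C. Ruiz", "direct_deposit", "payroll2", "payroll1", "***1234", "***9876"),
    PayrollChange("D. Park", "direct_deposit", "payroll2", "payroll1", "***2222", "***3333", True),
    PayrollChange("E. Fox", "new_hire", "payroll1", "payroll2"),
    PayrollChange("F. Doe", "new_hire", "intern7", "payroll2"),
]


def sample_alerts():
    return review_changes(SAMPLE_CHANGES, {"payroll1", "payroll2"}, {"E. Fox"})


if __name__ == "__main__":
    print("\n".join(sample_alerts()))
```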
Takeaways
• You are being targeted
• Data protection is a daily battle
• Know the latest scams
• Keep up with your data regulations in all states in which you have employees
• Educate yourself and your employees
Resources
Stay Alert
• FBI cyber crime page: https://www.fbi.gov/investigate/cyber
• IRS phishing scams web page: https://www.irs.gov/privacy-disclosure/report-phishing
• FTC data security web page: https://www.ftc.gov/tips-advice/business-center/privacy-and-security/data-security
• FTC Data Breach Response Guide: https://www.ftc.gov/tips-advice/business-center/guidance/data-breach-response-guide-business
Stay Alert
• https://info.inovapayroll.com/cybersecurity-webinar
Questions