How to Defend Against Payroll and Email Fraud

By: Catherine Breen

Whether or not it’s on your radar, your business could be at risk of payroll fraud through your email account.

I recently had an interesting conversation with a business owner who was a victim of a sophisticated payroll fraud. Fraudsters hacked his Outlook email online and created a rule to forward all payroll documents to the fraudsters’ email address. Then they submitted a fraudulent payroll report to the business’s payroll processing company.

The payroll company recognized that the payroll was unusual and emailed the business owner. But unfortunately, they were corresponding with the fraudsters, who confirmed the fake payroll. The payroll company never directly called the business owner or his general manager before issuing the fraudulent paychecks, totaling $15,500. The fraud was discovered during the monthly bank reconciliation.

How can you avoid this type of attack? Let’s take a look at the difference between a fraudulent and legitimate payroll document, and what you can do to protect your business.

Fraudulent Payroll Document Red Flags

payroll fraud figure 1

Figure 1: Fraudulent payroll document

The fraudulent payroll document above was a sophisticated forgery, but it had red flags that alerted the payroll company (unfortunately, not enough to call the business owner). The fraudsters clearly had been monitoring the owner’s email for long enough to see at least one legitimate payroll document.

The employee IDs were exactly sequential to the real employees and the voucher numbers were close enough to the existing sequence that they could pass, although a close review should have caught the gap.

These were the red flags for the fraudulent payroll document:

  1. There were no withholdings.
  2. The recipients were not and had never been employees of the company.
  3. The individuals were listed in the staff category, but no pay rate was listed.
  4. The pay for the fraudsters was higher than the business owner and general manager’s bi-weekly salaries.
  5. The pay period and check dates did not match the business’s payroll schedule or pay dates.
  6. There was a gap between the last legitimate payroll voucher—3278 versus 3284 for the fraudulent voucher.

For comparison, the legitimate payroll documents list the rate for all employees, including the salaried officer. The regular pay employees show the hours worked and all have withholdings. See Figure 2 below for a page from the company’s legitimate payroll.

payroll fraud figure 2

Figure 2: Legitimate payroll document

How Can You Protect Your Business?

While a sophisticated fraud like this can be difficult to prevent, the following factors can make it easier for your business to detect an intrusion before a loss is incurred.

Enable Multi-Factor Authentication (MFA)

Use MFA for all email accounts that receive communications related to your business. Although the business owner I spoke with did not access his Outlook email remotely, if MFA had been enabled, he could’ve been alerted when the fraudsters tried to access his email and block them from further access.

Set Strong Passwords

Make sure you are using different sophisticated passwords for your accounts. It can be hard to manage multiple passwords for different websites and applications. Using a password management service is a secure way to house and audit your passwords.

Keep Up With Remote Access

Be aware of alternate methods of accessing your business communications. In this case, the owner wasn’t aware that his Outlook email could be accessed remotely because he only used it on his onsite business computer.

Monitor Email “Rules” Set

Check the rules for your email account periodically to verify that all rules are ones that you intentionally set. There are even automated alerts you can set up for your entire email service and all mailboxes.

Track Correspondences Regarding Sensitive Information

Be mindful of documents and confirmations that should be received from companies that can access your business’s bank accounts. If expected confirmations for transactions do not come promptly and they are not in spam folders, investigate and call the company.

Check Bank Reconciliations

Timely, monthly bank reconciliations provide quick alerts to unexpected and unusual transactions.

Update Software and Devices

Run all security, application and system updates promptly to ensure your business has the latest security patches from the developers.

Change the Channel

Set up policies for both internal users and your trusted vendors that force any change involving financial updates to trigger a phone call to a known contact. This simple step can save your company, vendors and clients valuable time and helps avoid fraud.

Reboot Your Devices

Periodically reboot cell phones, laptops and computers. Many spyware applications require remote activation, so rebooting your device will deactivate, and in some cases, outright uninstall spyware.

So, What Happened to the Business Owner?

The owner reported the fraud to the police. However, the police said they couldn’t do anything because the fraudsters were out of the local jurisdiction. The somewhat happy ending is that the owner’s bank reimbursed him for the payroll loss. But you may not be as fortunate—be diligent and keep an eagle-eye on your email and payroll processes for any irregularities and vulnerabilities.

Need Help?

If your business has experienced a loss from fraud, our Forensic, Valuation & Litigation (FVLS) practice can help you assess the financial impact. Our Technology Solutions Group includes a team of cyber security experts who are happy to meet with you for a cyber security risk assessment of your organization’s IT infrastructure. Or, you can contact us online or call 410.685.5512 with any questions.


Published April 3, 2023

Cyber Security Wake-Up Call: What’s Putting Your Organization at Risk?

Learn how to lessen your exposure to cyber threats in this free webinar recording.

Cyber Security Wake-Up Call Screen Play

Small Businesses — Be On the Lookout for These Cyber Threats

If you think you’re immune to cyberattacks as a smaller-sized business, you’re wrong. Attackers don’t just pass small...

Threats and Vulnerabilities to Monitor This Cyber Security Awareness Month

Have you ever received an email from an unfamiliar source and wondered, “How did they know that information?” or “How...