Everything You Need To Know About Payroll Diversion

Cyber crimes are on the rise, and a new crime is on our radar: payroll diversion.

What is Payroll Diversion and how is it done?

Payroll diversion can come in different forms, but the euphemistic name describes a harmful practice: cybercriminals divert employee pay cheques paid by direct deposit to an account controlled by the cybercriminals, instead of the employee’s designated bank account.

One way cybercriminals divert employee wages is by posing as an employee over email. The cybercriminals will either hack into the employee’s email account or create a new email address resembling the real one, and send a request to human resources or the payroll provider requesting a change to the direct deposit information on file. Once the change is made by HR or the payroll provider, the employee’s next pay cheque will be deposited to a bank account that is controlled by the cybercriminals.

Another common method used by cybercriminals is hacking into an employee’s online payroll account (changing the employee’s password and restricting their access) and making the change to the direct deposit information directly.

How is payroll diversion usually discovered?

Most employees who fall victim to payroll diversion will notice immediately when they do not see their regular deposit in their account on payday. While this means the impact on an individual employee could be limited to a single instance of payroll diversion, if cybercriminals have identified a vulnerability that affects an entire organization and all of its employees, the potential impact could be catastrophic for the employees and the organization. We also know that cybercriminals sometimes monitor their intended target for months, waiting for information about a large commission or bonus payout, and only then request the change to the payroll information so that they intercept that one big payment.

How are wages recovered, and who is on the hook to pay?

The short answer is “It depends.”

Regardless of the situation, instances of payroll diversion result in a lot of administrative and behind-the-scenes work for the employer and the employee. The police, the payroll company and the banks involved will need to be notified, as will the IT departments of those organizations and of the employer. Each will want to conduct its own audit or investigation into what happened and who was to blame, in order to limit its own liability to (re-)pay.

While the police or banks involved may be able to recover the wages, it all depends on the specific circumstances, and it may take some time to make a determination.

Employers must also remember that in Ontario a failure to pay an employee their earned wages is a violation of the Employment Standards Act, 2000 (“ESA”). It is likely that the employer will be required to pay the employee the missing wages and seek to be reimbursed by either one of the banks involved or the payroll company. Similarly, the ESA sets out very specific instances wherein deductions from wages can be made. Before taking any steps to require payment to or from an employee, deduct from an employee’s wages, or otherwise point the finger, advice from an employment lawyer should be sought.

Steps Employers should take to limit exposure to payroll diversion

Fortunately for employers and employees, payroll diversion is a preventable cyber scam if all parties are properly trained on what to look for and if the right policies are in place to safeguard the organization and employees. The following are some tips to prevent and limit exposure to payroll diversion.

  • Review legislative requirements and best practices: The ESA has requirements about how wages are paid and the information required in order to do so. For example, if an employer is paying employee wages via direct deposit, the ESA states that the account must be an account chosen by the employee that (a) must be in the employee’s name and (b) only accessible by that employee or a person they have authorized. This requirement adds a level of protection, since employers should already be confirming that the bank account on file is in fact in the employee’s name.

  • Secure online accounts: Employers should ensure that they have clear policies in place that require employees to regularly change their passwords to all online accounts (company server, company email, company payroll account) and that such passwords are “strong.” Employers should require multi-factor authentication for all accounts, either through the use of a one-time code, or an authenticator app.

  • Restrict employee payroll access: If employees can change their direct deposit information on their own through their payroll account (i.e. without any verification by the employer or payroll company), employers should contact their payroll provider to disable this immediately and discuss appropriate safeguards that can be implemented.

  • Verify all requests to change direct deposit account information: With the above in mind, employers should put policies in place that require all requests for changes to direct deposit information to be verified. For example, we know many cybercriminals will make fraudulent requests via email. HR or payroll employees should always verify requests for payroll changes in-person or by calling the employee. While requiring a void cheque is also important, HR and payroll professionals should exercise caution when using this as the sole verification method as such documents can be easily downloaded and manipulated online.

  • Train employees on how to recognize and report scam emails and other suspicious conduct: Employees should be trained to scrutinize any emails or requests relating to direct deposit changes or any other money-related requests. Many scammers choose email addresses that look like the real email address (one letter missing, an underscore or another symbol). Employees should also know that “urgent” requests related to payroll changes are usually a red flag, and that any notifications received about unauthorized password changes should be taken seriously and reported to the employer immediately.
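The two verification tips above (checking the sender against the real address, and treating “urgent” direct deposit requests as a red flag) can be turned into a first-pass triage check for the HR or payroll inbox. The following is an added example, not code from the original post; the employee directory, the keyword lists and the incoming messages are all constructed for illustration, and any hit only means the request must be confirmed in person or by phone before anything is changed.

```python
import re
# Constructed employee directory (assumption: sourced from the HR system of record, not the email).
EMPLOYEE_DIRECTORY = {
    "jane.doe@example.com": "Jane Doe",
    "sam.lee@example.com": "Sam Lee",
}
PAYROLL_TERMS = ("direct deposit", "bank account", "banking information")
URGENCY_TERMS = ("urgent", "asap", "immediately", "before payroll runs")

def edit_distance(a, b):
    """Levenshtein distance: a letter missing, added or swapped counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def squash(addr):  # drop dots, underscores and other symbols: 'jane_doe' == 'jane.doe'
    return re.sub(r"[^a-z0-9@]", "", addr.lower())

def lookalike_of(sender):
    """Return the employee address a sender address imitates, or None."""
    sender = sender.lower()
    if sender in EMPLOYEE_DIRECTORY:
        return None  # genuine address; the change request still needs a callback
    for real in EMPLOYEE_DIRECTORY:
        if squash(sender) == squash(real) or edit_distance(sender, real) <= 2:
            return real
    return None

def triage(display_name, sender, subject, body):
    """Collect the red flags named in the post; any finding means phone the employee first."""
    text = f"{subject}\n{body}".lower()
    if not any(t in text for t in PAYROLL_TERMS):
        return {"payroll_change": False, "findings": []}
    findings = []
    imitated = lookalike_of(sender)
    if imitated:
        findings.append(f"sender {sender} looks like {imitated}")
    elif sender.lower() not in EMPLOYEE_DIRECTORY:
        findings.append("sender not in employee directory")
    owners = {a for a, n in EMPLOYEE_DIRECTORY.items() if n.lower() == display_name.lower()}
    if owners and sender.lower() not in owners:
        findings.append(f"display name '{display_name}' belongs to {sorted(owners)[0]}")
    if any(t in text for t in URGENCY_TERMS):
        findings.append("urgency language in request")
    return {"payroll_change": True, "findings": findings}
```

A clean result (a payroll request from the exact address on file with no urgency cues) still has to be verified by calling the employee; the check only decides which requests deserve extra scrutiny, not which can be trusted.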

Employers and employees must remember that limiting exposure to payroll diversion is a team effort, with both parties having an important role to play. While some of this information may seem obvious, payroll diversion is on the rise, and with some effort, it can be avoided entirely.
