
Secure Your Payroll: Avoid Fraud and Compliance Risks 

Organizations face a variety of fraud risks, compliance mishaps, and cyber-attacks from all vectors. Payroll fraud is a major one that often gets overlooked but remains a salient threat to small and medium-sized businesses.

According to Thomson Reuters, the Association of Certified Fraud Examiners (ACFE) found that payroll fraud schemes comprise 15% of all occupational fraud schemes in the U.S. and Canada. ACFE’s report revealed that the construction industry, government, and public administration were the most vulnerable to payroll fraud schemes, but absolutely no industry is immune, no matter the size of the entity.

Bad actors go after large institutions because of the sheer volume of valuable information they hold, and they equally target small organizations that simply do not have the IT and cybersecurity budgets of large organizations. ACFE found that the average payroll fraud continues for 18 months before detection, averaging a $2,800 loss per month or $50,400 total.

That’s an expensive inconvenience for a very large company, but it can be utterly devastating to a small or medium-sized business. Decision-makers need to be aware of their options for payroll security solutions. In addition to traditional password and multi-factor authentication protection, new layers of security like biometric authentication and blockchain are paving the way to improving fraud detection in payroll. Here’s how.

Understanding Payroll Fraud

Payroll fraud schemes are always evolving and can take many different forms. ACFE identified the following common types and some notable news stories:

Internal

Ghost Employees: While an external actor like a corrupt payroll provider can create a ghost employee, the perpetrator is virtually always a manager or disgruntled senior employee who has access to the payroll system and the authority to create an employee file. They create a fake employee that receives paychecks. A Wendy’s manager in Pennsylvania made the news for this by meticulously clocking a ghost employee in and out for 128 shifts in 22 pay periods, for gross pay of nearly $20,000 before she was caught.

Overpayment Schemes: Pay rate inflation, overtime fraud, and fake commissions and bonuses are the most common ways that employees flagrantly overpay themselves when they were not authorized to do so. Timesheet inflation by rank-and-file employees also occurs, but ACFE found that upper management and executives were responsible for the largest payroll fraud occurrences.

Expense Reimbursement Fraud: Employees who find overpayment schemes too obvious often opt to pad expense reports. Submitting the same expense report multiple times can be a good-faith error. But if it occurs regularly, it can be a sign of fraud. Over-inflated expenses and fictitious expenses with no proof or substance also constitute expense reimbursement fraud. A bookkeeper in a New Orleans law firm embezzled over $2.5 million over six years by submitting exorbitant expense reports and getting reimbursements that resulted in 143 payroll transfers that she used to buy eight cars.

External

Withholding Embezzlement: Third parties with ties to the organization, like insurers, professional services, and financial institutions, will steal employees’ payroll deductions intended for other uses like 401(k) contributions, taxes, and child support garnishments. Not only can this have a disastrous impact on employees’ lives and finances, potentially triggering lawsuits against their employers, but employers may also be in violation of wage and fringe benefit laws even though they did not intend this to happen.

Payroll Diversion: A cybercriminal will pose as an employee with phishing emails or compromise a real employee’s legitimate organizational email account. After this successful infiltration, they request changes to the employee’s payroll account, usually just the bank details, so they can siphon the employee’s pay to their own account. Since a majority of employees definitely notice when their paychecks don’t show up, this can leave employers liable for not paying their employees on time and having to front an additional paycheck while the fraud is investigated.

Biometric Authentication

Biometric authentication uses fingerprints or facial recognition to verify an employee’s identity. This helps mitigate the risks of timesheet theft, overtime fraud, and managers creating ghost employees.

Biometric authentication eliminates onerous clock-in and clock-out procedures by having the employee simply press their finger on the pad or align their face with the scanner. These systems ensure that employees are who they say they are and reduce the likelihood of timesheet fraud.

While they can’t fully mitigate the risks of external bad actors, they can prevent unauthorized access from external users that should not be in the payroll system. If implemented as an additional layer of security in specific areas, like the payroll office, biometric systems can also track if employees attempt to access these areas after business hours.

Blockchain Technology in Payroll

Blockchain was originally designed as the framework for cryptocurrency, which gave it a stigma in several corners of the business world. However, blockchain technology, decoupled from cryptocurrency, is now being recognized for its potential in other applications like the HR space.

SHRM touts blockchain’s fraud prevention benefits, citing its ability to make payroll processing faster and more transparent. The ability to execute payroll transactions quickly, with fewer errors, and in real time with enhanced security also fosters more trust among employees and management.

Accurate logging of hours worked, pay rates, and tax rates on blockchain simplifies the verification and execution of payroll transactions while personal information like addresses and bank details is kept separate and secure.

AI and Machine Learning in Payroll Fraud Detection

ACFE reported that 83% of the organizations they studied plan on implementing AI solutions within the next two years to combat payroll fraud and abuse.

AI and machine learning are currently being deployed to detect anomalies, flag transactions that were entered multiple times, and report suspicious activity. Machine learning, as the name implies, specifically uses the organization’s payroll and financial records to recognize patterns and determine what a human may have missed. 
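A rule-based baseline for the checks described above, as an added example that is not from the article or from any payroll product: it flags entries submitted more than once and gross pay that departs sharply from an employee's own history. The record layout, the sample entries and the thresholds `k` and `min_history` are assumptions, and the median-based test stands in for the machine-learning models the article mentions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data: (employee_id, pay_period, entry_type, amount, reference)
ENTRIES = [
    ("E100", "2024-01", "gross_pay", 3200.00, "run-01"),
    ("E100", "2024-02", "gross_pay", 3180.00, "run-02"),
    ("E100", "2024-03", "gross_pay", 3230.00, "run-03"),
    ("E100", "2024-04", "gross_pay", 5900.00, "run-04"),      # sudden pay spike
    ("E200", "2024-01", "gross_pay", 4100.00, "run-01"),
    ("E200", "2024-02", "gross_pay", 4100.00, "run-02"),
    ("E200", "2024-03", "gross_pay", 4100.00, "run-03"),
    ("E200", "2024-04", "gross_pay", 4150.00, "run-04"),
    ("E200", "2024-04", "expense", 412.75, "hotel-INV-7731"),
    ("E200", "2024-04", "expense", 412.75, "hotel-INV-7731"),  # entered twice
]

def find_duplicates(entries):
    """Return keys (employee, type, amount, reference) that occur more than once."""
    seen = defaultdict(list)
    for emp, period, kind, amount, ref in entries:
        seen[(emp, kind, round(amount, 2), ref)].append(period)
    return {key: periods for key, periods in seen.items() if len(periods) > 1}

def find_pay_outliers(entries, k=5.0, min_history=3):
    """Flag an employee's latest gross pay if it is far from their own baseline."""
    by_emp = defaultdict(list)
    for emp, period, kind, amount, _ in entries:
        if kind == "gross_pay":
            by_emp[emp].append((period, amount))
    flagged = []
    for emp, rows in by_emp.items():
        rows.sort()
        *history, (period, latest) = rows
        if len(history) < min_history:
            continue  # not enough baseline to judge
        # Median and median absolute deviation resist being skewed by one inflated value.
        base = median(a for _, a in history)
        mad = median(abs(a - base) for _, a in history)
        spread = max(mad, 0.01 * base)  # floor so perfectly flat pay does not flag small raises
        if abs(latest - base) > k * spread:
            flagged.append((emp, period, latest, base))
    return flagged
```

Flags from checks like these are leads for a human reviewer: a legitimate bonus or a genuine repeat purchase will trip them too.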

Best Practices for Payroll Security

  • Have a cybersecurity professional train employees at least once a year in threat detection and what they can do if a breach occurs.
  • Warn employees to never share login details or personal information over email, and to forward suspicious-looking emails to IT or the appropriate department.
  • Create separate login credentials for payroll that are disconnected from employees’ other organizational accounts.
  • Implement two-factor or multi-factor authentication in payroll systems and any other highly sensitive areas.
  • If an employee submits a request to change their bank details through any digital means, verify with the employee that they authorized the change.
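The last practice above, written as a hold rule for bank-detail change requests (an added example, not part of the original article). Because payroll diversion can start from a compromised employee mailbox, a confirmation only counts here if it used a different channel from the request and contact details already on file. The field names, channel labels and sample queue are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class BankChangeRequest:
    employee_id: str
    request_channel: str             # "email", "portal" or "in_person"
    verified_channel: Optional[str]  # "phone", "in_person", "email", or None if unverified
    used_contact_on_file: bool       # confirmation used contact details already held by HR

def hold_reason(req):
    """Return why a bank-detail change must be held, or None if it may be applied."""
    if req.verified_channel is None:
        return "employee has not confirmed the change"
    if req.verified_channel == req.request_channel and req.request_channel != "in_person":
        # A compromised mailbox or portal session can answer its own confirmation.
        return "confirmation used the same channel as the request"
    if not req.used_contact_on_file:
        # A phone number supplied in the request itself may belong to the requester.
        return "confirmation used contact details taken from the request"
    return None

def triage(requests):
    """Split requests into IDs that may be applied and (ID, reason) pairs that are held."""
    apply, held = [], []
    for req in requests:
        reason = hold_reason(req)
        if reason is None:
            apply.append(req.employee_id)
        else:
            held.append((req.employee_id, reason))
    return apply, held

# Constructed sample queue.
QUEUE = [
    BankChangeRequest("E100", "email", None, False),
    BankChangeRequest("E200", "email", "email", True),
    BankChangeRequest("E300", "email", "phone", False),
    BankChangeRequest("E400", "portal", "phone", True),
    BankChangeRequest("E500", "in_person", "in_person", True),
]
```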

Small and medium-sized businesses need to be one step ahead when it comes to payroll security. Taking a proactive and preventative approach will save your organization hundreds of thousands of dollars in costly disruptions, lawsuits, investigations, and insurance hikes.

Protect your business with ASAP Payroll’s cutting-edge security solutions. Contact us today to learn how we can help secure your payroll processes!

 
