A payroll service provider is working with federal investigators to uncover the cause of two recent security breaches in which phishing e-mails were used to harvest client credentials and phantom employees were then added to client payrolls.
The breaches caused the provider to shut down its web service twice over the past several weeks.
PayChoice of Moorestown, N.J., which provides direct payroll processing services to 125,000 clients and licenses payroll software, said the security breaches occurred Sept. 23 and Oct. 14.
PayChoice said clients apparently received phishing e-mails, containing partial user names and passwords, that told them to download a browser plug-in in order to keep using their online accounts.
“We are deploying responsive measures recommended by industry-leading security experts,” PayChoice Chief Executive Officer Robert Digby said in a statement Nov. 1. “We have identified and prevented further use of the method used by the criminals to obtain user credentials.”
The company notified customers of its online payroll portal after three clients found that bogus employees had been added to their payrolls. The breaches were first reported by washingtonpost.com.
After an investigation, PayChoice found that valid user credentials were used to add fictitious employees so that financial payments could be made to fraudulent bank accounts.
PayChoice has recommended industry best practices to its clients for secure payroll processing and has assisted many of them in setting up the procedures, Digby said.
Dealing with a payroll systems breach “really gets into disaster recovery territory,” said Bill Dunn, CPP, manager of government relations for the American Payroll Association.
“In the case of a system or software crash, I would think the first thing to do would be to call in the company IT department. If that fails, calling the vendor for assistance sounds natural,” Dunn said in an e-mail to BNA on Nov. 5. “In the end, though, payroll professionals know that the nature of their work sometimes requires heroic and creative efforts to ensure employees get paid.”
If companies are notified that phantom employees were inserted into the payroll, one way of locating the breach is to require all employees to show proper identification before signing for a paycheck, Dunn said. Employees on direct deposit might be required to sign for pay stubs, he said.
“Employers offering electronic pay stubs might regularly run head counts and have their department managers verify their employees,” Dunn said.
In many cases, funds from a paycheck for a phantom employee are deposited into an actual employee's bank account, Dunn said. In that case, finding the phantom payroll would require having to “run a report on bank accounts and investigate any instances in which more than one employee's pay is being deposited into the same account,” he said.
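The two detective controls Dunn describes, a head count per department checked against what managers have verified and a report on bank accounts that receive more than one employee's pay, can be run as queries over the payroll register. The following is an added example, not code from PayChoice, the American Payroll Association or the article: the table layout, column names and the sample payroll rows (including the two planted phantoms and the manager-verified counts) are constructed assumptions for illustration, and the register is loaded into an in-memory SQLite database so it runs offline.

```python
"""
Phantom-employee checks over a payroll register (added example, constructed data).

Check 1: bank accounts credited for more than one employee in the pay run.
Check 2: departments whose payroll head count exceeds the manager-verified count.
Account numbers are normalized before comparison so that a phantom entered as
"444-555-666" is matched against a real employee's "444555666".
"""
import re
import sqlite3

# Constructed sample register: (employee_id, name, department, routing, account, net_pay).
# E900 and E901 are the planted phantoms; each rides on a real employee's account.
PAYROLL = [
    ("E001", "Alice Mendez", "Sales",   "021000021", "111222333",   2400.00),
    ("E002", "Ben Okafor",   "Sales",   "021000021", "444555666",   2150.00),
    ("E003", "Chen Wu",      "Finance", "011000015", "777888999",   3100.00),
    ("E004", "Dana Petrov",  "Finance", "011000015", "222333444",   2900.00),
    ("E900", "John Doe",     "Sales",   "021000021", "444-555-666", 1980.00),
    ("E901", "Jane Roe",     "Finance", "011000015", "777888999",   2050.00),
]

# Constructed head counts confirmed by each department manager (assumed input).
VERIFIED_HEADCOUNT = {"Sales": 2, "Finance": 2}


def normalize_account(value):
    """Keep digits only so formatting differences cannot hide a shared account."""
    return re.sub(r"\D", "", value)


def load(rows):
    """Load the register into an in-memory SQLite table (schema is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE payroll (employee_id TEXT PRIMARY KEY, name TEXT, "
        "department TEXT, routing TEXT, account TEXT, net_pay REAL)"
    )
    conn.executemany(
        "INSERT INTO payroll VALUES (?, ?, ?, ?, ?, ?)",
        [(eid, name, dept, normalize_account(rt), normalize_account(acct), pay)
         for eid, name, dept, rt, acct, pay in rows],
    )
    conn.commit()
    return conn


SHARED_ACCOUNT_SQL = """
SELECT routing, account, GROUP_CONCAT(employee_id)
FROM payroll
GROUP BY routing, account
HAVING COUNT(*) > 1
"""


def shared_accounts(conn):
    """Map (routing, account) -> sorted employee ids for accounts paid more than once."""
    return {(rt, acct): sorted(ids.split(","))
            for rt, acct, ids in conn.execute(SHARED_ACCOUNT_SQL)}


def headcount_variance(conn, verified):
    """Map department -> (on_payroll, verified) where payroll exceeds the verified count."""
    on_payroll = dict(conn.execute(
        "SELECT department, COUNT(*) FROM payroll GROUP BY department"))
    return {dept: (n, verified.get(dept, 0))
            for dept, n in on_payroll.items() if n > verified.get(dept, 0)}


def employees_to_investigate(conn):
    """Every employee id on a shared account; the report cannot say which one is the phantom."""
    return sorted({eid for ids in shared_accounts(conn).values() for eid in ids})


if __name__ == "__main__":
    db = load(PAYROLL)
    for key, ids in shared_accounts(db).items():
        print("shared account", key, "paid to", ids)
    for dept, (n, v) in headcount_variance(db, VERIFIED_HEADCOUNT).items():
        print(f"{dept}: {n} on payroll, {v} verified")
    print("investigate:", employees_to_investigate(db))
```

The shared-account report deliberately returns both employees on each account rather than guessing which is fictitious; as Dunn says, each instance has to be investigated, and the real employee whose account was used is also a lead on how the credentials were obtained.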
The security of using an outside provider depends on several factors, said payroll consultant Fred A. Basehore Jr., CPP. Any firm that wants to outsource payroll should make sure a vendor is bonded so that if a breach occurs, a client can regain lost funds from the outsourcing company.
Some larger firms might not need to be bonded because they are self-insured, but there should be language in the contract that sets out remedies in cases of a security breach, said Basehore, owner and principal of F.A. Basehore & Associates.
Another factor to consider when choosing software or an outsourcing firm is to ensure the terms of the contract are understood and that legal counsel has approved the contract language, Basehore said.
To date, none of the clients that PayChoice serves have lost money because of the security breaches, Digby said. Only the online users of the PayChoice website, onlineemployer.com, were affected. A number of clients use telephone, fax or other non-web-based input methods to process payroll, Digby said.
“This is an issue that companies have to be vigilant about. There is always somebody out there trying to breach your system,” said C. Leonard Jacobs Jr., project manager of tax operations for payroll at Intuit Corp.
If hackers can obtain inside information, companies can become vulnerable to attacks, Jacobs said. “We're in that age--not only this but the concept of identity theft--where all of this cycles into the same subject: what is your internal security process and how well you protect your data,” he said.