The Importance of Maintaining Confidentiality in International Payroll

Posted on 14 March 2023 by IRIS FMP

In a world rife with phishing scams, payroll data protection has never been more important. With new warnings arising every day, many American and international businesses are questioning how they can protect themselves against potential phishing scams and cybercriminals intent on data harvesting.

In 2022 alone, IBM reported that at least 83% of organizations had experienced more than one breach, with approximately 42 million records stolen and exposed. Combining these statistics with a fresh warning issued by the American IRS, it’s clear businesses across the world must consider how to protect valuable payroll and other data.

These sophisticated scams originally targeted HR and payroll departments directly to obtain confidential payroll information, private employee data and bank details. Subsequently, they have been used to commit various crimes, such as data and identity fraud. With phishing scams increasing by 61% since 2021, the next generation of these scams are proving even more cunning, working through other departments to gain ‘legitimacy’ before extracting confidential information.

What is payroll confidentiality?

Payroll confidentiality is vital for businesses. It establishes that only specified personnel can access a company’s payroll to complete a pay run. As this data is confidential, companies must have the means to protect it from exposure and falling into the wrong hands. That means employing appropriate considerations when handling data, especially with phishing scams rife in the world of business.

Many might think that payroll confidentiality stems from employees sharing their salaries, but there’s far more to it than that. In reality, it’s the least of a company’s worries. The practice of payroll confidentiality also encompasses how companies store and protect their data, and how they continue to safeguard it.

One threat that has plagued businesses since 1995 is the phishing scam. Standing the test of time for almost three decades, phishing scams have evolved alongside technology, becoming more sophisticated and smarter through the years. Where phishing scams are a persistent threat, it means payroll confidentiality and data safeguarding must remain the top priority for businesses.

How do phishing scams affect payroll?

Around 3.4 million phishing emails are sent every day, but it just takes one click to compromise someone. What’s more, many cyberattacks can go undetected, leading to a fresh batch of data that cybercriminals can continue to harvest. Companies, such as RSA Security, Upsher-Smith Laboratories and Ubiquity have all lost millions of dollars from phishing scams alone, compromising both customer and payroll-related data.

Why are phishing scams targeting payroll?

Businesses are an attractive target for cybercriminals as they offer a steady stream of customer and employee data, as well as access to financial information and funds. Many phishing scams often appear as emails from the CEO, Managing Director or other individuals in a company’s hierarchal structure. While they look innocent, they express a degree of urgency designed to trick the reader into clicking a link, attachment or parting with valuable data.

As phishing scams are sent directly to an employee’s mailbox, it doesn’t always look suspicious if an email has come through from someone senior. After all, employees might be in charge of financial data, in regular communication with the senior leadership team or simply trust the supposed sender. They may have no reason to suspect ill will. Unfortunately, 88% of all data breaches are caused by employees making this mistake.

people in an office discussing work

How can businesses keep their payroll data and employee information safe?

It’s not enough for businesses to try and ride out the storm of phishing attacks. As we’ve already seen over the years, they are becoming increasingly sophisticated with everyone a potential victim or target. Larger corporations might be attractive to some high-profile attackers, yet small and medium-sized enterprises could provide more opportunities for criminals, especially if attacks go undetected. That’s why all businesses must act.

1. Full backing by senior management

Data protection needs to start from the top and have the full backing of business owners, CEOs and Managing Directors. Phishing scams often take advantage of legitimate-appearing counterfeit requests from senior leadership, tricking staff into clicking email attachments or parting with financial records.

Of course, in normal day-to-day duties, these confidential information requests will occur. And that’s the challenge for employees, sorting out the legitimate from the fake. However, business leaders can set a precedent for employees, offering them real-life scenarios when these requests will be made and ensuring any confidential data is encrypted before it is shared.

2. Updated policies and procedures

Written procedures and guidance need to be put in place that provide triggers when any requests for sensitive confidential employee information are received. Senior managers should be comfortable and supportive of being challenged, emphasizing the importance of data security.

Similarly, international businesses must ensure policies and procedures reflect local laws and regulations. Some of the most complex payroll requirements come from member states that are part of the European Union, such as France, Italy and Belgium. Updated policies must offer compliance with strict data protection laws, with companies acknowledging the consequences of any data breaches they fail to protect against.

3. Enhanced staff awareness

Raising employee awareness is an absolute must, with regular reminders that drive home the necessity to seek the legitimacy of requests. Savvy US business leaders are also now adopting verification emails and second-person approval before critical internal information is disclosed.

Over the top? Maybe. However, the financial and reputational risks now associated with data theft require a new business norm that creates security of business information. With data protection laws coming into force, is it time to tighten up your act?

4. Outsourcing payroll requirements

Similar to storing data off-site, outsourcing your payroll could lessen the chances of employee data being stolen in a breach. Compliant payroll providers must process and handle a company’s data correctly, ensuring security and proactively safeguarding it. For international employers, this also guarantees compliance with local laws and regulations, such as GDPR requirements in the European Union or the Protection of Personal Information Act (POPIA) in South Africa.

multi-ethnic business people working on financial strategy,

What are the implications for businesses affected by a payroll data breach?

Cyber breaches always make the headlines, no matter where you operate in the world. Failing to protect against a cyberattack could prove costly, both in fines, legal action and reputational damage.


Violating cybersecurity and data protection laws is incredibly expensive. From HIPAA and GLBA in the US to GDPR in the EU and DSL in China, dependent on an organization’s operational sites, a company could be fined according to local and international laws. One company, Didi Global Inc., was fined $1.2 billion when it proceeded with operations in the US before a complete cybersecurity review of the product was completed. Similarly, the Irish Data Protection Commission (DPC) has imposed a fine on Meta for €1.2 billion for transferring the personal data of European users over to the US without decent data protection in place.

Legal action

As well as fines imposed by local and international governments, individuals, such as employers or consumers, have the right to claim compensation against an organization. Within the UK, citizens can claim up to £2,000 or more if their data has been affected by a breach. Claimants can make a case and president evidence that shows how their data has been breached.

For companies with hundreds of customers or employees on their books, this can easily build up. In the US, Equifax was subject to a major data breach caused by poor security processes. As such, they agreed on a compensation payout for customers in the States worth over $400 million. The impact on customers, employees and businesses can be staggering.

Reputational damage

According to Forbes, around 46% of companies that experienced a cybersecurity breach also noted severe reputational damage to their business and brand. There’s a stigma that follows businesses victimized by cybercrime and data breaches. Unfortunately, many consumers lose faith in the brand to deliver their services, turning towards competitors for the products they need. The same can be said for employees too, who feel they are unable to trust their employer with their personal details.

Despite the nature of the attack, whether it was infiltrated by a phishing attempt or sophisticatedly planned by a criminal, some will view a company as incompetent. Unfortunately, this idea of incompetence can easily spread, affecting public and private opinions of the company. These mindsets are generally hard to shake too, meaning businesses must do a lot of damage control to rebuild their reputation.

Looking to outsource your payroll and protect employee data?

If you want to take the next step and protect your employees’ data, we have the solution for you. At IRIS FMP, our international payroll service supports data entry and processing, while adhering to international compliance. We help you maintain confidentiality when it comes to your payroll requirements.