Stop! Are you challenging requests for confidential payroll information?

14th March 2017

New warning from America raises questions about how businesses protect themselves from phishing scams.

I’ve already reported extensively on payroll data protection, payroll fraud and the rise of phishing scams, and my 2017 Top Ten Payroll predictions specifically included data theft.

However, with the American IRS issuing a further urgent warning about the next generation of phishing scams, businesses in the UK need to consider how to protect valuable payroll and other data. Data hacking has been replaced with people hacking.

These sophisticated scams originally targeted HR and payroll departments directly to obtain confidential payroll information, employee and bank details, which were then used to commit various crimes. But the next generation of scams is even more cunning, working through other departments to gain ‘legitimacy’ before extracting confidential information.

How can a business protect itself from theft of confidential employee information?

It needs to start from the top and have the full backing of owners and directors, because these phishing scams often rely on counterfeit requests that appear to come from a manager or executive. Of course, genuine requests for confidential information do occur in normal day-to-day work. That is the challenge for employees: sorting the legitimate from the fake.

Written procedures and guidance need to be put in place that trigger a check whenever a request for sensitive, confidential employee information, or other sensitive business data, is received, and senior managers should be comfortable with, and supportive of, being challenged.

Raising employee awareness is an absolute must, with regular reminders that drive home the need to verify that a request is genuine. Savvy US business leaders are also now adopting verification emails and second-person approval before critical internal information is disclosed. The verification has to go through a channel the requester did not choose: a known phone number, or a fresh email to the address on file, never a reply to the message itself, since a forged request can carry a Reply-To address that belongs to the fraudster.
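To make the "trigger" and "second-person approval" idea concrete, here is an added illustration of how a payroll or HR team could screen an inbound request before anyone releases data. This is example code written for this article, not a tool the author or the IRS describes; the internal mail domain, the executive name list and the keyword lists are assumptions, and both sample messages are constructed.

```python
"""Added example: a first-pass check on inbound requests for confidential
payroll data, plus a two-person release gate.  The domain, executive and
keyword lists below are assumptions for illustration only."""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.co.uk"}               # assumption: the business's own mail domains
EXECUTIVES = {"jane doe"}                          # assumption: names a fraudster is likely to impersonate
SENSITIVE_TERMS = ("p60", "p45", "p11d", "payroll", "bank details",
                   "national insurance", "w-2", "salary")
URGENCY_TERMS = ("urgent", "asap", "today", "immediately", "confidential")


def _body_text(msg) -> str:
    """Return the plain-text body (joins text/plain parts of a multipart mail)."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True).decode("utf-8", "replace")
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(parts)
    return msg.get_payload(decode=True).decode("utf-8", "replace")


def assess_request(raw_message: str) -> dict:
    """Classify one inbound email: does it ask for sensitive payroll data,
    and does anything about the sender look counterfeit?"""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    body = _body_text(msg).lower()

    flags = []
    if from_domain not in INTERNAL_DOMAINS:
        flags.append("external_sender")            # request did not come from our own domain
    if reply_to and reply_to.lower() != from_addr.lower():
        flags.append("reply_to_mismatch")          # replies would go somewhere other than the visible sender
    if from_name.lower() in EXECUTIVES and from_domain not in INTERNAL_DOMAINS:
        flags.append("claims_executive")           # an executive's name on an outside address
    if any(term in body for term in URGENCY_TERMS):
        flags.append("urgency_pressure")           # "today", "urgent": pressure to skip the checks

    sensitive = any(term in body for term in SENSITIVE_TERMS)
    return {
        "from": from_addr,
        "sensitive": sensitive,                    # triggers the written procedure regardless of flags
        "suspicious": bool(flags),
        "flags": flags,
        "hold": sensitive,                         # nothing sensitive leaves without second approval
    }


def release_allowed(assessment: dict, approvals: list) -> bool:
    """Second-person gate: a sensitive request needs two distinct approvers,
    each of whom confirmed the request out-of-band (phone, or a fresh email
    to the address on file, not a reply).  approvals = [(name, verified_oob)]."""
    if not assessment["hold"]:
        return True
    verified = {name for name, verified_oob in approvals if verified_oob}
    return len(verified) >= 2


# Constructed sample: a counterfeit "CEO" request from an outside domain
SPOOFED = """From: Jane Doe <jane.doe@example-payroll.com>
To: payroll@example.co.uk
Reply-To: jane.doe.ceo@webmail.example
Subject: Staff P60s

Hi, I need the P60s and bank details for all staff today, urgent.
Please keep this confidential.
"""

# Constructed sample: a routine internal request that still needs sign-off
LEGITIMATE = """From: Sam Smith <sam.smith@example.co.uk>
To: payroll@example.co.uk
Subject: March payroll report

Could you send the March payroll report when it is ready? Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        result = assess_request(raw)
        print(label, result["flags"], "hold" if result["hold"] else "release")
```

The point of the second function is that the gate does not care how convincing the email looks: a request for payroll data is held until two different people have confirmed it through a channel the requester did not supply. The keyword lists are deliberately crude; in practice you would tune them to the terms your own payroll function uses.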

Over the top? Maybe. But the financial and reputational risks now associated with data theft require a new business norm that treats the security of business information as routine. With Europe’s new data protection regulation due to apply from May 2018, is it time to tighten up your act?