Payroll Admins: Cyber Security and the Trust Factor

Social engineering is the term used for scams that prey on human vulnerabilities. People within ministry that have access to employees’ personal data and organizational financial controls are considered high-value, vulnerable targets to social engineers.

The goals of scammers are changing, and their schemes are harder to detect. In fact, today’s scammers aren’t trying to get you to send them money—their aim is to gain access to ministry accounts, email addresses, and personal information that can be sold. Your goal as a payroll administrator: recognize their tricks to protect the ministry and avoid becoming a victim.

The danger of “yes”

Social engineers craft a good story. Caleb Sloan, operations manager for MinistryWorks, said the goal is to get you to say “yes” before you think. “Social engineers exploit ministry payroll administrators and HR professionals who are eager to do a good job and hardwired to trust,” he said. “They use your trust against you.” 

When securing payroll systems, there’s so much more at stake. Click on a malware link, and it unleashes a domino effect that can result in employee personal information being stolen, and ministry accounts and finances being compromised. Malware also can sift through sensitive information, destroy data, steal passwords, and record your every keystroke. 

Red flag warnings

Successful techniques target known trust signals to infiltrate your organization. They use easy-to-obtain information—like the names of your pastor’s family members—from social media or your website to appear trustworthy.

Sloan said that “urgent request” communications from someone posing as a trusted source in your organization usually ask you to do something right away. “Most payroll administrators likely would be suspicious of highly unusual requests, such as a demand to wire thousands of dollars to an unfamiliar bank,” he said. 

But other requests—like when an employee needs to change bank account information—are reasonable and in line with what a payroll processor may encounter. Social engineers know that if a request seems common, it likely will not raise a red flag. 

Here’s a few examples of scams that use social engineering to mimic a trust signal to catch a payroll administrator off-guard:

• An email that mimics a person of authority in your organization requesting all employees’ W-2s for an end-of-year review.
• A banking change request from an email address that looks nearly identical to a trusted source, like your pastor. Example: A pastor’s real email may be pastorb.smith@XYZChurch.org. A scammer can create an email pastorb.smith@XYZChurch.gmail.com or pastor.bsmith@XYZChurch.org and hope you won’t notice. Once the payroll administrator modifies the pastor’s banking information for direct deposit, the pastor’s next paycheck goes to the scammer instead.
• A faked invoice from a vendor you currently use. The “pay now” button actually downloads ransomware or other types of malware. 
• A faked email from a trusted colleague that requests your payroll software username and password so that she can enter new employee data into the system. 

The power of old-fashioned communication

When it comes to scams, the list is exhaustive and ever-changing. While the method may morph, the basic concept remains the same: social engineers target a person’s instinct to trust. “The only way to stay a step ahead is by building awareness and adopting stringent control procedures,” said Sloan.

Consider incorporating these tips into your overall payroll administration practices:

1. Always Be Suspicious. As a ministry worker, it’s in your nature to believe the best in people. As a payroll administrator, you should always be suspicious. Be vigilant and verify any request. An old-fashioned call or face-to-face conversation is the single best way to thwart scammers.
2. Develop set procedures for changing payroll information. Even better, use a payroll software system that allows employees to make their own changes. 
3. Never hit “reply” to a suspicious email. If the scammer is using a spoofed email, you’re simply asking the scammer if they made the request. Of course, that answer will always be yes.
4. Call the person directly using a known number and not a number listed in the potentially spoofed email. Talking to the person directly, if possible, is the most effective form of verification.
5. Never provide sensitive payroll or banking information by email or text. Banks, credit unions, credit card companies—even government regulatory agencies—never ask for information this way. Especially beware of the “you’re a victim of fraud” texts and emails. Messages like these have one goal: to get you to volunteer sensitive information to “verify your identity.”
6. Never give out payroll or banking information over the phone unless you can independently verify the person’s identity. 
7. Don’t share payroll login information. Each person in your payroll software system should have their own login. If someone with legitimate access gets locked out or forgets their password, require them to go through the prompts of resetting it.
8. Beware of the fake service provider. Take a moment to independently verify a request from a “service provider” that you aren’t expecting. This is an especially important step if someone calls or shows up at your organization to “fix the glitch” in your payroll software or computers. 

Cyber security measures: Get that coffee to go

For payroll administrators, there’s no such thing as too much security. Whether you complete payroll tasks using a payroll subscription service or a third-party software company, like MinistryWorks, ask these questions about your current practices:

1. Do we use two-factor authentication? Known as 2FA, this method adds another layer of security to your payroll account. 2FA requires users to have a password and an additional method of verification, such as a pin number, texted to a smartphone, before they can gain access to an account.
2. Do we ever use public Wi-Fi or an unsecured network at the church? If you’re tempted to use a coffee shop to catch up on payroll, Sloan says you definitely want to get that coffee to go. “Public, free, or unsecured Wi-Fi is a scammer’s playground where they use simple techniques to infiltrate your system. It’s like leaving your ministry’s doors unlocked.” 
3. Do we store our data in the cloud? Check with your cloud storage provider or payroll provider to see what security it offers. 

MinistryWorks considers protecting the data of our customers to be highest level of our stewardship service to you. We are fully compliant with regulatory banking rules and certifications. Our systems and customer data are hosted in the cloud with the very highest levels in security, redundancy, and scalability. 

To learn more about how we can serve your Christian church, school, camp, college, mission organization, or non-profit click here.

Put aside embarrassment

As soon as you know you’ve become a victim, contact your insurance agent and your payroll provider to mitigate further damage and future litigation. Do not wait. Some states require that you notify the affected individuals and possibly government agencies if certain personal or medical information was stolen. Each state has its own definition of a breach and a time frame to complete notifications. International countries may have altogether different rules. Your insurance policy may offer the tools and access to help notify breach victims.