Top 5 Things Businesses Need to Know About Payroll Security - Mission to Grow: A Small Business Guide to Cash, Compliance, and the War for Talent - Episode #108

MTG - Joshua Gohman

Mike Vannoy: [00:00:00] In some cases, you're smaller, you're more vulnerable. You know, big companies, big budgets, they've seen their, peers be hit with cyber attacks and have robust security professionals like myself, you know, on staff defending the network all the time. smaller businesses, maybe just like, you know the kind of phishing attack against someone's grandmother.

Mission to Grow Intro: Welcome to Mission to Grow, the small business guide to cash, compliance, and the war for talent. I'm your host, Mike Vannoy. Each week, we'll bring you experts in accounting, finance, human resources, benefits, employment law, and more. You'll learn ways to access capital through creative financing and tax strategies, tactical information you need to stay compliant with ever changing employment laws, and people strategies you need to win the war for talent.
Mission to Grow is sponsored by Asure. Asure helps more than 100, 000 businesses get access to capital. Stay compliant, and develop the talent they need to grow. Enjoy the show!

Mike Vannoy: The top five things businesses need to understand about [00:01:00] payroll security. Hi, I'm Mike Vannoy with Mission to Grow. And this is a topic that every business owner, every manager of every business needs to understand. I think you might be surprised when we think security, we tend to think cybersecurity.
And there's certainly a technology component, but some of the, some of the easiest places for fraudsters to take advantage of small businesses is payroll. And most frequently has nothing to do with technology. So got a great guest to unpack the topic today. Uh, he's a cybersecurity professional who helps keep businesses safe.
He specializes in information security, privacy, DevSecOps, that's development security operations, and organizational transformation. He's, uh, someone multidimensional problems with real world out of the box solutions. He's the vice president of information security at Asure. Welcome Josh Gohmen.

Joshua Gohman: Yeah, thank you, Mike. Glad to be here.

Mike Vannoy: I'm excited to talk about [00:02:00] this so much of this show. We talk about HRE kind of things, uh, just cause there's so much to keep up on in the compliance world for small businesses

Joshua Gohman: Oh, sure.

Mike Vannoy: world. Um, but this is really, I'd say kind of a fundamental topic that people need to get their heads around. What do you think the number one thing that small businesses, especially, I'd say business owners in general, need to understand about payroll security?

Joshua Gohman: Yeah, absolutely. I think the number one thing there is that no business, no entity is too small. Right? This idea that I'm too small for the hackers to find me. It's just a fallacy. You know, they're using automated tools to comb the internet, uh, you know, scrape, uh, our different social media platforms to find things about people.
And they're just, uh, blanketing everybody with attacks just continuously. And because, you know, if even only 4 percent of those succeed, it's still a significant number because [00:03:00] they are literally trying to hit

Mike Vannoy: You said 4%. That sounds like a really specific number. Is that coming from
Joshua Gohman: It is, it's, it's about, about 4 percent of phishing attacks are successful. So that, that's where that number, and often we see phishing is kind of the, uh, uh, the leading edge of the cyber attacks.
I mean, I think with the last year, I mean, uh, Verizon's data breach, uh, investigation report showed that like 70 percent of breaches occur with a human element. That means a person did something right. So that, and that's generally phishing or something like that, uh, that triggered the attack.

Mike Vannoy: You know, the, the, the old saying, uh, why do bank robbers rob banks? Cause that's where the money is. Um, I think, I think maybe historically that's kind of where we maybe get this false perception that. I might be safe. I might be kind of, sort of safe as a small business. They're just going after the big companies where the real money is.
Say more, uh, be more specific if you could about, Hey, they're, they're, they're [00:04:00] spamming everywhere. They're, they're using, they're using technology and bots to, to hit every company and why is it that you could be small and be just as vulnerable?
In some cases, you're smaller, you're more vulnerable. You know, big companies, big budgets, they've seen their, peers be hit with cyber attacks and have robust security professionals like myself, you know, on staff defending the network all the time. smaller businesses, maybe just like, you know the kind of phishing attack against someone's grandmother.

Joshua Gohman: who's not as, not as savvy online. It's the same thing with a small business. They have, you know, less staff, they focus on their core business and oftentimes cybersecurity or IT is not, not that piece or not the core function of the business. And so. You know, those little things, those gaps in processes, the, maybe the lack of training, create those seams where phishing or [00:05:00] another type of cyber attack could take hold.
You know, I think with the small businesses, again, get back to phishing all the time, I think that's the one that, um, you know, really, uh, is the most common, most prevalent, uh, form of attack.

Mike Vannoy: So the first area that I wanted to, to dig in with you. is kind of the, I'll say the inside job, inside job is the wrong way to say it, but it's, it's, it comes from the inside without employers realizing. Of course, you could have a compromised employee doing nefarious things. I think that's not the most common use case.
It's probably pretty, pretty rare actually. Would you

Joshua Gohman: Yeah, that would say that would be, would be more rare. Um, you know, certainly, uh, though, and you know, as I mentioned, um, 70 percent of attacks have a human element. Well, that human element's not the attacker. They're talking about your, your staff, the people in your business. Again, that phishing email that, uh, is sent to an employee that says, Hey, your password [00:06:00] is about to expire.
Please click here. And it takes them to a page that looks just like the page that they sign into every day. And they put in their username and password. And, you know, I often say it's like you people think hackers are, uh, on these black screens, typing and, and, and trying to break, uh, you know, passwords or crack codes to get in where the most common, uh, attack avenue is really, they're just going to ask you for the key and you're going to give it to them.
I mean, if you think about it, that's what they're doing. They're asking you key to get in and you give

Mike Vannoy: I'm assuming most everybody on the, uh, on today's call and. in, in listening to this podcast or watching this show online, they know what phishing is, just just explain it for those who don't. But then I want to just go into some of the, let's talk about some of the use cases, because I think it's interesting.
You say 4 percent of people fall for these things or 4%, 4 percent are Yeah. I think most of us think we have a good eye for [00:07:00] this, but these guys are becoming increasingly sophisticated, right?

Joshua Gohman: Yeah, absolutely. Yeah. So phishing is just a form of social, what we call social engineering used to be called, you know, like the con artist, right? It's a con. It's just a con that happens through, uh, an email or, or some other text is another common, uh, avenue. And it's, um, an attack that centers on asking the user to do something.
Um, whether it's open an attachment, click a link. Um, you know, or take, take some action from an email or a text message. Um, again, a very common one is, um, asking them to reset their password or asking them to put in their password to the site. You know, that link is a link out of that email is a, um, Link to a page that's been crafted to look exactly like the login page.
If you use Google or Office 365 or another, Adobe or any of these Office products, um, their login pages will look exactly the same. [00:08:00] And the user doesn't know. They go like, Oh, I just gotta put in my username and password. And when you do that, you're literally giving them your username and password. Um, there is a smaller percentage of, you know, attacks that might have that attachment that has malicious software in it.
That basically, you know, the user clicks it and opens it and then it runs on their machine, um, and then gets access to their network. I think that's probably, um, less common for the type of attacks, especially what we're going to talk about today within the payroll sphere. Um, but certainly something to think about, you know, good end point, all the technical security stuff that you kind of mentioned up front, you know, that's one piece of it, but then kind of what we're talking about here, and it's really kind of the, the predecessor to all of that.
is the human firewall, right? Having, you know, you're, you talk about the staff internally to the company, having those people trained so that they can recognize those things, you know, and going back to that 4%, you know, that we talked about, I think that number is probably skewed a bit cause that's [00:09:00] across everybody, you know, and you're getting this big enterprises that train people, you know, routinely about, uh, phishing emails, right?
And we get our percentages down really Yeah. We conduct training at all the time
Yeah, I

Mike Vannoy: on how to deal with those things. Yeah.

Joshua Gohman: Yeah, I absolutely sent, sent fake phishing emails to everybody periodically to kind of keep it in and you know We've seen with within our company, um, you know, the percentages were, were higher. We're almost 10% Uh, until we addressed it with training and, uh, practical exercises, these phishing, uh, campaigns, and we drive our numbers down.
Now we're down below 4 percent now, but again, it shows the value of training the people, creating that human firewall with your staff, um, and you know, for what it's worth, pound for pound, dollar for dollar, that is the most affordable and effective method of cybersecurity you can start with, usually for a few dollars a year per person.
Um, you know, providing some training from a [00:10:00] third party vendor, um, that, you know, provides some canned training on how to recognize this stuff. What does business CMO compromise look like? What are the effects? How do you do it? How is it done? And bringing people up to speed. And just that alone has a significant impact on, on preventing these attacks.

Mike Vannoy: Do me a favor. I want to, I want to come back to talk about maybe some of the more sophisticated examples Sure. phishing, something I'm personally seeing. I, I, I see, uh, phishing attempts much more frequently over text than I ever used to. It used to be an email only thing. Yeah. And increasingly it's, it's, it's a text thing. Why, why is payroll so vulnerable? Because our experience would be, people are probably going to be extra, extra cautious. Like if you get an unsolicited email, Hey, give me your username and password to your bank account. You're like, Whoa, [00:11:00] Whoa, Whoa, a bank What's this about? My payroll system. What's this about?
You're already on the defensive. These guys aren't asking for access to your payroll system. They're asking for, for ways to end route in, right?

Joshua Gohman: Yeah, that's right. Um, yeah, most of these attacks that we see actually start with email. So they get, they get, access to the user's email, which, uh, really is like the gateway to your, your digital identity. Because from an email, I can reset all of your accounts, reset the password to your bank, to your, uh, payroll system, to whatever.
Uh, because it all tracks back. Um, maybe that's a vulnerability just in general with this. Because email is not a secure system, but um, it is just a factor in the world that we live in that we trust email, that a person, if they respond to that email, then they are uh, who they say they are. And so the attacks typically start there, um, from an email.
[00:12:00] And then, you know, you asked about why, why are we vulnerable to these attacks in payroll, right? Payroll is, um, You know, you may think of like big breaches like Sony or Target and you know, sure, hackers that are trying to make a name for themselves, you know, that's one way to do it. But they, even with that data, they have to take it and monetize it somehow, sell it on the dark web.
And that's a process, you know, payroll companies, even small businesses, 50, 70, 000. I mean, they're often biggest expense, biggest liability is payroll in a small business. And so that money is being moved. That's Between the small business, the payroll provider, and the bank. And there are some gaps that naturally occur in the ACH process.
It takes a few days for those transactions to clear, right? That we, you know, the payroll company debits money from the small business. And then we're paying, the payroll company is paying out to the employees for direct deposit. And that gap in between there, uh, creates a [00:13:00] place where Hackers can thrive, right?
They can inject themselves in between there, either asking, um, you know, by compromising an email and asking the payroll company to set up a 1099, right? It looks like it's coming from the right email. It's we're, we're, we've been talking to back and forth, you know, for the last couple of weeks, the last couple of months, you know, he's just asking me to set up this.
Uh, this 1099 and they want to pay it today. Uh, or by getting access to the payroll system and, you know, changing all of the employee bank accounts to a pay card that the hacker controls and then on payday, the money is moved to them. Um, you know, they exploit that gap in the ACH system. I think that's, that's obviously very easy to monetize.

Mike Vannoy: I want to go deeper on some of those examples. come back. So the first, the first point that we see most common is the hacker, whether it's Hey, can you send me, and it's a phone call, it's a text, it's an email. It's trying to get [00:14:00] you to give up the credentials to get access to your email. Cause once they have access to email, it wouldn't work with us.
We have two factor, multi factor authentication, email alone won't get it. You're going to need other forms of Mhm. Mhm. systems do this now. Um, but just think about everybody in your personal life, how many times. you got logins to everything. And so you got the login or you can't remember, it says forgot username, forgot password.
You have to get a login email. You got to provide one or the other, and then you just get it. And so all you need is access to, so you're not, you're not stopping the, that human being from even getting, from stopping getting their email. You could just be someone else on the account. And at 3am, well, so I've stolen Josh's, uh, uh, email credentials at 3am while he's sleeping.
I log into some account. I say forgot [00:15:00] username. It comes to me. I write it down. I delete it. Josh never knows it even came. Now both of us are receiving his emails. I'm using that information to log into other systems. And accessing those systems gives me information that I can use to log into other systems and it cascades.
And it's just, it's a, it's a path

Joshua Gohman: Yes.

Mike Vannoy: to the purpose of this call to payroll. Right.

Joshua Gohman: Yeah, absolutely. Yeah. Um,

Mike Vannoy: So let's look, before we go down the, like, I really want to talk about the specific, uh, ways in which the, the frauds happen from bank accounts between, cause you got Uh, you got between the business owner and the payroll processor, uh, bank accounts, you got from payroll processor to employees, you got from employees to all the people that they pay.
There's a, there's a few handoffs here, uh, where money moves in the ACH, the Omni Clearinghouse process through the, through our banking systems where these people try to insert themselves. So we'll go deeper in that [00:16:00] a second, but, but say more about what these phishing scams can look like.

Joshua Gohman: Yeah, absolutely. You know, again, I think they, they target systems that, you know, they know people use, right? So they know the vast majority of businesses say use Office 365, right? Or they use, or, or Google, um, but it's more common with Office 365, right? Office 365, the Microsoft suite has a very, uh, consistent login page, right?
It looks the same. Um, now you can do some things as an organization to kind of tweak that a little bit to make it harder or easier for a user to, to identify, but not everybody does that. And, you know, the attackers know that. And so they, you know, send an email, um, and it may just be, uh, it could be as something as simple as, Hey, we need, we need you to log in to keep your password today, or we need your IT department is, [00:17:00] um, you know, requests that you.
Uh, sign into this new application or, um, as a Dropbox invitation, like sign in with that. Um, and it's, it's generally trying to get a user to, to take an action. And usually that involves signing into an application to give them credentials. Um, and there's almost always the element of urgency, right? Because most people, if it's not urgent, like, hey, if the attacker asks, hey, in 15 days, You know, we're, uh, we're gonna, you know, you need to log in in the next 15 days to keep your password. People are going to forget about their email. I mean, people forget about legitimate emails like that, right? But if it's something, you know, it's always there's that element of urgency.
It needs to be done right now, or you're going to lose this, or you're going to miss out on something. Um, and, uh, and so it's trying to get the, the, the user to short circuit their, their decision making [00:18:00] process. They're looking at this email. Normally they'd be moving on to something else or filing that away for later.
But that actor, that sense of urgency. prompts them to do something right now. Um, and that's usually just, that's just an element that we see very common across all types of phishing attacks,

Mike Vannoy: Yeah. Yeah. Um, is it any different coming from texts? Like one of the things I think about texts, I'm increasingly getting these where it's, it's obviously somebody pretending to know who I am or they're like, or I'm seeing like, Hey, your number was in my contacts, but I don't know who this is, do I know you?
It,

Joshua Gohman: right?

Mike Vannoy: what? And I'm just assuming they're just trying to validate. They're just trying to bait me into some dialogue. Yeah.

Joshua Gohman: Yes.

Mike Vannoy: But that dialogue could be as simple as validating. Oh, yep. I actually do. I guessed. I sent that same thing to [00:19:00] five different phone numbers, trying to figure out which one is Mike's real phone number and he responds to it.
Oh, now I've got his phone number. Yeah. Yes. They're definitely trying to validate who they're sending data to. They're definitely trying to, to even sometimes it's just as simple as getting you to respond and they'll coax the data out of you. You know, like you said, I have this number, I don't know who it is. You know, you start providing them information.

Joshua Gohman: Yeah. You start having a conversation with them back and forth. They start coaxing more data out, uh, and then they get you in with whatever the hook is. And it could be a lot of different things. I mean, it could be click this link and you download something onto your phone. Um, you know, it could be, um, you know, a, a variety of different, different scams.
Mm

Mike Vannoy: so I would invite people to use your imagination and think about the use cases here. So they don't, maybe they, maybe I'm, maybe they, they found my name in LinkedIn. They don't know my email address cause I don't make it public. But they make bunch of guesses. They know the domain name of the company I'm at, at [00:20:00] Asure software.
com. So they maybe send an email to Mike at Asure M. Vannoy at Asure M. Vannoy Michael. Vannoy
Michael. Vannoy and just send it all the different permeations.

Joshua Gohman: That's right.

Mike Vannoy: maybe they don't, it's not a, maybe it's not even all that, uh, trying to get me to click on anything that would, would, would, raise a red flag.
Maybe they're just trying to get a response. And the one that I actually open or respond to, because maybe just simply opening that email, you know, it's an HTML email, they get some validation that the page loaded and, oh, now I know which one is him. And you can run a computer program to run that at scale to millions of people all at once on the other side of the globe.

Joshua Gohman: Yes. And that's exactly what they do. That's exactly it. And it's, you know, often it's really the same, um, some of the same technologies that are used by marketers and sales folks to, to generate ad campaigns. Essentially they [00:21:00] use, you know, malicious versions to run phishing campaigns.

Mike Vannoy: Yeah, yeah.

Joshua Gohman: It is the same automated tooling, the same kind of things.
You mentioned HTML emails with images to track whether you've opened it, the same kind of things that are used. In marketing are used by the fishers to, to, to kind of, to run these campaigns.

Mike Vannoy: Okay, so. You can see how this is not a big company thing. In fact, the big companies might be more protected. They have more dollars to throw at technology and training and awareness around these things. Small businesses who are more vulnerable because these bad actors can just do this electronically at scale.
It doesn't cost them any more to send to a million people than it did to send a one or two. So they don't who are they. You're just one of the millions of contacts that they're doing this to.

Joshua Gohman: Right. So,

Mike Vannoy: um, once they have, some information. Let's explore some of these use cases. Then tell me more about the 1099.
I don't know if everybody, if that one's self evident,

Joshua Gohman: Yeah. [00:22:00] So, So, that it's, it could be an employee too. I used to 1099 as an example, because I see, I do see that as the most common, but with that, that attack starts with. You know, the, the, uh, either the business owner or, you know, the, the office manager or the basically the contact that is communicating with the payroll provider, their email gets compromised.
And kind of, as you mentioned, they write some rules to direct traffic from people who they want to communicate with to other folders so that the legitimate user of the inbox doesn't actually see those communications. And so they can have whole communications with the payroll provider. about setting up a new contractor or employee.
Again, usually it's a contractor because the amount of paperwork is less. I need to pay this contractor. I need to pay this contractor 10, 15, 000, whatever it is. And I need to pay them today. Again, going back to that sense of urgency, every good phishing attack or, scam [00:23:00] has that sense of urgency to try to break down the decision making cycle of the victim.
Uh, in payroll, we know that it's a zero fault tolerant environment. Nobody wants to not get paid on payday. And so if the business owner is telling me this is the same email address, same person that I've been communicating with for years is asking me to set this up and they need it done right now. And I want to be a good customer service representative. I want to provide that service to them. I want to do it. I'm going to do it right now for them. And they're trying to get them out of that cycle. Uh, of going through a process of maybe getting a second approval or a second person to review this. Or, uh, what we do is we out of bands. We call that person that we have on record, their phone number, to verify that identity.
You know, but they're trying to get that, um, you know, they're trying to sidestep that too in some ways where it's like, oh, you need to talk to me? Here, let me call you. And so that we've even had instances where we've seen the fraudsters actually call in [00:24:00] and say, Hey, yeah. It's me. It's Joe. Down at Joe's Pizza.
Uh, you know, I, I need this 1099. It's really me. And, and, and you, and we set it up. And the point about the gaps in the ECH process is by the time the payment comes out of the bank, right, the fraudster's already left with the money. They've already got the money and it's very difficult to call that money back.
so they've already

Mike Vannoy: I will interject here. We are not going to disclose our, our, our means and methods for this fraud out. Um, the good reputable payroll companies have the high standards like we do. Um,
Um, but, but, but exactly, I just want to kind of restate the business case that you just laid out there, the, the use case.
So your email gets compromised. Um, you don't know your email has been compromised. Now they're getting passwords. They're logging into this, they're logging into that. They're seeing your email there. Oh, I see. I see they're an XYZ payroll provider company, right? It could be [00:25:00] Asure, could be ADP, could be Paychex, could be whomever, right?
So,
oh, The emails from, from them, I know which vendor to, to, to call now. So now they call that payroll company or they email that, uh, uh, company pretending to be you, and they're sending email, making it look like it's coming from you,

Joshua Gohman: Correct.

Mike Vannoy: right? So they can, might be on the phone. They might be sending emails saying, Hey, I totally forgot.
Just hired this new employee the other day. Payday is, is, uh, uh, Friday. I got to get this submitted today. Uh, can you help me get this employee added to, added to the roles? Yeah. They had 20 hours. They may not even ask for a lot of money here because they're doing this hundreds and thousands of So it accumulates to a lot of money for them, want to raise too big of a red flag.
Right.

Joshua Gohman: Yeah.

Mike Vannoy: And, and so they might be trying to hire a new employee, but like you say, now I got to provide social security numbers. I got W 4s. I got all this stuff. So easiest thing to do, [00:26:00] Hey, I'm I just need to, I had this contractor come in, they gotta finish the job. They said they're not gonna finish the job.
And if I don't pay 'em today, and I gotta get this done tomorrow, we're dying. I need to get these guys added right now. It's a very plausible story, this sense of urgency to add a payee 10-99 or W2 Right. to the payroll with sense of urgency. It's once they, once they have that information, it's not. not hacking the payroll system. It's hacking your email that opens that door.

Joshua Gohman: Yeah. Yes. And it's, and it's hacking people. It really it's, it's exploiting that kind of, um, you know, the propensity to want to deliver exceptional service, right? That that payroll person wants to be on time, wants to be, you know, They want to provide that service to that business. Right. Um, and, and so they're, you know, that sense of urgency kind of kicks in with that same [00:27:00] sense of service and wants to just, you know, sometimes it gets the better of us.
Um, you know, short circuits are better decision making process.

Mike Vannoy: Yeah. And again, we're not going to disclose our methods because we don't want the bad guys to know. Uh, but I'd say we're very good at that, but as a business owner, you need to be aware of what risk you're, you're, you're exposed to. Let's, let's pick another one. Let's pick the paycard example. Okay. how, how would a scammer assume they've done some phishing to get some credentials?
Um, if I have a pay card, so maybe this isn't, maybe this isn't the business owner or office manager slash payroll manager that's being hacked. Just an employee.

Joshua Gohman: Could be.
Yep. would love to have, and I'm on direct deposit and I'm not, I just want, all I want to do, Josh has changed the, From this routing number to this account number and routing [00:28:00] number to, to go on my pay card.

Mike Vannoy: Sounds harmless, right?

Joshua Gohman: Yeah. Yeah, that's exactly one scenario. Right. And you know, employees, uh, you know, also vulnerable. Um, you know, the same thing, they can, uh, they can be phished. Um, you know, another example could be the, the company admin. I certainly, the company admin or the, the, the business owner is a higher risk because of their elevated privileges within the payroll system.
Right. Then now the attacker could go in and change every employee. Um, you know, they actually log into the software, right? Because they reset the password or they phished the password directly and they just log into the payroll system and then change all of the account numbers. And usually they're pretty savvy enough to know, to be able to poke around the payroll system to know when payroll, when payday is, and they change it just close enough to payday that you're likely not going to go in and check again, right?
Because they don't want to change it, you know, a week and a half ahead of time where you might go in and make some changes. Uh, and see [00:29:00] things that are odd. Um, you know, they, they want to go in right before payday and they want to change, you know, as many employees, potentially all of them, uh, to that same pay card, or maybe it's two or three pay cards, but either way.
Um, and then they just sit back and wait and the normal payroll process takes its toll or takes its, uh, process. Um, and on payday, it's not until employees call and say, Hey, we didn't get paid today. Uh, does anybody even find out that, uh, there's been a fraud that happened?
Mike Vannoy: Yeah. And so the prior case setting up new employees, setting up, uh, 1099s to get paid, um, that requires admin privileges in trying to pull up, trying to get the payroll provider, uh, Duped the payroll providers to be part of the scam. What could happen here, and I want to, and I'm going to delay our conversation around the tech hack, where, the hacker actually is in payroll [00:30:00] systems doing

Joshua Gohman: Sure.

Mike Vannoy: Um, but if we stick to just the, the, an employee, you know, uh, The employee gets hacked. There's employee self service. I'm on my, my phone and I change, and I just want to change my own information. I'm going to change the bank account. So I'm going to, because you know, maybe half my, instead of all my money going to my checking account, I'm going to say 25 percent now goes into my savings account.
But the account is the bad guy, right? So take us through more detail you can on employees getting hacked versus admin. Versus like payroll admin or owner being hacked.

Joshua Gohman: Yeah, I mean, they really are Fundamentally, they're the same thing because the, the, the attack occurs in the same way. I think employees are probably to some degree a bit more vulnerable because they're, um, that may be less familiar that maybe they don't have, uh, the training. Um, you know, they're [00:31:00] lower down on the totem pole per se.
Um, and, uh, you know, or maybe they don't have good password hygiene. They're just, Oh, it's just my employee self service account. Who cares? You know, that old thing about I'm too small to be attacked. You know, I'm one person. How is the attacker going to go after me and not realizing that they're going after everybody? Um, And so, um, you know, again, I think it's, it does really actually fall into the same, um,

Mike Vannoy: does, but here's why I wanted to isolate the difference.

Joshua Gohman: Okay?

Mike Vannoy: All a hacker has to do is go into LinkedIn and, and find out, you know, the, the names of employees who work for the boss, right? If you're the boss and someone is pretending to be you connecting with your payroll company, you're really pretty reliant on your peril company, protecting your butt.
Right.

Joshua Gohman: Mm hmm.

Mike Vannoy: Um, and shame on you for getting hacked. But also shame on your provider if they allow that fraud to happen and don't have the safeguards like we

Joshua Gohman: Correct.

Mike Vannoy: [00:32:00] But, if your employee gets hacked, and you are completely unaware, because it's happening through a self service app, that your employee changed their account numbers for their direct deposit, you wouldn't have any idea until the money had left your account, went through the banking system, and is already in the hands of someone else.
Cause it would be your employee saying, Hey, I never got my full pay.
The money's gone at that point. Right.

Joshua Gohman: Yeah. Yeah. It definitely is gone. And it definitely, it's, it's, it's harder, um, to identify. Did, did the, did the employee really just change their own account number to some other account and then say they didn't get paid? Um, you know, because the logging in the system, they are logging in as the same user.
They're logging in as that employee. Uh, so those system logs would show that the employee logged in and did this change. You know, I think, you know, some of this is down to a people thing. You have to just, you know, know your people and, and, and, and kind of develop that situation to kind of understand what [00:33:00] the likelihood of that potential, um, issue is.

Mike Vannoy: Which just screams to the need for training of employees around.

Joshua Gohman: Yes, yes, absolutely. I mean, it's obvious when. You know, in a company admin gets hacked and they change all 20 employees to the same account. Like that's pretty obvious that it was a fraudster. You know, that's, that's not a common, um, you know, scenario in the payroll world. So, um, that one's certainly easier to identify.

Mike Vannoy: That's the same one who sends you the email that you just won a million dollars from a Nigerian Prince. Right.

Joshua Gohman: Yes. Yes.

Mike Vannoy: so sophisticated.

Joshua Gohman: Yeah, not really.

Mike Vannoy: But, but, but I, I bring this, this, that use case up of the employees, because if your employee gets hacked, they know it's not your fault, but they still don't have any money.
And you're the provider of their money. And

Joshua Gohman: Yeah.

Mike Vannoy: whether you feel obligated, whether you don't feel obligated, you're going to [00:34:00] find yourself in a difficult situation that have to front them some pay? I mean, what if they're living paycheck to paycheck? I mean. I mean, it's still a terrible situation.
Highly, highly, highly encouraged training. Okay. Um, we talked about the 1099 or employees adding fake ones. Um, we talked about, uh, pay cards and I guess it doesn't have to be a pay card. It could just be a bank account, right? could Yeah. you're going to route money to a pay card the same way you're going to route money to a savings account versus a checking account versus a whatever.

Joshua Gohman: Yeah. Yeah.

Mike Vannoy: What about, I mean, the, the doozy would be the bank account of the employer, right? And if a hacker is getting access, so now let's maybe move to, they've successfully gotten into your software. They're not talking to your payroll providers, customer support people. They're in your software, [00:35:00] in as you.
What damage can they do?

Joshua Gohman: The, the big, the bigger, uh, impact they can, I mean, obviously they could access personal information from all of your employees. I don't want to discount that. I know we're talking a lot about the money. Um, it, there is still impact or potential impact of them accessing the personal information, uh, of your employees and that should not be underestimated.
But I think the biggest risk is them. Generally changing the employee's bank accounts. Um, and the reason I say that is because within a payroll system, the only access to the business account is to debit. To debit the money out for payroll. If they were to change that account, then that would just not, you just wouldn't debt, we wouldn't be able to, the payroll provider wouldn't be able to debit money for the payroll.
The company would just NSF. They wouldn't really necessarily be able to get access to the company's bank accounts or, or the money in the company's bank account, [00:36:00] um, uh, directly from the payroll system. Um, again, the only way that they do that is by running payroll. And so that comes down to the scenarios that we talked about.
Uh, creating 1099s, creating false

Mike Vannoy: It would be on the it would be on the backend where perhaps changing the bank accounts for, so instead of just one employee at a time, one vendor at a 1099, uh, vendor at a now all, now I've changed the same account number, same routing number for all 20 of my employees and or the entire gross payroll, boom, in that fraudster's account,

Joshua Gohman: correct. Yeah. And that's, that's generally the way that they get at, I mean, again, if you think about it, the actual target is the company's bank account, but the way they get at it. is through your employees or setting up 1099s and by running payrolls and then using that normal debiting process to debit the money out of that, [00:37:00] uh, that account.

Mike Vannoy: Yeah. All right. I want to, I want to make tech stack last. I'm looking at the clock here. Uh, so, so I think we started appropriately internal staff.
most vulnerable place is internal folks. It's, and it's almost always going to start with an email hack, whether it's you as an owner, it's an office manager, the payroll manager, whoever the administrator of the payroll function
is, and then the ability to steal and hack one, employee at a time, your employees are vulnerable, right?
So not that they're less vulnerable. There's just less to steal on a per employee basis. So, right, right,

Joshua Gohman: Yeah. To make it effective, to make it scalable, they try to, you know, they want to attack as many as possible.

Mike Vannoy: right, right. Um, okay. So now let's move to outside of internal staff. Let's talk about non staff. I mean, [00:38:00] I think, I think this is something that, I mean, if you ever watched the old movie, Wall Street, it's the guy, uh, the Wall Street trader, he gets a job as in the janitorial, uh, industry, so he can go clean office buildings and see what's on the desks of high, high officials, right?

Joshua Gohman: Right, right, right, right. Yeah, I think that's, again, that's another area, you know, that companies can be very vulnerable. How are you vetting those external partners? They, and sometimes, you mentioned the cleaning crew and that's a perfect example because people often overlook the cleaning crew.
And, you know, do you, when you hire new employees or, you know, bank statements or anything else, you leave it out on top of your desk because it's like, right. Who has access to this? I lock up at the end of the night and go home. Well, the cleaning crew that comes in after hours has access to everything that's not locked up inside of a filing cabinet, or your desk.
If you're leaving it out, they potentially have access to [00:39:00] those, to those files and that, that information. And so it's, how are you vetting It just simple as asking the, the company that you use, do they do background checks on their people, right? How do they, you know, do they have insurance, you know, in the event of a theft or fraud that comes back to them, do they have insurance in some way?
You know, again, that doesn't completely protect you, but it does, um, you know, offset the risk in some way. Um, so it's, and that extends beyond cleaning crews. And we use that as an example, but payroll providers, IT, if you use an outsourced IT provider, you know, don't take their word on things that they're doing.
Ask questions. You know, how are they? What security protocols do they have in place? Do they background check their people? Do they have, uh, insurance? Um, you know, what experience do they have in security? If you're relying on them for your security services and to protect your, the technical stuff that we'll talk about in a minute, you know, don't just assume they're doing it, [00:40:00] um, because they may not be.

Mike Vannoy: think about all of the non employees that come into your work environment. Cleaning crews, delivery people, repair people, um, people that can come in digitally, uh, support folks. Hey, let me just, let me just, could you do a screen share with me? I don't understand the problem you're describing. share your screen with me so I can, right?
I mean,

Joshua Gohman: exactly.

Mike Vannoy: there's a lot of ways for, for folks to get access inside the building that you might not think of.

Joshua Gohman: Yeah. Yeah. The, uh, another one is the landlord. If you lease a space within an office building, Oftentimes the landlord, the building management staff will have, um, you know, access to your, the office spaces, uh, you know, cause they may provide some maintenance services or whatever. So they may have key cards or access to the building.
And again, it's, you know, you may obviously be stuck in a lease at this [00:41:00] point or, but when you're evaluating those vendors, how you checking, how do they vet their people? How did, what security practices do they have in place?

Mike Vannoy: All right, so just. It might sound obvious, but so employees, uh, employees that get their email hacked, that's the, the, the number one place that talked about a handful of the ways that they exploit that information,

Joshua Gohman: Yeah.

Mike Vannoy: uh, number, I think the number two most common is it's, it's not technical, technical security technology.
It's physical security. It's, it's, and just help me make sure we cover them all. It's locked doors.
It's locked file cabinets. It's not storing any PII, personal identity information or sensitive information, certainly no bank information on top of desks. But what other, what other precautions should the owners be insisting upon in their work environment?

Joshua Gohman: I mean, I think certainly also like, you know, a security security system monitoring, [00:42:00] um, you know, you know, alarm system if it, uh, you know, if it goes off, is it 24 hour monitor? Do they, do they alert you in the event that it is, uh, that the alarm goes off? Uh, that's certainly, um, helpful. And, you know, the other thing too, I would, I would say is that it's important to assess the risk for every business, not every business is going to be the same, you know, so a CPA firm that has tons of digital and paper records that are, you know, very sensitive is maybe different than the auto repair shop that may have infant, uh, invoices, repair bills, and different things in their office.
And so it's definitely assessing the risk. And that's both physical and cyber. They play hand in hand here. So it's assessing the risk of what you have. Um, but I'd also say on that note, don't underestimate your risk. I find oftentimes people are like, Oh, it's not that big a deal. It's [00:43:00] not that much of a risk.
Well, you might be underplaying it a little bit, but, um, but also, you know, just don't spend a hundred dollars to protect a 10 bill.

Mike Vannoy: Something we, you and I didn't talk about before. I want your opinion on a minute. I think I know what the answers will be, but I think a lot of ways that folks get themselves in trouble is just record retention, right? So.

Joshua Gohman: Yeah,

Mike Vannoy: uh, Hey, new employee. Here's your, here's your, here's your forms. A lot of people still work in paper forms for onboarding.
Uh, many times we'll even get a copy of a voided check so I can set up your direct deposit for you. Um, but there's no need to actually keep and store that information, but yet they're sitting in file cabinets could be years old of, of employees information. Well, what's your guidance for folks around just record retention, record keeping in storage?
Cause it might be [00:44:00] smart to lock the file cabinet, but it might be even smarter to not to have the need for a file cabinet.

Joshua Gohman: That's right. Yeah, you bring up a great point. Don't keep anything longer than absolutely it, right? And you know, I can't tell every business what, how long they need to keep, you know, certain records. I mean, certain things you can speak in some generalities within the HR, like for example, like wage and hour disputes, the, the, uh, statute of limitations is three years.
So keeping records beyond three years in, in, to support a claim like that. Um, isn't really necessary. And the more data you have is the more, is a more liability. Um, whether it gets lost or stolen or whatever. Um, if you have it, it's your responsibility. If you don't have it, then it's not your responsibility.

Mike Vannoy: And so you can buy a little stamp and you can redact the sensitive pieces of nation or you simply don't keep it. [00:45:00] Like I I've talked to business. I've seen it firsthand business owners. got a copy of a voided check as part of the onboarding kit and years later they get employees that don't even work there anymore and there's their checking account

Joshua Gohman: Right.

Mike Vannoy: bank account and routing number right there.

Joshua Gohman: It's a risk. Absolutely.

Mike Vannoy: and there's just, and that should have been thrown, not thrown away, it should have been destroyed

Joshua Gohman: Correct.

Mike Vannoy: immediately after it was keyed into the payroll system because the employer had no need for that information the moment that that was entered into the system.

Joshua Gohman: That's exactly right. It goes back to looking at each piece of information and saying, how long do I really need? What's the purpose of this? And how long do I really need it? I need that voided check to the where I input the data into the payroll system. That is the extent of what I need that for.

Mike Vannoy: Josh, I want to, a couple more topics that I want to talk about. I certainly want you to give guidance around tech stack and we'll make that our last topic, uh, you know, [00:46:00] what should be, what should people be putting in for, uh, hardware and software to protect themselves and their companies, their employees, but just maybe first, another area of vulnerability is what we in the payroll business, we would call, uh, exceptions.

Joshua Gohman: Yeah.

Mike Vannoy: it's the short term employee. It's the one off paycheck. It's a bonus check, you know, maybe rattle off the most common ones. And why do those create vulnerabilities? What should people do in those situations?

Joshua Gohman: Yeah. Yeah. This is the third leg of the, kind of what I call the tripod of security, right? You have people, processes, and technology. And we talked about people, um, Um, we're gonna, now we're talking, this is processes, and in a second we'll talk about technology. And of those three, I think people in process are the biggest, and technology actually for most people is the smaller of the three.
Right? And so processes. So thinking about, um, how you handle exceptions. So something that's [00:47:00] out of cycle. So we talked about setting up that 1099, right? Um, you know, business, you know, Jim from Jim's Pizza doesn't, has never set up a 1099. Right. Then I don't have contractors in my business and the business is asked the business, right, allegedly through this email is asking the payroll provider to set up a 1099 that by definition is an exception.
And so having talked to your payroll provider before it happens about how do you handle exceptions? This is what I want you to do. If a request ever comes through, that's out of the ordinary or just ask them, you don't even have to have that solution. Just ask them what they do. When they get an out of cycle or out of, um, out of the norm request, whether it's run an extra payroll, run a bonus pay, run a payroll for this 1099, right?
What is their exception process? Do they step out of that single user and ask for, get, get someone else to take a look at it? Do they get an approval? [00:48:00] Do they have a process? for handling that exception. Have they thought about what it is? That also goes back to what we just spoke about, about vetting your third party vendors, right?
Talking to them and asking them how they handle different security incidents or events. Well, exceptions is one of them. You're relying on the payroll provider to handle these processes for you. And so you need to understand between you and them, how these exceptions and these out of cycle processes happen and how The approval is, you know, maybe it's a phone call, you know, maybe it's, um, you know, uh, talked with third party.
Maybe there's a business partner, right? That, that it's like, you know, look for, if you get something for me, that's suspicious, call my business partner, right? Here's his phone number, keep his number. And that is some way that they, and that could be something that you want to set up with your payroll provider.
They may also have their processes internally, which if You got all the big ones that you mentioned before, they all have processes like this, and certainly we do too, for [00:49:00] handling and vetting potential frauds. But it's important to know and have a plan up front, so you're not guessing when it happens.

Mike Vannoy: Joshua, assuming, uh, most people, most people watching this show, uh, either use one of the Big providers like us or, or is there a CPA? There's a, there's a minority probably that are using, uh, small, maybe regional kind of unknown providers. There's Sure. Sure. beyond the provider, what kind of process risks does the employer themselves have?

Joshua Gohman: So, you know, there's, there's always the, the single point of failure risk. So you have one person. Um, you have that office manager that's been with you for 30 years and they do everything. They know everything. They know all the processes. They know everything. And, uh, there's obviously a risk that they could [00:50:00] retire, right?
Everybody's theoretically going to retire somewhere. They could win the lottery. They could whatever, right? They could get ill for an extended period of time, which is not even, you know, And then now What do you do? Like, who picks up the process for that person? Because they literally knew everything. So, part of, you know, maybe, how do you deal with exceptions would be, is the process documented?
Could someone else pick it up if, you know, Joe or Sally or whoever takes a sick day or extended sick day, right? So having that process documented, even just writing it down. Makes the process more robust because now it's, it's, it's documented. There's an actual process. We know it's not just in somebody's head.
Uh, so if, if there is an exception, it's written down and you know what to do.

Mike Vannoy: Yeah. Great. Let's maybe spend our last few minutes on, uh, is there anything else on process you want to talk about before we jump to last topic of technology?

Joshua Gohman: No, I think, I think that [00:51:00] largely covers it. The big ones are we got to.

Mike Vannoy: Yeah. Um, reiterate, the biggest is people. People, process, technology, people is the, that's the most vulnerable, biggest area, most common, uh, uh, fraud attempts that we see in the, in the business. But let's, let's talk about tech.

Joshua Gohman: sure.

Mike Vannoy: Cause the people, the tech frequently go hand in hand, getting you to click on something, maybe I'm not asking for you to enter username and password credentials into a fake website, but I could be putting some malware on your machine that is doing the work for me.
Right.

Joshua Gohman: Absolutely. Certainly. You know, and, uh, you know, so that gets into, you know, what security systems do you have in place on, on the individual workstations? You know, it goes back to, you know, antivirus or what we call modern technology, endpoint detection and response, which is just a more advanced, uh, antivirus type software, something that can [00:52:00] detect that malicious software that's running, uh, and ideally stop it in its tracks before it ever runs.
quarantines you and then quarantines it and then notifies somebody that, um, you know, that this is there and needs to be cleaned up. Um, you know, I think that's probably the, you know, what people think of very often. Uh, you know, certainly the next one would be firewalls. If you have a network within your office, you know, having even a, a modern, Small business, uh, or a lightweight enterprise router, you know, they're not terribly expensive, um, you know, that can protect against those network attacks, um, from outside.
And then, as we, many businesses, I mean, most organizations now are moving everything to the cloud, even if you don't think of it as moving it to the cloud, it is. So like Office 365 we talked about, you know, gone are the days where people are hosting servers in their closets. You know, the exchange email server in a closet here, um, you know, there, it's, it's in the cloud.
It's [00:53:00] Office 365 is being hosted for you. And then do you have controls within Office 365 turned on? Sometimes there's free, uh, you know, security settings that can be turned on. Sometimes they cost a little bit of money. Just kind of have to look at it, but maybe things like link detection. Right? Link verification.
So that, that link that gets put into the email that, uh, the, the user wants, or the hacker wants the user to click on does when the user click on it, does, you know, Outlook or Office 365 scan that link to say, Hey, it's a warning, this is bad, you know, it stops it in its tracks. Just like the antivirus stopped it on the, on the workstation link verification, link detection can, can do that, um, you know, right out of an email.
Um, we talked a little bit about it in training people, you know, that there are tools within Office 365, uh, you know, to, to, to send phishing emails, uh, to test people. Um, you know, from there, [00:54:00] uh, you know, for the average small business, if you don't have an internal, uh, IT, um, you know, person, considering, you know, having an outsourced IT provider that can come in and even if it's just on a part time consulting basis to help get some things set up, um, security around the email system, security around the endpoint, um, you know, the user's workstation, uh, and then any, um, locations where you have files, uh, and data, um, you know, having tools around that to make sure that, uh, that data is not being, uh, exfiltrated.

Mike Vannoy: Yeah. Right. Right. And you know, I mentioned it earlier, it goes without saying, whomever you choose to do payroll with, whether logging into QuickBooks or you're logging into Asure, uh, make sure that you have multi factor authentication. Can you to modern, what, what for folks who don't know what, what is, uh, multi factor [00:55:00] authentication and why is that so important?
Cause it kind of goes back to the top of the conversation around email hacking.

Joshua Gohman: sure. Yeah, so multi factor authentication is an additional step that a user has to go through during the login process. So we are all familiar with putting in our username and then entering our password and then getting into a system. Multi factor authentication or MFA is just adding an additional step.
It's sending a code to your cell phone. It's using a soft token app that generates a code on the app. It's sometimes getting a prompt through a push notification on your phone. It's basically that, um, out of band, uh, third step to the authentication process. Could also be, um, uh, you know, we see on our phones now Face ID, Fingerprint.
Uh, those are all forms of multi factor authentication. In fact, more and more, we're moving, um, the industry's moving away [00:56:00] from passwords and just going straight to that third step. Cause if the password is the weak link, uh, just skip that and go right to the, the, the real security step, which is that MFA factor.
But, you know, you mentioned MFA, we kind of hit on it in the beginning. I'm gonna hit it again here. Cause I think it's that important. Email, email, email, all of your email accounts, personal email, business email, et cetera. All should have MFA turned on because if a hacker can get in to that account, they can, um, get access to all of the other much more important, much more sensitive accounts that you may own.

Mike Vannoy: right, right. And I mean, almost all this stuff. happens digitally. But if you've got a, if you have a serious criminal that has a potential score of a lot of money, they might be all digital getting access to everything except for perhaps your cell phone, uh, [00:57:00] they need that cell phone to get the multi factor authentication.
I mean, the final knockout punch could be a physical crime, right? that you might not even be aware is related, Right. You get, You get, could be an assault. I don't want to be overly dramatic here. It could be a pickpocket,

Joshua Gohman: Could be.

Mike Vannoy: But, uh, uh, these guys are always one step, they're not, they're never one step ahead of Josh, but they're one and
two and three and five steps ahead of most of the rest of us, right?
They
get, and they're getting better at it every single day.

Joshua Gohman: Yeah. Definitely. I mean, yeah. The, uh, yeah. You know, it goes without saying, if you do have a cell phone, you know, most everybody does, you know, have a pin on it, have a password, um, you know, avoid the patterns or other kind of weaker, um, authentication measures, you know, face ID, fingerprint, those are all excellent, um, methods of securing your device.
If someone does gain physical access [00:58:00] to the device, it makes it very difficult, um, you know, to get into it. I guess, probably should go without saying. The timeout that you have, you know, some people will like to push that time out as long as possible. 30 minutes, you know, you kind of defeat the point of having the passcode on your phone.
If it's, you know, you have the time out at 30 minutes or whatever, but I also try to find something in the middle that's a little bit, um, less likely, uh, you know, to, to, um, create that gap in security.

Mike Vannoy: Josh, anything you would want to say in closing here?

Joshua Gohman: Yeah. I think I just want to reiterate what we started with. Nobody is too small to be hacked. You know, if you're not thinking about how systems will fail, the attackers already have figured out how it's going to fail. So it's, whether it's a gap in process or training and people thinking about how something will break is more important than thinking about how it goes, right?

Mike Vannoy: Yeah. Yeah. Well, well said. And [00:59:00] what I started with, I think we always, we, we naturally think cyber security.

Joshua Gohman: Yes,

Mike Vannoy: We think, Oh, this is tech. And then of course, won't trust the stranger walking, uh, in the building. And who's that person in the cleaning crew? I don't know them. It's, it's our own staff and it's us that are most vulnerable as business owners and managers of companies.
and the hack starts with phishing and email. And you're none the wiser. They're not, they're not, they're not hacking into the, the big payroll providers. They're not hacking into our systems and our data centers at, at Amazon, right? exactly right. they're hacking your email and that opens up Andorra's box.

Joshua Gohman: That's right.

Mike Vannoy: Josh, enjoyed our conversation. Thank you.

Joshua Gohman: Yeah. Fantastic. Thank you.

Mike Vannoy: And thanks to everybody for joining. If you got value from this conversation, if you liked it, I invite you to comment, share, and hopefully [01:00:00] subscribe. on YouTube or your podcast platform of choice until next week. Thanks again, Josh.

Outro: That's it for this episode of Mission to Grow. Thanks for joining us today. For show notes and more episodes, visit us at missiontogrow.com. If you found this content valuable, I invite you to share it with a friend and subscribe to the show. If you really want to help, I'd love it if you left a five star review on Apple Podcasts, YouTube, or wherever you listen.
Mission to Grow is sponsored by Asure. Asure helps more than 100, 000 businesses get access to capital, stay compliant, and develop the talent they need to grow. To learn more about how Asure can help your business grow, visit AsureSoftware.com. Until next time.

Creators and Guests

Mike Vannoy
Host
Mike Vannoy
Mike is a digital-first marketing executive with 25 years dedicated to helping HR companies thrive. As a board member of an AI software company and Chief Marketing Officer at Asure, he's been at the forefront of AI, HR compliance trends, and the changing demographics that shape today's marketplace. Under his leadership at Sales Engine Media, the company predominantly focused on the payroll, HR, and benefits industries, earning multiple spots on the Inc5000 list. Actively involved in multiple small businesses, Mike is a lifelong entrepreneur adept at navigating the changing workforce dynamics. He has held multiple executive roles at industry-leading HR firms, showcasing his expertise and leadership in the sector.
Top 5 Things Businesses Need to Know About Payroll Security - Mission to Grow: A Small Business Guide to Cash, Compliance, and the War for Talent - Episode #108
Broadcast by