Avoid common data scams with increased security features, protocols and training.
The IRS and the FBI report that there has been a 60% uptick in email phishing scams aimed at employers this tax season. Specifically payroll systems are a particularly attractive target for thieves trying to steal money or tax data. Official looking emails arrive in inboxes with links to malware
These email scams typically have links meant to have three general types:
1) Emails spoofing a company executive send to HR or Payroll personnel during year end and/or tax season
2) Email sent to Employees or to the company appearing to be official IRS correspondence
3) Emails sent to Employee appearing to be from payroll vendors.
A recent alert from The FBI Internet Crime Complaint Center (IC3) recently noted the new email scam, with emails appearing to be from payroll vendors. The FBI recommends that employers advise their employees to be on the lookout for e-mails requesting the employees update or confirm their payroll system login information and password using a link to what looks like the payroll system's website.
The link is actually to a spoofed site run by scammers. When the employee adds their information to the site, the thieves use the employees' login information and passwords to divert the employee's paycheck to a different bank account. This email scam is different because the the email looks legitimate and does not contain the grammatical errors commonly seen in some of the other phishing email scams.
Ways to protect employee and payroll data
Data security is a high priority for most businesses. No company is immune as seen by the increase of high profile data breaches that have occurred in recent years. But protecting business data is complicated. Putting in security protocols and anti virus and malware detection is important. But equally or not more important is to communicate and train employees about scams and general email security. The IRS notes, "The most common way for cybercriminals to steal money, bank account information, passwords, credit card or Social Security numbers is to simply ask for them." So it is critical that employee training and communication be a core piece of your security protocols.
Some best practices to avoid phishing email breaches include:
- Assign a company representative to routinely monitor the IRS and FBI websites for scams
- Make a policy to communicate regularly with employees
- Encourage employees to scrutinize email communications
- Avoid clicking hyperlinks and attachments
- Watch for emails that have grammatical mistakes
- Ask employees to escalate potential risky messages to a centralized person or department.
- Implement security software to protect against malware and viruses found in phishing emails.
OnePoint Login Security Features:
Since many email phishing scams target employee login and password data, having login security features built into your HCM platform adds an extra layer of protection to against unauthorized access to employee and payroll data. OnePoint offers a high standard of security measures login protocols for clients to safeguard their workforce data including:
Strong Password Requirement
Experts recommend the use of a passphrase, instead of a password, using a mix of letters, numbers and special characters. OnePoint requires user passwords to be a minimum of 8 Alphanumeric characters, with at least one uppercase letter, at least one number, at least one special character.
Multi-factor authentication or 2 Factor Authentication (2FA)
This security feature pairs the user login and password with a trusted secondary device that is linked to the account, usually a mobile device. This login level security feature means that even if a user login and password is stolen, the thieves do not have the mobile device connected to the account to complete the login process.
Text code:
The system login is paired with a code that is texted to a secondary device or system like text message or email.
Google Authenticator:
This 2 factor authentication app can be downloaded to a mobile device then linked to the user account. After logging into OnePoint the user is prompted to enter a code provided through the google authenticator app.
Biometric (Face/Fingerprint) Login
Biometric technology has become the standard for verifying an employee’s identity in the workplace. The rise of mobile enabled platforms provide new opportunities to leverage device security with login to other systems. The OnePoint platform allows for both fingerprint recognition and facial recognition for user logging from a mobile device. This biometric authentication pairs the login and password with the biometric security on a trusted mobile device.
Industry-standard password hashing algorithms
The database does not store secure passwords in clear text.
IP address restriction capabilities
IP addresses of trusted devices can be stored. If a login is attempted from a IP address of an unknown device, an authentication process is triggered.
Multi-faceted security profiles
Using role-based functional and data access rights for supervisors and employees limits access that any one individual has to others or groups of employee users.
Contact OnePoint or your service representative to learn more about our security features and enable one of our multi-factor security protocols for added data protection.
Additional Data Security Best Practices:
Employees Are Key to Curbing Data-Breach Risks, SHRM Online, November 2018
6 Ways HR Can Help Prevent a Data Breach, SHRM Online, March 2018