Over the past year, the FBI, the IRS and numerous security analysts have warned of a marked rise in cyber attacks targeting human resources professionals. Given the type of information under HR’s control, it’s a wonder that such attacks are only a fairly recent phenomenon.
In most organizations, HR staffers have access to a wide range of sensitive personal and professional information about employees. This includes Social Security numbers, wage and tax records, bank account numbers, healthcare data, insurance forms, background checks, and personal contact information. From a hacker’s perspective, HR truly holds the keys to the kingdom.
One way that organizations can improve the privacy of this sensitive information is by reducing their dependency on paper-based processes. With an internal online portal, HR organizations can leverage layers of security measures such as anti-malware, password managers, access controls, encryption and more.
Payroll, Tax Data Targeted
Such precautions have become essential due to increasing threats. Verizon's 2018 Data Breach Investigations Report (DBIR) revealed a roughly 180 percent increase in attacks targeting HR departments. In most cases, criminals are seeking employees’ W-2 information in an effort to get wage and tax data they can use to commit tax fraud and divert tax rebates.
In December 2018, the IRS warned businesses of the growing wave of phishing attacks designed to steal W-2 information. IRS officials said identity thieves use stolen Employer Identification Numbers (EINs) to create fake W-2 forms to be filed with fraudulent tax returns. Fraudsters also used EINs to open new lines of credit or obtain credit cards.
A few months earlier, the FBI warned of an uptick in attacks targeting online payroll accounts. Using phishing emails, criminals persuade employees to “confirm” login credentials. Once they gain access to the account, fraudsters typically redirect payroll deposits to a prepaid card and change account settings to prevent the employee from receiving alerts regarding these changes.
More recently, security analysts have identified a rise in a similar type of attack designed to trick HR staffers into making payroll account changes. It is a new variation of business email compromise (BEC) fraud, in which crooks utilize spoofed email to assume the identity of company executives. In this type of scam, the fraudster poses as an employee in an attempt to persuade HR to change the routing information used for direct deposits.
One reason these scams work is that so much employee information is stored on paper. In one recent survey, 65 percent of organizations reported that their HR information is still managed using paper documents stored in filing cabinets. Because that information typically isn’t readily available, employees frequently call or email HR staff to request sensitive information. Given the volume of such requests, it isn’t hard for a spoofed email or phishing scam to go undetected.
Leveraging the Security Infrastructure
HR portals help diminish this threat by digitizing sensitive data and providing self-service tools that reduce the need for phone and email requests. In addition, data, documents and forms stored within the portal gain the protection of the organization’s overall IT security infrastructure.
HR portals can also leverage advanced access control features and password management tools to help ensure that employees, managers and contractors can only see the information they are allowed to see. An administrator can establish file and page permissions based on job title, department, geographic location or other factors from the portal’s management dashboard.
Another benefit of the management dashboard is the ability to quickly and easily disable network, email and account access when employees leave the organization. According to one study, perhaps 20 percent of data breaches are perpetrated by ex-employees.
Given the value of the information HR organizations handle, they can expect to see increasingly frequent and sophisticated attacks. To deal with these threats, HR professionals must adhere to security best practices and continually engage in employee education efforts. Shifting from paper-based processes to an HR portal will give them access to the very best security tools available.
Written and composed by Lyndsay Soprano, Director of Marketing