Expert insights on payroll data and tax scams by 2025
As scams become more common, it is important for companies to protect sensitive data and stay compliant with regulations to better secure their payroll processes and reduce risks. Steinhauer said that cybercriminals use more sophisticated tools, such as artificial intelligence (AI), to carry out complex phishing and identity theft scams targeting business communication and payroll systems. Despite these advancements, basic security measures like multi-factor authentication remain crucial in preventing such attacks.
Vulnerabilities for payroll during tax season
Steinhauer explained that payroll departments are particularly vulnerable to scams and phishing attacks due to their involvement in money transfers and changes to employee accounting information. He noted that during the tax season, the volume of communications with employees increases, making it easier for attackers to exploit this busy period.
“[Payroll professionals] may be dealing with a lot of communications with employees during tax time if employees have questions or are asking for copies of documents or Forms W-2…or even updating…their W-4s,” Steinhauer started. He added that cybercriminals exploit the busy payroll and tax season by inserting themselves into the communication flow, taking advantage of the heightened activity and exchange of information during this period.
Techniques used by cybercriminals
Some common tactics include phishing emails and impostor emails, where attackers pose as employees or vendors to request changes to deposit information or sensitive data. Steinhauer stressed that business email compromise (BEC) is also a significant threat, where attackers use compromised email accounts or create look-alike email addresses to insert fraudulent requests into legitimate email threads.
“So, [these] types of scams are very dangerous because they’re exploiting the trust that’s built into somebody’s contact on email, which is a super common way of communicating, obviously in today’s business world,” he noted.
Steinhauer added that although this can be difficult to detect, implementing out-of-band confirmation processes and training employees to recognize suspicious emails can help mitigate the risk.
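The out-of-band confirmation process mentioned above can be made explicit in code. The following is an added example, not code from the original article or from Steinhauer: it models a direct-deposit change request with a hypothetical `DepositChangeRequest` record and a `decide` policy function that refuses any change originating from email and requires at least one verification over a channel the request did not arrive on, using contact details payroll already holds rather than details supplied in the request. All names, channels and sample values are assumptions constructed for the example.

```python
"""Out-of-band confirmation policy for payroll direct-deposit changes (added example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Channel(Enum):
    """Channels a request or a verification can arrive through (hypothetical)."""
    EMAIL = "email"                    # unauthenticated; easily spoofed or compromised
    PORTAL = "portal"                  # authenticated HR self-service, assumed to require MFA
    PHONE_CALLBACK = "phone_callback"  # payroll calls the number already on file
    IN_PERSON = "in_person"            # employee shows ID to payroll staff


# Verifications that count as out of band: they do not travel over the channel
# the request arrived on and rely on contact details payroll already holds.
OUT_OF_BAND = {Channel.PHONE_CALLBACK, Channel.IN_PERSON}


@dataclass
class DepositChangeRequest:
    employee_id: str
    new_account_last4: str
    origin: Channel
    # Contact details supplied inside the request itself. An attacker controls
    # these, so they must never be used to perform the verification.
    supplied_phone: Optional[str] = None
    # Verifications completed so far, as (channel, detail) pairs.
    verifications: List[Tuple[Channel, str]] = field(default_factory=list)


def record_callback(req: DepositChangeRequest, number_dialed: str, number_on_file: str) -> bool:
    """Log a phone callback. It only counts when payroll dialed the number on
    file, not a number that arrived with the request."""
    if number_dialed != number_on_file:
        return False
    req.verifications.append((Channel.PHONE_CALLBACK, number_dialed))
    return True


def record_in_person(req: DepositChangeRequest, id_checked_by: str) -> None:
    """Log an in-person ID check performed by a named payroll staff member."""
    req.verifications.append((Channel.IN_PERSON, id_checked_by))


def decide(req: DepositChangeRequest) -> Tuple[bool, str]:
    """Apply the approval policy: email can never originate a change, and any
    other request needs at least one out-of-band verification on record."""
    if req.origin == Channel.EMAIL:
        return False, "email cannot originate a deposit change; direct the employee to the portal"
    oob = [v for v in req.verifications if v[0] in OUT_OF_BAND]
    if not oob:
        return False, "no out-of-band verification recorded"
    return True, f"approved after {oob[0][0].value} verification"


if __name__ == "__main__":
    # Constructed walk-through: an emailed request is refused outright.
    emailed = DepositChangeRequest("E1001", "4321", Channel.EMAIL, supplied_phone="555-0199")
    print(decide(emailed))

    # A portal request is held until payroll calls the number on file.
    portal = DepositChangeRequest("E1001", "4321", Channel.PORTAL, supplied_phone="555-0199")
    print(decide(portal))
    # Calling the number in the request does not count...
    print(record_callback(portal, portal.supplied_phone, number_on_file="555-0100"))
    # ...calling the number on file does.
    print(record_callback(portal, "555-0100", number_on_file="555-0100"))
    print(decide(portal))
```

The design point is that the verification step never consumes data from the request being verified: the callback number and the identity document both come from records that predate the request, which is what makes the confirmation out of band.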
Other methods include SMS phishing (smishing) and spear phishing, targeting payroll personnel with text messages or highly targeted emails to reroute money or disclose sensitive information. Additionally, attackers are using AI to enhance phishing tactics, such as finding phishing domains, setting up fraudulent web pages, and crafting convincing emails.
“So in addition to those two or three threats, we see AI playing a part in those where it can help attackers find available phishing domains…set up fraudulent web pages that collect sensitive data…craft more convincing phishing emails…[and] proofread and rewrite emails for proper grammar and spelling,” Steinhauer remarked.
Despite these advancements, he noted that traditional security measures remain effective in mitigating these threats.
Growing scale and sophistication of cybercrime
Cybercriminal tactics are evolving and becoming more sophisticated, leading to a higher volume of attacks that are harder to detect. Steinhauer stated that these attacks are not carried out by lone hackers but rather large groups of specialized hackers who operate on a global level. He noted that these groups function like businesses, with coordinated efforts and structured operations.
“The business of cybercrime continues to grow every year,” Steinhauer began. “It’s all getting higher volume and they’re now starting to use AI to…make these things better, faster, cheaper, and higher amounts of everything.”
Best practices for protecting sensitive payroll data
To enhance payroll security, Steinhauer explained that businesses can implement both technical tools and human-related training. On the technical side, email clients can flag first-time messages from unknown senders, and AI can detect common scam methods.
He said that encryption for data at rest and in transit, multi-factor authentication (MFA), and monitoring unusual activity are essential security measures.
Steinhauer added that “payroll and accounting people [are] a highly targeted group of individuals [on] the front line defense of [an] organization” who should be empowered “to make decisions and to report unusual activity” by establishing “a culture of security” that involves IT and security teams “when they see something that’s wrong.”
Training for employees to recognize and avoid payroll-related tax scams
On the human side, Steinhauer stressed well-documented processes for approving changes. Employees should be unable to change direct deposit details via email, and additional verification steps such as phone calls and in-person ID checks should be required. He added that an integrated security program combining technical controls and human awareness is vital for protecting payroll and other business data.
Retrospective meetings for security improvement
Just as payroll departments conduct year-end retrospectives to evaluate their processes, Steinhauer advised companies to hold regular meetings to assess data security threats. These meetings provide departments with the opportunity to reflect on their past challenges and successes and plan improvements. He emphasized that including security teams in these discussions ensures that security concerns are addressed and that departments are aware of potential threats.
Pre-season security huddles
Before busy periods, such as tax season, Steinhauer also suggested companies hold pre-season huddles. He said that a pre-season huddle could be a good opportunity to present current threats and best practices for employees to stay vigilant. He noted that this proactive approach ensures everyone is prepared for potential security issues, “especially for in-person organizations.”
Proactive involvement of company departments
Steinhauer encouraged departments like payroll, HR, and accounts payable to engage with security teams to raise concerns and ask questions, which helps tailor training and protection efforts to the specific needs of each department. “I think security teams and groups love to see folks raising their hands and asking questions and being inquisitive,” he said. He added that this collaboration ensures employees understand the importance of security measures.
Connecting end users with security teams
Building strong connections between end users and security teams is important. Steinhauer acknowledged that these groups often operate in silos. However, regular communication allows both sides to understand each other’s issues. End users gain a better understanding of security controls, while security teams learn about the daily operations and needs of employees.
“And I think that a lot of folks will find that having a good relationship with your security team, and for the security team to have a good relationship with the users, really helps foster that culture of security,” Steinhauer emphasized.
The role of AI in enhancing payroll data security
Advanced technology, including AI, can play a key role in enhancing payroll data security. Steinhauer explained how detection tools analyze user interaction to determine what constitutes normal behavior and alert on abnormal behaviors. AI can detect unusual login patterns, such as users logging in at odd times or from different locations. Steinhauer said that AI also helps identify AI-generated or phishing material by looking for language that creates urgency or differs from company norms. Secure email tools can additionally use AI to block known phishing messages automatically.
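The two detection ideas described here, a per-user login baseline that flags odd hours or new locations, and email checks for first-time senders, look-alike domains and urgency language (also mentioned under the best practices above), can be shown with plain rule logic before any machine learning is involved. The following is an added example, not code from the article, from Steinhauer or from any named product: it builds a baseline from a constructed block of login records, scores new logins against it, and attaches flags to an inbound message. The user names, timestamps, domains and phrase lists are all constructed assumptions, and the hour tolerance and edit-distance threshold are illustrative choices, not vendor settings.

```python
"""Baseline-and-anomaly checks for payroll logins and inbound email (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

# Constructed sample login history (not real data): user, local timestamp, country code.
BASELINE_LOGINS = """\
alice 2025-01-06T08:12:00 US
alice 2025-01-07T08:40:00 US
alice 2025-01-08T09:05:00 US
alice 2025-01-09T17:30:00 US
bob 2025-01-06T07:55:00 US
bob 2025-01-07T08:10:00 US
bob 2025-01-08T16:45:00 US
"""


def parse_logins(text: str) -> List[Tuple[str, datetime, str]]:
    """Parse whitespace-separated login lines into (user, datetime, country)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, ts, country = line.split()
        events.append((user, datetime.fromisoformat(ts), country))
    return events


def build_baseline(events) -> Dict[str, Dict[str, set]]:
    """Per user, record the login hours and countries observed in the learning window."""
    profile = defaultdict(lambda: {"hours": set(), "countries": set()})
    for user, ts, country in events:
        profile[user]["hours"].add(ts.hour)
        profile[user]["countries"].add(country)
    return dict(profile)


def login_anomalies(baseline, user: str, iso_ts: str, country: str) -> List[str]:
    """Reasons a login deviates from the user's baseline; an empty list means normal."""
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for user"]
    ts = datetime.fromisoformat(iso_ts)
    reasons = []
    if country not in profile["countries"]:
        reasons.append(f"new country {country}")
    # Illustrative tolerance: one hour either side of any hour seen in the baseline.
    if not any(abs(ts.hour - h) <= 1 for h in profile["hours"]):
        reasons.append(f"unusual hour {ts.hour:02d}:00")
    return reasons


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Constructed phrase lists: urgency cues and deposit-change wording common in BEC mail.
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|before (?:noon|eod|close of business))\b", re.I)
DEPOSIT_CHANGE = re.compile(r"\b(direct deposit|bank (?:account|details)|routing number)\b", re.I)


def email_flags(sender: str, known_senders: Iterable[str], subject: str, body: str) -> List[str]:
    """Flags a mail client or gateway could attach to a message bound for the payroll inbox."""
    flags = []
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[-1]
    known = {s.lower() for s in known_senders}
    known_domains = {s.rsplit("@", 1)[-1] for s in known}
    if sender not in known:
        flags.append("first-time sender")
    for kd in sorted(known_domains):
        if domain != kd and edit_distance(domain, kd) == 1:
            flags.append(f"look-alike of {kd}")
    text = f"{subject}\n{body}"
    if URGENCY.search(text):
        flags.append("urgency language")
    if DEPOSIT_CHANGE.search(text):
        flags.append("deposit change requested by email")
    return flags


if __name__ == "__main__":
    baseline = build_baseline(parse_logins(BASELINE_LOGINS))
    print(login_anomalies(baseline, "alice", "2025-02-03T09:30:00", "US"))
    print(login_anomalies(baseline, "alice", "2025-02-03T03:10:00", "RO"))
    print(email_flags("e.smith@payrol-corp.com", {"e.smith@payroll-corp.com"},
                      "URGENT: update my direct deposit before noon",
                      "Please switch my bank account today."))
```

A real product would learn the baseline continuously and weight the signals, but the shape is the same: the login check compares against what the user normally does, and the email check compares against who normally writes and how, so a message that is both from a new look-alike address and pressing for a deposit change collects several flags at once and can be routed for the out-of-band verification step rather than actioned.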
Additionally, AI can enhance traditional security measures, making them more efficient. Steinhauer said it helps in identifying and blocking malicious activities faster than legacy tools.
Importance of basic cybersecurity protections
Although AI offers more tools to help detect tax scams and protect sensitive business data, Steinhauer highlighted the need for broader implementation of basic cybersecurity protections. He stressed that MFA was crucial and that everyone should adopt it to reduce cyber-attacks. Steinhauer cited an NCA report that showed that despite MFA’s effectiveness, 36% of users do not use it. Users also reuse passwords on different websites, increasing the risk of breaches. Steinhauer said that more discussion of these two practices, adopting MFA and not reusing passwords, and more nudging to encourage them would help prevent a lot more breaches.