The ‘Cash For Credentials’ Payroll Threat

Workers are being offered cash to share their login credentials for their employer accounts, not by hackers, but by data aggregators seeking to provide industry insights to their clients.

Data is the new gold and there is no shortage of prospectors who don’t exactly follow the rules. In May 2021 it was reported* that financial companies in the US have been targeting gig workers with financial payments to hand over their payroll account username and password.

They’re not looking to hack into your payroll; they just want salary data, so they can:

  • Have visibility at scale of pay rates in different roles across various industries
  • Bolster their data broker services
  • Develop tools to provide a single point of access for workers with multiple employers
  • Help credit providers verify an applicant’s income.

Whilst this seems to be emerging predominantly in the gig worker market, the value of payroll data means it’s possible this phishing practice will spill over into the general labour hire market.

Balancing Access vs. Security

There is a risk that if candidates and employees have remote access to payroll software, individuals could be tempted to provide credentials for financial gain, and compromise the integrity of your payroll system.

But where does that leave the time-saving benefits of employee self-service? We have some suggestions for improving payroll security in the face of this new kind of phishing without cutting your employees off from their own data:

Actions to prevent third parties mining your payroll data:

  1. Ensure policy and employment contracts (for both internal and candidate workers) specifically reference your company’s provided credentials and the appropriate way to keep these secure.
  2. Consider a disciplinary response in the event credentials are shared.
  3. Consider what additional controls can be implemented to better protect user credentials for payroll inquiries.
  4. Consider how you can assist employees who need access to payroll data to support other services they engage with, such as credit applications.

*See article on Vice.com
