Direct deposit problem stemmed from data breach: What went wrong?
Paying employees by direct deposit is convenient for all involved. But a recent court case is a reminder that funds could end up in cybercrooks’ bank accounts.
Cybercriminals will seek out any point of weakness. So, continually safeguarding systems and keeping employees informed is essential for businesses.
Here’s what went wrong for one employer, a healthcare entity.
Using employee self-service portal
The employer had a human resources information system (HRIS), which contained an employee self-service portal (ESSP). Employees accessed the portal to input data, such as bank account information for direct deposit purposes.
After a phishing email went out to hundreds of employees, the direct deposit problems surfaced. Scammers had been able to switch the bank account information of about a dozen employees, with the goal of fraudulently receiving their paychecks.
One employee, a doctor, got hit hard when her biweekly paycheck in the amount of $8,432.98 went into the cybercriminals’ account.
By stealing the username and password she needed to log in to the ESSP, they changed the financial institution that received her direct deposit on payday.
The hospital reported the incident to the FBI and its own bank.
But only a small portion of the doctor’s wages was recovered – $79.65.
The predicament led to a lawsuit, with the employee claiming the employer had violated the state’s wage payment laws. After all, she didn’t receive her wages on payday.
The Supreme Judicial Court of Maine agreed, ruling in the employee’s favor.
Setting up new hires for direct deposit
The employer had been diligent when it brought the doctor on board as a new hire.
For example, the hospital stressed to her that she should use caution with her username and password.
Plus, she had to sign a direct deposit authorization form, giving permission for her employer to deposit her wages into the bank account she designated.
You may take these steps and may have other practices such as asking new hires to fill out an electronic version on Form W-4.
One key to successful electronic interactions and protecting your HRIS? Verifying that you’re dealing with the employee and not a scammer. If an employee reaches out to you through one channel, you may decide to communicate through an alternative channel.
And remember, while properly setting up employees for direct deposit is important, so is having procedures in place for them to safely make changes.
Free Training & Resources
White Papers
Provided by Anaplan
White Papers
Provided by UJET
Further Reading
The rollercoaster ride continues as federal regulators reevaluate the current overtime rule and what it means to meet the salary level test...
The DOL has begun to roll out its Retirement Savings Lost and Found. It’ll be populated with information from plan sponsors and admin...
Ever since the Secure 2.0 Act laid out changes for workplace retirement plans, employers have been waiting for final regs from the IRS. ...
The Supreme Court has raised the standard on whether an employer can claim undue hardship in response to a religious accommodation request....
IRS told one employer that payments made to employees under its fixed-indemnity health insurance policy were subject to federal income, FIC...
One business that claimed a research tax credit ended up with a tax penalty instead. The company fought back in court, but the situation di...