The healthcare industry is no stranger to scams and cyberattacks, and payroll phishing scams are among them. Ransomware is reported to account for about 70% of successful attacks, but the usual way an attack gets its first foothold is a phishing email: by various estimates, 79% to 91% of cyberattacks begin with phishing.
The average breach now costs healthcare organizations nearly $11 million, so protecting payroll and HR operations matters for employee and patient data security as much as for the organization's financial stability.
Understanding Payroll Phishing Scams
Phishing goes hand in hand with spoofing. In spoofing, a scammer disguises an email address, display name, or website so that you believe you are dealing with a trusted source. Often the only difference is a single changed, dropped, or swapped letter in the domain or address, chosen to survive a quick glance.
Phishing scams use these techniques to lure you in and trick you into divulging sensitive information. Popular scams include impersonation, direct deposit, and wire transfer tactics, which can lead to financial losses and breaches in employee and patient data.
Impersonation Tactics
Impersonation phishing happens when a scammer poses as a person of authority inside (or connected to) your organization. It usually starts with an email asking you to update your credentials or authorize a payment through a specific link.
The link leads to a spoofed website that also looks legitimate. There the scammer prompts you to enter your user ID and password, banking details, or other sensitive data, and captures whatever you type.
Direct Deposit Scams
Direct deposit scams also rely on impersonation. The scammer emails someone in the payroll department, posing as an employee, and asks to change the direct deposit details for the next paycheck.
The email appears to come from a real employee, though the address is usually wrong, or the sender's name carries a slight spelling error. If HR or payroll staff make the change without confirming the request through a channel they already trust, such as the employee's phone number on file, the employee's wages go straight into the scammer's account.
Wire Transfer Scams Impacting Payroll
Wire transfer phishing is similar to the direct deposit scam but usually involves impersonating a senior leader in the organization. The scammer emails the healthcare payroll team asking for a wire transfer to a familiar vendor, such as the payroll processing company.
The email looks legitimate, as if it came from an employee or supervisor, and may even copy that person's usual request style. The request is fake, and completing the wire transfer diverts company funds directly to the scammer.
Financial Losses for Organizations
As you can imagine, phishing scams lead to enormous financial losses. A Hong Kong firm made global headlines in February 2024 after a deepfake phishing incident led a finance clerk to transfer roughly $25 million (HK$200 million) to scammers.
The scammers invited the employee to a video conference call in which AI-generated deepfakes stood in for the company's chief financial officer and other colleagues. Reassured by seeing familiar faces, the clerk made a series of transfers to five different accounts, and the money was gone before anyone checked with the real executive.
Risks to Employee and Patient Data
Unfortunately, phishing scams are common in the healthcare industry and frequently jeopardize employee and patient data. One medical group, for example, suffered a phishing attack that exposed the protected health information of roughly 34,000 patients.
The phished credentials gave the attacker access to an email account containing patients' medical information. The incident ended in a $480,000 settlement payment to the HHS Office for Civil Rights (OCR).
Recognizing Payroll Phishing Scams
Scams are becoming more complex, as in the case of the deepfake phishing incident. But, with some training and awareness of common signs and red flags, your employees can learn to spot potentially compromising emails.
Signs and Red Flags
The best scams closely mimic your regular payroll communications, so everything appears routine. Careful attention to detail can help your team spot unusual or questionable emails, voice calls, and even chat or text messages.
The most common signs of a phishing scam are as follows:
- Grammatical and spelling mistakes: Errors in the sender’s name, brand, website, or other key details, as well as poor grammar in the email body.
- Unknown email addresses: A message may come from an unusual or public email address or a non-corporate email address you don’t recognize. It may also be formatted differently than is usual for your company.
- A mismatch between name and email address: Look for a display name that does not fit the address behind it. The sender's name might be Jane Smith while the address belongs to a different name, a free webmail service, or an unrelated domain.
- A false sense of urgency: Email content and subject lines that require you to complete a request immediately or the company will face a consequence should be investigated further before action is taken.
- Domain name changes: These can be subtle or blatant changes. The slight variations are more difficult to notice. For example, healthfacility.com might become heathfacility.com.
Examples of Phishing Email Formats Targeting Payroll Professionals
Phishing emails seem like normal requests or alerts and can easily deceive professionals. However, they don’t hold up on closer examination.
A phishing email may look like this:
From: Admin [sender address at a domain that is not your company's]
Re: Payroll notification
You have an important update about your payroll schedule.
Click here to read.
Thank you,
Brand Name Payroll Admin
Or you might receive a direct deposit change request:
From: Erin [personal webmail address that does not match the employee's directory entry]
Re: Direct deposit change
Hello,
I recently changed banks and would like to have my direct deposit changed to my new account . Can I have it changed asap for the current pay schedule?
Regards.
The spelling mistakes, grammatical errors, mismatched names and email addresses, and the immediate change request are all red flags.
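The red flags listed above (lookalike domains, name/address mismatches, urgency, banking-change requests, context-free links) are mechanical enough to check automatically before a message ever reaches the payroll inbox. The following is an added example, not code from the original article or from Empeon: a small heuristic screener that scores an email against those signals. The company domain healthfacility.com is taken from the article's own example; the urgency word list and the three sample messages (two modelled on the phishing formats shown above, one routine internal note for contrast) are constructed for this illustration.

```python
"""Added example (not from the original article): a heuristic screener for the
payroll-phishing red flags listed above. The company domain, urgency word list
and the three sample messages are constructed for this illustration."""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "healthfacility.com"  # assumed legitimate domain (article's own example)
URGENCY_WORDS = ("immediately", "asap", "urgent", "right away", "before end of day")
MONEY_CHANGE = re.compile(r"direct deposit|bank account|wire transfer|routing number")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen(raw: str) -> dict:
    """Parse one RFC 5322 message string and return the red flags it triggers."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().partition("@")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    flags = []

    # Domain check: exact match is fine; a near miss is a lookalike; anything else is external.
    if domain and domain != COMPANY_DOMAIN:
        dist = edit_distance(domain, COMPANY_DOMAIN)
        if dist <= 2:
            flags.append(f"lookalike domain {domain!r} ({dist} edit(s) from {COMPANY_DOMAIN!r})")
        else:
            flags.append(f"external sender domain {domain!r}")

    # Display name vs. address: no token of the name appears in the mailbox name.
    tokens = [t for t in re.split(r"[^a-z]+", display.lower()) if len(t) > 2]
    if tokens and not any(t in local for t in tokens):
        flags.append(f"display name {display!r} does not match address {addr!r}")

    urgent = [w for w in URGENCY_WORDS if re.search(rf"\b{re.escape(w)}\b", text)]
    if urgent:
        flags.append("urgency language: " + ", ".join(urgent))

    if MONEY_CHANGE.search(text):
        flags.append("asks to change banking or payment details")

    if "click here" in text:
        flags.append("generic 'click here' call to action with no context")

    return {"from": addr, "flags": flags, "score": len(flags)}


# Constructed samples: two modelled on the phishing formats above, one routine message.
SAMPLE_NOTICE = """From: Admin <admin@heathfacility.com>
Subject: Payroll notification

You have an important update about your payroll schedule.
Click here to read.

Thank you,
Brand Name Payroll Admin
"""

SAMPLE_DEPOSIT = """From: Erin <hr.payroll.request@outlook.com>
Subject: Direct deposit change

Hello,
I recently changed banks and would like to have my direct deposit changed to my new account . Can I have it changed asap for the current pay schedule?
Regards.
"""

SAMPLE_ROUTINE = """From: Jane Smith <jane.smith@healthfacility.com>
Subject: Timesheet reminder

Please submit your timesheet by Friday so payroll can run on schedule.
"""


def triage(messages: dict) -> list:
    """Return (label, score, flags) per message, highest score first, for human review."""
    rows = []
    for label, raw in messages.items():
        result = screen(raw)
        rows.append((label, result["score"], result["flags"]))
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    samples = {"notice": SAMPLE_NOTICE, "deposit": SAMPLE_DEPOSIT, "routine": SAMPLE_ROUTINE}
    for label, score, flags in triage(samples):
        print(f"{label:8} score={score}")
        for flag in flags:
            print("   -", flag)
```

The score is a count of independent signals, not a verdict: a routine message from a colleague's personal address will trip one flag, while the direct deposit sample trips four. In practice this sits in front of a human, not in place of one; the point is that the deposit request is flagged for callback before anyone in payroll touches the bank details.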
Preventing Payroll Fraud
About 61% of data breaches are attributed to employee negligence, though these incidents are generally unintentional. Employees may never have received training, or may not recognize what can lead to a severe breach, such as holding broader access to the organization's files than their job requires.
As scams and techniques become more advanced, it’s essential to stay ahead with security precautions, staff education, and training.
Security Precautions for Organizations
Some of the best precautions are simply good practice for any organization: they prevent fraud in general, and they stop any one person from being able to authorize a payment or move a large sum on the strength of a single email.
For instance, set up practices and policies that limit permissions or authority.
- Separate payroll functions from HR duties.
- Separate accounts payable duties from payroll duties.
- Require multi-step authorizations for payments over a certain amount.
- Require confirmation of any change to banking details or any payment request, either in person or by calling the employee or vendor at the number already on file (never at a number supplied in the request itself).
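The four policies above are easiest to see working together in code. What follows is an added example, not code from the original article or from Empeon's product: a minimal model of a payroll change workflow in which a direct deposit change or an outgoing wire cannot be applied until it has been confirmed by callback to a number already on file and approved by the right number of people, none of whom is the requester, with payroll and finance staff holding different approval rights. The role assignments, names, phone numbers and the dollar threshold for dual approval are assumed for the illustration.

```python
"""Added example (not from the original article): a minimal model of the
payroll controls above. Roles, names, phone numbers and the dollar threshold
are assumed for the illustration."""
from dataclasses import dataclass, field

DUAL_APPROVAL_THRESHOLD = 10_000  # assumed policy: wires at or above this need two approvers

# Contact numbers captured at onboarding or vendor setup. A callback must use
# one of these; a number that arrives inside the request proves nothing.
PHONE_ON_FILE = {
    "e.walsh": "555-0100",                # employee
    "acme-payroll-services": "555-0150",  # vendor
}

# Who may approve what. Payroll staff handle deposit changes, finance staff
# handle outgoing payments: the separation of duties the article calls for.
ROLE = {
    "p.jones": "payroll", "m.chan": "payroll",
    "a.lee": "finance", "r.diaz": "finance", "s.park": "finance",
}


class ControlError(Exception):
    """Raised when an action would bypass a control."""


@dataclass
class ChangeRequest:
    kind: str              # "direct_deposit" or "wire"
    subject: str           # employee whose deposit changes, or vendor to be paid
    requested_by: str      # sender of the request; may be an impersonator
    amount: float = 0.0
    callback_ok: bool = False
    approvals: list = field(default_factory=list)  # [(approver, role), ...]
    applied: bool = False


def verify_callback(req: ChangeRequest, number_dialled: str) -> None:
    """Out-of-band confirmation against the directory, never the request."""
    on_file = PHONE_ON_FILE.get(req.subject)
    if on_file is None:
        raise ControlError(f"no number on file for {req.subject!r}; confirm in person")
    if number_dialled != on_file:
        raise ControlError("callback must use the number on file, not one from the request")
    req.callback_ok = True


def approve(req: ChangeRequest, approver: str) -> None:
    """Record an approval, enforcing role and separation-of-duties rules."""
    role = ROLE.get(approver)
    if role is None:
        raise ControlError(f"{approver!r} holds no approval role")
    if approver == req.requested_by:
        raise ControlError("a requester may not approve their own request")
    if any(a == approver for a, _ in req.approvals):
        raise ControlError(f"{approver!r} has already approved this request")
    expected = "payroll" if req.kind == "direct_deposit" else "finance"
    if role != expected:
        raise ControlError(f"{role} staff may not approve a {req.kind} request")
    req.approvals.append((approver, role))


def required_approvals(req: ChangeRequest) -> int:
    """Multi-step authorization applies to large wires."""
    return 2 if req.kind == "wire" and req.amount >= DUAL_APPROVAL_THRESHOLD else 1


def apply_change(req: ChangeRequest) -> bool:
    """Final gate: every control must already be satisfied."""
    if not req.callback_ok:
        raise ControlError("request has not been confirmed out of band")
    needed = required_approvals(req)
    if len(req.approvals) < needed:
        raise ControlError(f"needs {needed} approval(s), has {len(req.approvals)}")
    req.applied = True
    return True


def rejected(action, *args) -> bool:
    """True if a control blocks the action; used to demonstrate the failure modes."""
    try:
        action(*args)
    except ControlError:
        return True
    return False


if __name__ == "__main__":
    # A deposit change "from Erin" that arrived by email and quoted its own callback number.
    dd = ChangeRequest("direct_deposit", "e.walsh", requested_by="hr.payroll.request@outlook.com")
    print("apply without callback blocked:", rejected(apply_change, dd))
    print("callback to the number in the email blocked:", rejected(verify_callback, dd, "555-0123"))
    verify_callback(dd, PHONE_ON_FILE["e.walsh"])
    approve(dd, "p.jones")
    print("applied after callback to number on file + payroll approval:", apply_change(dd))
```

The design choice worth copying is that the callback number comes from the directory keyed by the subject of the change, so an email that helpfully includes "call me at ..." cannot steer the verification. The other failure modes (self-approval, double-counting one approver, a payroll clerk approving a wire, a single approver on a large wire, a vendor with no number on file) are each rejected by one explicit check rather than by convention.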
Additional tech precautions can also enhance security within your organization, including:
- Security software to defend against viruses, malware, and phishing
- Assigning unique login credentials for payroll software that are not reused anywhere else
- Adopting multi-factor authentication for employee self-service platforms, where direct deposit details can be changed
Staff Education and Training for Payroll Professionals
Security and procedural training should happen during staff onboarding so that professionals know and follow the processing and security protocols. However, additional security and scam awareness training may boost vigilance. An annual mandatory refresher course or video training sequence can do the trick.
At the very least, instruct your employees on the security basics.
- Never send passwords or banking information by email.
- Don't click links in unsolicited emails that ask for passwords, credentials, or "verification".
- Don't open attachments or pop-ups from unusual or unsolicited emails.
- Report suspicious emails to IT and to your HR department.
- Confirm every payroll request through a second channel before acting on it.
Reporting Phishing Emails in Healthcare Payroll
Reporting scams is essential to security and compliance. The sooner IT knows about a problem, the sooner they can reduce risks and further data loss. In addition, organizations may have to report the incident if it leads to a data breach or leak.
The Department of Health and Human Services (HHS) enforces HIPAA. Under the HIPAA Breach Notification Rule, a covered entity must notify the affected individuals of any breach of unsecured protected health information. Breaches affecting 500 or more individuals must also be reported to HHS (and to prominent media outlets serving the affected area) without unreasonable delay and no later than 60 days after discovery; smaller breaches are logged and reported to HHS annually.
Each state also has its own rules on breaches of personal information and mandatory notification. Report the theft to law enforcement as well, and involve legal counsel early to protect the organization's compliance position and legal interests.
Importance of Payroll Processing Security in Healthcare
Payroll security is essential in healthcare. The HR and payroll departments handle sensitive information daily, and accidentally granting scammers access can have a devastating effect on your staff, patients, and your organization as a whole.
Your payroll solutions and security programs matter. That’s why Empeon prioritizes security with advanced protocols, including encryption, digital certificates, and password protection.
To safeguard data, Empeon limits user permissions and sets advanced password and login restrictions. Take a free, self-guided tour and see our platform in action.