
Payroll & Tax Fraud

TL;DR
  • Payroll fraud goes far beyond the BEC payroll redirect scam - it includes payroll processor account takeover, W2 data theft, ghost employees, 1099 manipulation, and tax withholding fraud
  • A single W2 breach compromises every employee's Social Security number, address, and income - fueling fraudulent tax returns at scale
  • Payroll processor ATO (someone takes over your Gusto/ADP/Paychex admin account) is the highest-impact attack because it gives access to banking, tax data, and employee PII simultaneously
  • Prevention requires MFA on your payroll platform, separation of duties, dual approval for banking changes, and quarterly payroll audits - most SMBs have none of these
Prerequisites

Before reading this page, understand:

  • BEC & Phishing - Covers payroll redirect (impersonating an employee to change direct deposit); this page covers everything else
  • Account Takeover - ATO concepts apply directly to payroll platform compromise
  • Fraud types overview - Where payroll fraud fits in the taxonomy

Most SMBs think "payroll fraud" means someone impersonating an employee to redirect a direct deposit. That's real, and it's covered on the BEC & Phishing page. But the payroll fraud landscape is much broader - and the other attack types are often more damaging. When someone takes over your payroll platform admin account, they don't just redirect one paycheck. They get access to every employee's SSN, every bank account on file, and the ability to create entirely fictitious people on your payroll. This page covers the attacks that most SMBs aren't thinking about.

How This Differs from BEC Payroll Redirect

The BEC payroll redirect is one specific social engineering attack. It's the tip of the iceberg. Here's how the broader payroll fraud landscape compares:

| Attack | Vector | Target | Impact | Detection Difficulty |
|---|---|---|---|---|
| BEC payroll redirect | Email impersonation of employee | HR/payroll staff | Single paycheck redirected ($3K-$15K) | Low - employee reports missing pay |
| Payroll processor ATO | Credential theft/phishing of admin | Gusto/ADP/Paychex account | Full access to all employee data, banking, tax info | Medium - changes may look legitimate |
| W2 data theft | Platform breach or insider access | Employee tax records | Mass identity theft, fraudulent tax returns | High - often not detected until tax season |
| Ghost employee scheme | Insider creates fictitious workers | Payroll itself | Ongoing theft per pay period | High - requires payroll-to-HR reconciliation |
| 1099 manipulation | Insider or ATO | Contractor payments | Diverted payments, false deductions | High - contractors may not notice for months |
| Tax withholding fraud | ATO or insider | Withholding settings | Redirected tax payments, employee tax debt | Very high - surfaces at year-end filing |

Key distinction: BEC payroll redirect exploits your people through social engineering. The attacks on this page exploit your systems, processes, and platform access. They require different defenses.

Payroll Processor Account Takeover

This is the highest-impact payroll attack for SMBs. If someone compromises your admin account on Gusto, ADP, Paychex, or whatever payroll platform you use, they have the keys to everything.

How They Get In

  • Credential phishing - Fake login page for your payroll platform (the most common method)
  • Credential stuffing - Your admin reused a password from a breached site
  • Session hijacking - Malware on the admin's device captures an active session
  • Social engineering the platform - Calling Gusto/ADP support pretending to be you

What They Do Once In

Once an attacker has admin access to your payroll platform, they can:

  1. Change employee bank accounts - Redirect direct deposits for multiple employees simultaneously
  2. Add ghost employees - Create fictitious workers and route their pay to attacker-controlled accounts
  3. Export W2/tax data - Download SSNs, addresses, and income data for every employee (current and former)
  4. Modify tax withholdings - Change federal/state withholding to maximize take-home pay they're stealing
  5. Change company banking - Redirect the funding source or modify the company's own bank account on file
  6. Add themselves as admin - Create a backdoor account for persistent access

Why this is worse than BEC: A BEC payroll redirect gets one paycheck. Payroll processor ATO gets everything - and the attacker can maintain access for weeks before anyone notices.

Real-World Pattern

The typical attack plays out over 3-7 days:

  • Day 1: Attacker gains admin access, immediately exports employee data (SSNs, addresses)
  • Day 2-3: Makes small changes to test (one bank account update, one withholding change)
  • Day 4-5: If undetected, adds ghost employees or changes multiple bank accounts before the next pay run
  • Day 6-7: Pay run executes with fraudulent changes; attacker removes their access or creates a hidden admin account

W2 & Tax Data Theft

W2 theft has a distinct seasonal pattern. Attacks spike between January and April - tax filing season - because stolen W2 data is immediately monetizable through fraudulent tax returns.

Why W2 Data Is So Valuable

A single W2 contains everything needed for identity theft:

  • Full legal name and SSN
  • Home address
  • Total income (needed to file a convincing fake return)
  • Employer EIN (makes the fake return look legitimate to the IRS)

One breach = every employee compromised. If your payroll platform is breached or an insider exports W2 data, every current and former employee in the system is at risk.

How Stolen W2 Data Gets Used

  1. Fraudulent tax returns - Filed early in tax season before the real employee files; average fraudulent refund is $5,000-$8,000 per return
  2. Identity theft - SSN + income data enables credit applications, loan fraud, and synthetic identity creation
  3. Sold on dark web - Complete W2 records sell for $20-$50 each; a company with 50 employees represents $1,000-$2,500 in immediate resale value

Seasonal Defense Calendar

| Month | Action |
|---|---|
| November | Audit payroll platform access; remove former employees and unnecessary admins |
| December | Enable MFA on all payroll accounts; verify admin contact info |
| January | Lock down W2 generation; restrict who can view/download |
| February-April | Monitor for unusual data exports; watch for employee reports of rejected tax returns |
| Year-round | Quarterly access reviews; log monitoring |

Ghost Employee & 1099 Schemes

Ghost employee fraud is almost always an insider threat. Someone with payroll access creates fictitious employees or contractors and routes their pay to accounts they control.

Ghost Employee Red Flags

  • Employee has no corresponding record in HR system (payroll-only entry)
  • Same bank account used for multiple employees
  • Employee address matches another employee or the payroll admin
  • No benefits enrollment, no training records, no badge/access card
  • Round-number salaries or wages that don't match pay grades
  • Employee was "hired" by the same person who runs payroll

1099 Contractor Manipulation

Fictitious contractors are harder to detect than ghost employees because contractors don't go through the same onboarding:

  • Fake contractors - Created to siphon payments; often use real-sounding business names
  • Inflated invoices - Real contractor, but amounts are padded with kickbacks to the approver
  • Duplicate payments - Same invoice submitted and paid twice, with the second payment going to a different account

Detection Approach

| Check | Frequency | What You're Looking For |
|---|---|---|
| Payroll-to-HR reconciliation | Monthly | Employees on payroll but not in HR system |
| Bank account duplication scan | Each pay run | Multiple employees sharing a bank account |
| Address matching | Quarterly | Employee addresses matching admin or each other |
| 1099 vendor verification | Quarterly | Contractors with no contract, no deliverables, no contact info |
| Payroll variance analysis | Each pay run | Unexplained increases in total payroll amount |
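The checks in the table above, run over a constructed payroll roster and HR record set, as an added example (not code from the original page or from any payroll vendor). The record layout (employee_id, bank_account, address, salary), the 10% variance threshold and the round-salary test are assumptions; adapt them to your platform's actual export format and pay grades.

```python
"""Ghost-employee checks: payroll-to-HR reconciliation, duplicate scans, variance analysis."""
from collections import defaultdict

# Constructed sample data. Field names are assumptions, not a real platform export.
PAYROLL = [
    {"employee_id": "E001", "name": "Ana Ruiz",  "bank_account": "111-222", "address": "12 Oak St",  "salary": 68500},
    {"employee_id": "E002", "name": "Ben Cole",  "bank_account": "333-444", "address": "9 Pine Ave", "salary": 71200},
    {"employee_id": "E003", "name": "Cal Ortiz", "bank_account": "333-444", "address": "9 Pine Ave", "salary": 60000},
    {"employee_id": "E004", "name": "Dee Walsh", "bank_account": "555-666", "address": "4 Elm Rd",   "salary": 50000},
]
HR_IDS = {"E001", "E002", "E003"}   # employee IDs known to the HR system of record


def payroll_not_in_hr(payroll, hr_ids):
    """Payroll-to-HR reconciliation: entries that exist only in payroll."""
    return sorted(r["employee_id"] for r in payroll if r["employee_id"] not in hr_ids)


def shared_values(payroll, field):
    """Duplicate scan: field value (bank account or address) -> employee IDs sharing it."""
    groups = defaultdict(list)
    for r in payroll:
        groups[r[field]].append(r["employee_id"])
    return {v: sorted(ids) for v, ids in groups.items() if len(ids) > 1}


def round_salaries(payroll, step=5000):
    """Red flag from the page: suspiciously round salaries (multiple of `step`, an assumed cutoff)."""
    return sorted(r["employee_id"] for r in payroll if r["salary"] % step == 0)


def payroll_variance(current_total, previous_total, threshold=0.10):
    """Variance analysis: True if total payroll grew more than `threshold` over the prior run."""
    if previous_total <= 0:
        return True
    return (current_total - previous_total) / previous_total > threshold


def run_checks(payroll, hr_ids, previous_total):
    """Run every check once and return the findings keyed by check name."""
    total = sum(r["salary"] for r in payroll)
    return {
        "payroll_only": payroll_not_in_hr(payroll, hr_ids),
        "shared_bank_accounts": shared_values(payroll, "bank_account"),
        "shared_addresses": shared_values(payroll, "address"),
        "round_salaries": round_salaries(payroll),
        "variance_flag": payroll_variance(total, previous_total),
    }


if __name__ == "__main__":
    for check, finding in run_checks(PAYROLL, HR_IDS, previous_total=199700).items():
        print(f"{check}: {finding}")
```

Every hit is a lead for the reconciliation, not proof of fraud; a legitimate new hire whose HR record lags payroll will also show up under payroll_only.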

Tax Withholding Manipulation

This is the quietest payroll fraud - it can go undetected for an entire tax year.

How It Works

  • Reducing withholdings - Attacker changes W4 elections to claim maximum exemptions, increasing take-home pay on diverted checks
  • Redirecting tax payments - In platforms that allow manual tax payment configuration, attacker redirects employer tax deposits
  • Manipulating employer contributions - Changing 401(k) match settings, HSA contributions, or other pre-tax deductions

Why It's Hard to Detect

Withholding changes look like normal employee self-service activity. An employee can legitimately update their W4 at any time. The fraud only becomes apparent when:

  • Employees get unexpected tax bills at year-end
  • Quarterly tax deposits don't match expected amounts
  • Year-end W2 amounts don't reconcile with payroll records

Prevention Controls

Platform Security

| Control | Why It Matters |
|---|---|
| MFA on all payroll accounts | Blocks credential stuffing and most phishing attacks |
| Role-based access | Not everyone needs admin; most need view-only or self-service |
| IP allowlisting | Restrict admin access to office network or VPN |
| Session timeout | 15-minute idle timeout for payroll admin sessions |
| Audit logging | Every change logged with who, what, when, and from where |

Process Controls

| Control | Why It Matters |
|---|---|
| Separation of duties | Person who adds employees should not be the person who approves payroll |
| Dual approval for banking changes | Any bank account change requires a second approver |
| 48-hour lock before pay run | No changes allowed within 48 hours of payroll processing |
| Quarterly payroll audit | Reconcile payroll roster against HR records, verify all bank accounts |
| Annual W2 access review | Restrict who can generate, view, or download W2s |

Monitoring

| Signal | Response |
|---|---|
| New admin account created | Verify immediately with company owner |
| Bulk data export (W2s, employee list) | Confirm business purpose within 1 hour |
| Multiple bank account changes before pay run | Hold payroll; verify each change |
| New employee added without HR ticket | Freeze until HR confirms |
| Withholding changes for multiple employees simultaneously | Review each change individually |
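The signals in the Monitoring table (plus the 48-hour lock from Process Controls) as alerting logic over a constructed audit-log export, added here as an example; it is not the page's code or any payroll platform's API. The event schema (ts, actor, action, target), the action names and the one-hour burst window are assumptions; map them to the fields your platform's audit log actually exports.

```python
"""Alert on payroll audit-log signals: new admin, bulk export, bank changes in the lock window, mass withholding edits."""
from datetime import datetime, timedelta

# Constructed audit events; a real feed would come from the payroll platform's audit log export.
EVENTS = [
    {"ts": "2024-03-11T09:02:00", "actor": "admin@example.com", "action": "admin_created",      "target": "hr-backup@example.com"},
    {"ts": "2024-03-11T09:05:00", "actor": "admin@example.com", "action": "bulk_export",        "target": "w2_all_employees.csv"},
    {"ts": "2024-03-13T22:10:00", "actor": "admin@example.com", "action": "bank_change",        "target": "E002"},
    {"ts": "2024-03-13T22:11:00", "actor": "admin@example.com", "action": "bank_change",        "target": "E003"},
    {"ts": "2024-03-13T22:12:00", "actor": "admin@example.com", "action": "bank_change",        "target": "E005"},
    {"ts": "2024-03-13T22:15:00", "actor": "admin@example.com", "action": "withholding_change", "target": "E002"},
    {"ts": "2024-03-13T22:16:00", "actor": "admin@example.com", "action": "withholding_change", "target": "E003"},
    {"ts": "2024-03-01T10:00:00", "actor": "E007",              "action": "withholding_change", "target": "E007"},  # normal self-service
]
PAY_RUN = datetime(2024, 3, 15, 6, 0)   # next scheduled pay run (constructed)
LOCK_WINDOW = timedelta(hours=48)       # the page's 48-hour lock before pay run


def alerts(events, pay_run, lock_window=LOCK_WINDOW, burst=timedelta(hours=1), min_count=2):
    """Return (signal, detail) tuples, one per Monitoring-table signal present in the events."""
    out = []
    for e in events:
        if e["action"] == "admin_created":
            out.append(("new_admin", e["target"]))          # verify immediately with the owner
        elif e["action"] == "bulk_export":
            out.append(("bulk_export", e["target"]))        # confirm business purpose within 1 hour

    # Bank account changes inside the lock window before the pay run: hold payroll.
    in_window = [e for e in events if e["action"] == "bank_change"
                 and pay_run - lock_window <= datetime.fromisoformat(e["ts"]) < pay_run]
    if in_window:
        out.append(("bank_changes_before_pay_run", sorted(e["target"] for e in in_window)))

    # One actor changing withholding for several employees within a short burst is not self-service.
    wh = sorted((e for e in events if e["action"] == "withholding_change"), key=lambda e: e["ts"])
    for i, e in enumerate(wh):
        t0 = datetime.fromisoformat(e["ts"])
        targets = {x["target"] for x in wh[i:]
                   if x["actor"] == e["actor"] and datetime.fromisoformat(x["ts"]) - t0 <= burst}
        if len(targets) >= min_count:
            out.append(("mass_withholding_change", (e["actor"], sorted(targets))))
            break
    return out


if __name__ == "__main__":
    for signal, detail in alerts(EVENTS, PAY_RUN):
        print(f"{signal}: {detail}")
```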

If You're Compromised

If you discover unauthorized access to your payroll platform or suspect payroll fraud, follow these steps in order:

Immediate (First 2 Hours)

  1. Lock the payroll platform - Change admin passwords, revoke all active sessions, disable any suspicious admin accounts
  2. Hold the next pay run - Do not process payroll until you've verified all settings
  3. Preserve evidence - Screenshot or export audit logs before making changes; note the timeline of unauthorized access

Within 24 Hours

  1. Notify affected employees - Tell them their personal data (SSN, bank info) may be compromised; be direct about what was exposed
  2. Advise employees to file IRS Form 14039 (Identity Theft Affidavit) - This flags their SSN with the IRS so fraudulent returns get scrutinized
  3. File a police report - You'll need this for insurance claims and regulatory compliance

Within 72 Hours

  1. Notify your state Attorney General - Most states require breach notification within 30-72 days; check your state's specific requirements
  2. Contact the IRS - If W2 data was exposed, email dataloss@irs.gov with "W2 Data Loss" in the subject line
  3. Offer credit monitoring - Industry standard is 12-24 months of free credit monitoring for affected employees
  4. Audit every payroll change - Go back through 90 days of changes and verify each one against legitimate requests

Ongoing

  1. Rebuild platform security - New admin accounts, MFA enforced, IP restrictions, reduced access levels
  2. Document everything - Maintain a timeline for law enforcement, insurance, and potential litigation
  3. Consider a forensic investigation - If the breach involved platform-level compromise, your payroll provider should be involved

Next Steps

Securing your payroll platform?

  1. Enable MFA on every payroll admin account today - this blocks the majority of ATO attacks
  2. Set up dual approval for bank account changes - prevents single-point-of-failure fraud
  3. Schedule your first quarterly payroll-to-HR reconciliation - catches ghost employees

Worried about tax season exposure?

  1. Lock down W2 access before January - restrict generation and download to one named individual
  2. Review the BEC & Phishing page for email-based payroll redirect prevention
  3. Set up audit alerts for bulk data exports from your payroll platform

Already dealing with a breach?

  1. Follow the If You're Compromised playbook above - platform lockdown first
  2. Read the Survive a Fraud Attack playbook for broader incident response
  3. Check the Business Banking ATO page if banking credentials were also exposed