Okay, so we’re a little late to the party regarding sharing this article. However, we know that many umbrella company representatives visit our website for helpful information and we have decided it would be irresponsible of us not to share this very informative article. Written by the team at My Digital, leading umbrella software providers, the article explains the best ways to protect your payroll business from the most common types of cybersecurity threats. The umbrella company industry has recently been hit hard by cyber security attacks. Several industry-leading umbrella companies have been forced to stop operations due to cyber-attacks temporarily. Therefore, this topic has never been so relevant. Keep reading – it’s essential!
Towards the end of last year, John Morris, Chief Technology Officer at My Digital, wrote an article called Cyber Security Advice Every Payroll Business Needs Right Now: Beware of Social Engineering – and we think it’s brilliant. As a result, we’ve shared the article below for our readers, and we hope you hope you find it equally helpful at this stressful time in the umbrella company and payroll sector.
We’ve shared the original article published in November 2021 because it has some extremely valuable advice and is still very relevant. We hope you agree!
——– Article below originally written by John Morris at My Digital ——–
Cyber Security Advice Every Payroll Business Needs Right Now: Beware of Social Engineering
Pro advice on how to defend your payroll business from the most common cybersecurity threat
In recent times, we are seeing an increasing cyber security crisis in the temporary workforce market. The criminals raise their interest in companies processing vast amounts of payments and then try to intercept these or steal personal data. Unfortunately, umbrella companies, recruitment businesses and other payroll intermediaries perfectly fit this description.
Hi there, I’m John Morris, CTO at My Digital. In this post I want to help you become more aware about the most common cyber security threat out there – social engineering. I will tell you exactly what it is and how you can take some basic precautions that will help you and your company stay safe.
Ready? Fasten your seatbelts and let’s go.
In social engineering attacks, bad actors use various methods of psychological manipulation to trick users into making security mistakes or giving away sensitive information that is then used to either steal information from companies or extract money. Social media accounts, ‘innocent’ phone calls and malicious links in emails are the main sources of executing social engineering attacks.
Some common social engineering attacks and what you can do
Phishing
The most common of attacks. Emails sent that look like they are from a legitimate source. For example your bank, a client, Microsoft 365. Typically they will alert you that there has been some kind of issue and you need to login to resolve. Of course the login page is not what it seems and is cloned from the main site and is used to harvest login credentials. Typically sites will then forward you on to the legitimate login page where you think there must be “IT gremlins” and you then log in without issue and don’t think anything else of it.
There are a few things you can do to reduce the chances of falling victim to these attacks. Firstly, if an email comes out of the blue without you requesting a password reset, or some kind of activity that may lead to an email, then you should verify the sender. Check the email address in the from field, does it look legit? Hover over any hyperlinks, are they going to the proper websites? If in doubt, always access websites containing sensitive or financial information from bookmarked URLs that you know are real. Secondly, if the website offers it, always use Multi Factor Authentication (MFA) to back up your password. Then even if someone has your username and password they have another obstacle to overcome. If MFA is not available always use a strong unique password that you store in a password vault and rotate on a periodic basis.
Smishing
Smishing is very similar to the above but takes place via SMS message. The most common over the last few years are delivery companies and banks but you also see it around year end with gov.uk messages asking you to check tax codes etc.
Pretexting
This is where an attacker uses knowledge gained on social media to send emails pretending to be someone senior in the company. Typically attackers will use LinkedIn to get CEO/MD/CFO/Finance Director details and email junior members of staff asking them urgently to transfer some money, or more commonly get the victim to purchase Apple or Amazon vouchers and send them to the gift codes.
In all scenarios there are a few common steps you should take
- Verify – Always do what you can to verify the details of the sender/caller.
- Ask someone else – If you are unsure, ask someone else’s opinion.
- Practice good password hygiene – Never reuse passwords. Use a password manager to create strong unique passwords. Use Multi Factor Authentication (MFA) where possible. Avoid the use of pet’s names, child’s names or anything you post about on social media (and yes – even if you use 01! At the end)
- Be alert – Cyber-attacks are not going away and there is no foolproof way of stopping them. Above all your best defence is for all staff to be alert and report any suspicious activity.
A good start for upping your cyber security measures is getting a business password vault. This will help you and your staff safely store and manage your business logins and passwords, consequently minimising the risk of them getting leaked or intercepted by the criminals. TechRadar did a decent rundown of some available solutions, I encourage you to have a look at them.
If you have any questions in regards to cyber security in your payroll business, feel free to reach out to me on LinkedIn.
——– End of article ——–
Hopefully, the above has helped you in your quest into protecting your umbrella company and payroll business from cyber security threats and hackers. If you have any questions, please do get in contact with John Morris. We’re confident he’ll be delighted to assist you!
Why is cyber security more important than ever before?
Cybercriminals and illegal online attacks have targeted leading UK-based umbrella companies and contractor accountants. Initially, Giant Pay was struck by suspicious activity, which caused havoc to their network and operations (September 2021). However, since then, other significant players in the sector have been hit, including Brookson, SJD Accountancy, Parasol and Nixon Williams. More information on each of these attacks is available in the articles below.
- Giant Pay temporarily close down systems in response to “suspicious activity” on network
- Parasol umbrella company experiences “system outage” resulting in delayed payments
- Brookson is the latest umbrella company to be hit with a “malicious” cyber attack
- Nixon Williams – another well-known umbrella company and accountant suffers from a “cyber security incident”
- “Key systems” at SJD Accountancy impacted by cyber security incident
Top 10 umbrella companies
Choosing a trustworthy and reliable umbrella company isn’t easy because there are over 500 payroll providers in the UK! To help make your life a little easier, we’ve created our top 10 umbrella companies list. Every top 10 umbrella company is accredited by either the Freelancer and Contractor Services Association (FCSA) or Professional Passport. And some have special offers at the moment! Please check them out now.
