New Payroll Fraud Variation: Scammers Gain Access To Corporate ADP Accounts

Image courtesy of Parvinder Singh Arora

In recent months, we’ve seen a scam aiming to social engineer payroll information out of employees hit well-known companies like Snapchat and Seagate. The fraudsters’ goal is to get employees’ personal information and salary data, and file tax returns to collect refunds under their names. Now the tax scammers have found the ultimate source of payroll data: they’re able to access some companies’ accounts with payroll processing company ADP.

You may not recognize the name ADP, but most adults have probably held at least one job where the company printed their paychecks. Around the world, the company has 610,000 clients. That’s companies, not individuals.

For example, ADP handles payroll for U.S. Bancorp, and Krebs on Security shared a letter that a reader received as a victim of one of these breaches. Employees were notified that fraudsters had established fake accounts under real employees’ names, harvesting their payroll information. Presumably, this data would later be used for tax refund scamming.

Bancorp has around 64,000 employees, and not all of them were victims of this scam. To establish a fake account on the ADP portal, the scammers needed to know that the person works for U.S. Bancorp, plus pieces of personal data that are common targets for identity thieves: the person’s name, date of birth, and Social Security number. In other words, those affected had already been victims of identity theft before this scam reached them.

Another key part of the breach is that the employer needed to make the company-specific URL and a company code public. Simply having employee handbooks or information on how to find one’s W-2 available on a public Internet page instead of a building-exclusive intranet would be enough to put the not-so-secret URL and code in the fraudsters’ hands.

U.S. Bancorp became aware of the breach on April 19, after the tax deadline, but tax returns for 2015 may have already been filed for employees.

Fraudsters Steal Tax, Salary Data From ADP [Krebs on Security]