Printed Paychecks are a Security Hole? Really? Yes, Really.
Go to Google and do an image search for “my first paycheck,” then come back to finish this article. Okay, wasn’t that amazing? What you saw was hundreds of smiling employees posting an image of their first paycheck. If you search for “my last paycheck” you’ll see more.
Perhaps you’re now wondering whether you have a policy in place to keep employees from taking a selfie holding their paycheck and sharing it online.
Good. This is the article for you. Read on.
In a recent national news story, a Minnesota woman posted a selfie on Instagram holding her paycheck. Zoom in a little on the photo, and you can clearly see the company’s bank account number!
Criminals gathered the information and used it to create counterfeit checks against her employer's bank account.
She wasn't the only one, though. So many people used the hashtag #firstpaycheck on Instagram and did the same thing that a group of criminals was able to steal about $2 million.
Allegedly, a group of about 25 people calling themselves the Sienemah Gaye Organization engaged in counterfeiting after swiping banking information from such selfies.
It was not a minor operation, and many law enforcement officials were involved in stopping it: “Today's law enforcement operation involved over 75 federal, state and local law enforcement officers and is the culmination of thousands of investigative man hours involving the efforts of 12 different law enforcement agencies working collaboratively with private industry and federal prosecutors under the auspices of the Minnesota Financial Crimes Task Force. Today, thanks to talented investigators, analysts and prosecutors, a significant identity theft ring adept at victimizing Minnesota businesses and citizens is no longer in business.”
It gets worse. They were also able to steal employee identities from the photos.
Social Media Oversharing
Younger workers, as we know well, are overly comfortable with social media. They publish photos of their best and worst moments for all to see. Most now have smartphones capable of taking photos and video and quickly posting them to the web. So, it might seem quite natural to them to want to celebrate a first paycheck, or a bonus check, by taking a photo of it and sharing it on Instagram, Twitter or Facebook. However, they clearly aren't thinking about the problems they could create when they share sensitive banking information.
Now it’s time for you to think about it.
Do you still print and distribute physical paychecks with information such as:
1. An employee’s social security number? (Legally banned by many state laws.)
2. The last four digits of an employee’s social security number? (This is allowed legally but still exposes an important bit of information that can be used to access and steal from an employee’s consumer financial accounts.)
3. Corporate bank account numbers and routing numbers? (All checks have this.)
4. An employee’s bank routing and bank account numbers? (Many paychecks still have these.)
5. An employee’s physical address and phone number? (Many paychecks have these.)
6. A handwritten signature or an image of a signature of a company officer? (Of course you do.)
Okay, now that we have your attention, here are a few ways to limit, but not completely eliminate, these risks.
(The first extant American self-portrait - from the 1800s.)
The best (but most expensive) fix:
Review and fix your printed paychecks/direct deposit documents with your payroll provider.
• Conduct a thorough review of state and federal laws on publishing paychecks to see what information is currently legally banned from appearing on paychecks and direct deposit documentation. Are you in compliance with current laws?
• Regardless of state and federal laws, you should alter physical employee paychecks to not include potentially compromising information such as: employee bank account numbers, bank routing numbers, social security number, the last four digits of social security numbers, or physical addresses.
• Using direct deposit for paychecks is more convenient, but remember it is also more secure. That said, the same corporate policies for physical paychecks should also apply to any other direct deposit document provided to employees, particularly if it includes a lot of the same potentially compromising information. Make sure your payroll provider makes these changes or get a new provider.
• Phase out the distribution of any physical paychecks and direct deposit documents of any kind. This means all paycheck, or last paycheck funds, must be provided through a direct deposit mechanism.
• Provide all direct deposit documentation by email to employees and eliminate the distribution of physical paycheck documentation (which could also be posted online by an oversharing employee).
• If your payroll services provider or software cannot accommodate these changes, perhaps it’s time to find a new one that can.
There might be more costs associated with issuing individual direct deposits run separately from the general payroll. In the short run, you might incur additional expense to make these changes. However, today’s a different day and these should probably be part of the costs of running businesses in these new times of greater identity theft and fraud.
Establish policies forbidding employees from posting paycheck images and information anywhere.
Create an employee policy that strictly forbids employees from photographing paychecks and sharing them on social media for the whole world to see. Your policy should require that no employee ever photograph sensitive financial documents, such as paychecks, and share them on Instagram or any other social media platform.
Creating such a policy will require nuanced language and careful crafting. What if an employee has already shared this very sensitive information online?
You are in for a lot of work.
Tracking Things Down and Taking Action
Have someone who knows social media help you track down where it was posted and shared, when, and whether it was also shared by others. It's common on sites like Twitter and Facebook to share another person's post by retweeting and forwarding. Of course, it's much better to prevent the oversharing in the first place than to try to track it down. Do you fire an employee who makes a naive error that could still do a lot of damage to the company? This is a lot of work, but here is a social media training resource that can help.
Training and Educating Employees to Prevent This
How do you educate employees about the dangers of oversharing financial information online? Particularly younger workers who love to share too much online? Given that taking photos of just about anything to post on social media in order to get attention is such a common practice, you have your work cut out for you. Here is a resource that can help: how to create training programs that sensitize employees to the risks of social media.
Finally, all of this is potentially painful for your company and employees. There’s the risk of their financial ruin, and of the years and years it takes to recover from identity theft. After all, employees suddenly having no credit, and not being able to buy a car or house, will become more than a drag on their productivity at work. So limiting this risk is your contribution to a happier, healthier, more productive workforce.
If all of these examples are not a call to action, consider the public embarrassment factor. Who wants to have their employees or company names plastered in newspapers because they did not avoid this completely avoidable problem?
Not you.
Let us know if you have any feedback or comments on paycheck selfies. What have been your own experiences with this problem?
Image Credits: Flickr, Loc.gov, hitrecord.org, Library of Congress