Payroll Data Services Blog

Tips to Steer Clear of Phishing Scams

scam roadsign cropped

It’s like clockwork. Crisis hits — and the scammers go wild. Using email, text, robocalls, and other phishing tactics, criminals hit the (digital) pavement, manipulating employers and employees to hand over passwords, social security numbers, and other information that’ll grant them access to email, bank, and business accounts of all kinds. 

While some of these scams are easy to spot, phishing criminals are increasingly sophisticated in their attacks. Here’s what to be on the lookout for — and how to avoid scams during COVID-19 times and beyond.

Popular phishing scams in COVID-19 times

As expected, scammers are pulling out all the stops to take advantage of vulnerabilities during the pandemic. Here are a few recent coronavirus-inspired scams to be mindful of:

  • Fake SBA requests. With many businesses eager to receive a loan from the Small Business Administration (SBA), scammers are increasingly impersonating the SBA in an attempt to steal employer and employee information. Remember, the SBA will never call, text, or email you requesting personal or business information, ask you to apply for a loan, or tell you to complete a loan application. You do not need to pay for information from the SBA and you never need to pay upfront to get an SBA loan. Take care to follow SBA guidance on what to do (and not do) during the loan process.
  • Government payments. The IRS will not call, email or text about government-issued checks, such as the Economic Impact Payments that have already been issued. Be on the lookout for scammers that request financial and personal information in exchange for qualification or faster payment. Phishing criminals are targeting many individuals, including college students that you may employ. 
  • Other agency impersonations. Beware of outreach claiming to be from government agencies and health organizations, like the Centers for Disease Control (CDC) or the World Health Organization (WHO). In a recent scam, fake "mask exemption cards" claiming to be from the Department of Justice (DOJ) are even circulating around the web and social media. Always go directly to agency websites for information, as that will always be the most reliable. Here’s a few helpful sites to bookmark.  
  • Contact tracing clickbait: State departments hire contact tracers to work with people infected by COVID-19 to get the names and phone numbers for everyone that they may have come in contact with. While contact tracers do use text messages to communicate with individuals, they will never ask for money or personal information like a social security number. They will also never ask you to click on a link, which is often just a vehicle for scammers to put information-stealing software onto your device. To learn more about this scam, check out what the Federal Trade Commission (FTC) has to say.
  • Online offers and ads. Get the facts right, so you don’t fall for clickbait that preys on common COVID-19 fears. As a reminder, there are no products proven to treat or prevent COVID-19 at this point. And, while the FDA recently announced approval for one home test kit, it requires a doctor’s order. Also be on the lookout for illegal robocalls that pitch everything from low-priced health insurance to work-at-home schemes.
  • Solicitations for donations. Always do your homework when it comes to donations to avoid charity scams. Never donate in cash, by gift card or by wiring money. 

If you encounter any of these, or other suspicious activity, report it to

How to safeguard against phishing scams?

There’s no surefire way to avoid phishing attacks, but there are important precautionary steps you can take to protect yourself.

  • Be on the lookout. The faster you can spot a suspicious email sender, the better. Stay vigilant when it comes to your inbox. Look at actual email addresses, not just display names. If it’s an email address you don’t recognize, this should raise a red flag immediately. Report any suspicious emails directly to your IT department. They should investigate the potential scam and forward any suspicious IRS-related emails to
  • Hover over hyperlinks. Whenever you receive an email with a hyperlink, always hover your cursor over it to view the actual URL. By doing this, you can confirm the URL is actually related to the company it purports to be from and that it’s secure. To ensure the url is secure, look for the "s" in the https portion of the URL (versus an http url without the "s"). 
  • Think before you click. If you overlook the actual email address (which is easy enough to do), the content of the email can be the next indicator that something’s amiss. Never click on a link or attachment included in an email, especially if it’s requesting login information. Sensitive personal information should never be sent over email. Instead, go directly to the source (e.g., email your HR contact or contact the agency directly to confirm it’s a legitimate request). Better safe than sorry!
  • Stay informed. Make sure you stay on top of new phishing scams. Check out the IRS page with alerts about common COVID-19 scams. If you know what to watch out for, you’re much less likely to fall prey to scams. And if you have employees, make sure security is paramount throughout your organization. If it’s regularly reinforced, there’s a better chance your employees will stay mindful.
  • Watch out for vulnerable periods. While phishing scams have peaked during the pandemic, now’s not the only time you should be on the lookout for trouble. Tax season is another time that presents more opportunities for criminals to steal valuable information. Since tax scams have been on the rise in recent years, make sure you are hyper-vigilant at tax time. The holidays are another particularly dangerous time, since the increase in online shopping and holiday bonus time means a higher risk of scammers accessing sensitive financial data.
  • Use multi-factor authentication. Multi-factor authentication adds an extra layer of security by requiring an additional method of account verification. So for example, if you are accessing your account from an unrecognized device, you’ll need to have a verification code provided via text, phone call, or email before you can log in to your account. This helps to prevent hackers from accessing accounts, as they’ll need to provide more than just login credentials. 
  • Keep current on security updates. Security patches are regularly released for all devices and popular web browsers. Remember how critical these are. It’s easy to ignore the frequent messages about security updates, but they’re important. They’re released to fix inevitable security loopholes that phishers can exploit, and should be downloaded and installed ASAP.
  • Install anti-phishing software. Anti-phishing software can help to detect and block malicious content contained in emails and websites, usually with a warning to the user. Many web browsers integrate this software with a toolbar that displays actual domain names, which helps you identify fraudulent websites that are mimicking legitimate ones. Because this software is often integrated with web browsers, it’s especially important that you keep your browser up-to-date. 
  • Monitor changes to bank information. If you have employees that are attempting to change direct deposit credentials, this should be closely monitored by your system administrators. And, if employees are requesting a change in bank account or routing numbers via email, HR professionals should verify those changes directly with employees. If you use Orbit Solutions, you can take advantage of notification features that will alert a designated payroll or HR administrator when an employee updates sensitive bank information. If you aren’t currently using Orbit Solutions, or another workforce-management system, establish safety procedures to manually monitor bank information changes. 
  • Use strong passwords. We can’t stress the importance of strong passwords enough. Passwords should have at least eight characters (the more, the better), and be a combination of letters (uppercase and lowercase), phrases, numbers and symbols (if allowed). Also, it's not recommended to use the same passwords for every account or to use default or temporary passwords that come with accounts or devices (including printers). A high volume of unique passwords can be hard to remember and manage, so it's not a bad idea to use a password manager. But, just remember, this also needs a strong password. Lastly, get into the habit of regularly updating your passwords. Visit this IRS page for more password tips.  
  • Secure wireless networks. If your wireless network isn't secure, cybercriminals could be stealing your data without you even knowing it. Follow these steps to protect your wireless network:
    • Change the default password of your wireless router and follow the strong password guidelines in number 10 above.
    • Reduce the wireless range (or power), so you're only broadcasting as far as needed. To do this, log in to your router's WLAN settings and lower the Transmit (TX) power, which is likely under an "advanced settings" option.
    • Do not name your router something that's personally identifying, such as the name of your company. Also, disable the service set identifier (SSID) broadcast so it can't be seen by anyone who doesn't need to use your network.
    • Do not use wired-equivalent privacy (WEP) to connect your computers to the router, as this is not secure.
    • Do not use public wi-fi at coffee shops and airports when accessing business email or sensitive documents.  
  • Use a workforce management solution. If you aren’t already using a workforce management technology, it might be time to consider it. A safe, secure solution makes it easier for you to prevent and monitor malicious phishing attacks. With Orbit Solutions, for example, we take phishing-scam precautions on your behalf. Not only do we proactively monitor our software for suspicious activity, but we also provide multi-factor authentication to enhance our clients’ account security. 

If you’re interested in learning more about how Orbit Solutions can help safeguard against phishing attacks, please contact Payroll Data Services today. We’re happy to help!


Full-Circle Workforce Management

Orbit Solutions transforms the way you recruit, manage, and grow your workforce.

Learn More