For payroll and HR services provider Paychex, processing a massive volume of payments is a basic business function. Some payments to clients' employees are check disbursements, but the vast majority happen either via ACH or the Real-Time Payment (RTP) network. Paychex makes approximately 15 million EFT payments, worth several billion dollars, every month.

That means payment fraud is always top-of-mind for Paychex management, and the organization has a dedicated fraud prevention team. "Fraud is much more common these days than it was years ago," says Tim Yandow, fraud supervisor. "We separate fraud attempts into two types: new account fraud, which is a bogus client providing fictitious or stolen business information to enroll in our services, and cyber fraud, where the attacker is trying to steal the payments of legitimate clients."

Within the cyber fraud category, Paychex breaks down attacks further. Account takeovers (ATOs) involve a criminal stealing the user credentials of an employee in a client's HR or finance function, with the goal of logging into the Paychex system and changing information to redirect that firm's payroll. Business email compromise (BEC) schemes can target either clients or Paychex employees, attempting to convince the target to change payment information by sending emails that appear to come from a known source. For example, Yandow says, "they might say: 'We have a new contractor that we need to pay; they were supposed to be paid last week. We need to add them to the payroll and pay out $20,000 right away.'" Meanwhile, social engineering attacks target Paychex employees, imitating a legitimate client via phone or chat with the intent of changing bank account data and launching a payroll run or a round of bonus payments.