How Paychex’s Investment in Fraud Prevention Is Paying Off

The winner of the 2024 Gold Alexander Hamilton Award in Operational Risk Management & Fraud Prevention is ... Paychex. Congratulations!

For payroll and HR services provider Paychex, processing a massive volume of payments is a basic business function. Some payments to clients’ employees are check disbursements, but the vast majority happen either via ACH or the Real-Time Payment (RTP) network. Paychex makes approximately 15 million EFT payments, worth several billion dollars, every month.

That means payment fraud is always top-of-mind for Paychex management, and the organization has a dedicated fraud prevention team. “Fraud is much more common these days than it was years ago,” says Tim Yandow, fraud supervisor. “We separate fraud attempts into two types: new account fraud, which is a bogus client providing fictitious or stolen business information to enroll in our services, and cyber fraud, where the attacker is trying to steal the payments of legitimate clients.”

Within the cyber fraud category, Paychex breaks down attacks further. Account takeovers (ATOs) involve a criminal stealing the user credentials of an employee in a client’s HR or finance function, with the goal of logging into the Paychex system and changing information to redirect that firm’s payroll. Business email compromise (BEC) schemes can target either clients or Paychex employees, attempting to convince the target to change payment information by sending emails that appear to come from a known source. For example, Yandow says, “they might say: ‘We have a new contractor that we need to pay; they were supposed to be paid last week. We need to add them to the payroll and pay out $20,000 right away.’” Meanwhile, social engineering attacks target Paychex employees, imitating a legitimate client via phone or chat with the intent of changing bank account data and launching a payroll run or a round of bonus payments.

“Unfortunately, we’re seeing attacks in each of these categories several times a day now,” says Chris Voos, fraud risk analysis manager with Paychex. “We’re seeing exponential growth in fraud activity year over year. And it’s cyclical—we will see different types of attacks become more or less prevalent over time. Sometimes we’ll see huge influxes in new account fraud. Other times it’s ATO. Other times it’s BEC. It’s always changing, but it’s also always growing.”

Not surprisingly, when Paychex launched a fully self-service portal for clients, the potential for fraud was a key concern. Paychex Flex is a cloud-based human capital management platform that enables employers to add and remove employees, change payment routing, and even onboard themselves as new Paychex clients. Providing self-service online access to these capabilities accelerates the processing of changes, creating efficiencies for both Paychex and its clients.

“One of our objectives as a business is to support all our customers in whatever way they wish to process,” says Todd Wachob, a senior risk manager with Paychex. “Many want self-service payroll—they have a very small business, and that’s how they want to operate as a payroll customer—so we had to offer that option. We also still offer more traditional support, providing payroll specialists with whom clients can interact if that’s their preference.”

The introduction of self-service functionality boosted Paychex’s competitiveness, but it also introduced a new avenue for payment fraud. A criminal might, for example, try to add fake employees to an existing client’s payroll. “We might have a legitimate client that we service for payroll,” says Yandow, “but if a bad actor could access the system posing as an HR employee, they might be able to make bank account changes and divert those payments.”

As Paychex launched the self-service Flex system, management tasked the fraud prevention team with blocking 98 percent of all payment fraud attempts. “That is our target, and the team is exceptional at hitting that number,” Wachob says. “But it’s also very important that we look at fraud prevention from a customer experience standpoint and from the sales and servicing perspectives. We need to prevent the fraud without becoming so conservative that we introduce unnecessary levels of friction with respect to the client experience. Our clients don’t want to get multiple calls a week from us verifying every change they make to their payroll—that defeats the purpose of offering self-service capabilities. They want to be able to make changes and not require follow-up every single time to confirm that their actions are not fraud.”

Fortunately, Paychex was in a good position to address this challenge with technology. The fraud prevention team included some technically savvy members with the skills to develop a solution internally, without relying on packaged software or external consultants. “My team has a direct line of sight into the types of fraud that we’re investigating, so we have exact knowledge of the characteristics we’re looking for” in communications and user behaviors, Yandow says. “It’s not uncommon for us to identify a new attack method and respond within 24 hours by building a new solution in-house.”

Yandow’s team leveraged this innovative spirit as the company built out Paychex Flex, developing a tool they call FraudFighter. The tool pulls information from all sorts of source systems, including multiple payroll solutions, databases, EFT payment systems, sales platforms, and the Paychex 401(k) system, as well as repositories of historical data, enriched with information from third-party sources. Using all this disparate data, FraudFighter searches for potentially problematic transactions.

“FraudFighter is an automated process that is constantly scanning our production environment for banking changes, high-risk payments, all sorts of suspicious activity,” Voos says. “When it detects something it deems suspicious, it creates an alert for one of our fraud analysts to investigate. Equally important, when analysts receive alerts from FraudFighter, we don’t just get the notification; we also get immediate access to information about the client’s transaction history, where they typically process payments from, and what their normal payroll looks like.”

Because FraudFighter monitors transactions in real time, Voos and Paychex’s other fraud analysts can often stop problematic payments from going out. “We had some of the same controls in place previously, but with FraudFighter, everything is more automated,” Voos says. “We receive the alerts faster, and we have a lot more information at our disposal to make faster and more efficient decisions.”

In addition to saving the team the time it previously spent pulling data from multiple systems, FraudFighter has dramatically reduced the amount of noise in the alerting process. “Paychex sees 500,000 bank account change requests per month, so finding fraud manually is like searching for a needle in a haystack,” Yandow says. “But FraudFighter’s automated screening is like taking that haystack, running it through our filters, and giving the fraud analysts a few pieces of straw along with each needle, making the needle easily identifiable. About 1 in 10 alerts coming out of FraudFighter are actual fraud. Naturally, that is an incredible time-saver.

“One of the things that really helped us reach this point,” he adds, “is diving into more and more data sources. We’re always looking for new data points we can leverage. Attackers leave footprints behind when they’re hitting us, and FraudFighter can recognize anything that displays as anomalous or stands out from a standard baseline. As FraudFighter continues to evolve over time, the goals will be to keep diving into the data and finding out what the anomalies look like.”
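One way the alerting described above could be built, as an added example that is not Paychex's FraudFighter code: a per-client baseline (where payroll normally runs from, typical run size) is learned from history, each bank-account-change request is scored against it, and every alert carries that baseline context so the analyst does not have to pull it by hand. Client ids, history rows, events, rule weights and the alert threshold are all constructed assumptions.

```python
"""Added example, not Paychex's FraudFighter: learn per-client baselines from history,
score bank-account-change events against them and emit enriched alerts. All data is constructed."""
from collections import Counter
from dataclasses import dataclass
from statistics import median
ALERT_THRESHOLD = 4  # constructed: a single ordinary signal stays quiet

# Constructed history rows: (client, country the payroll was run from, run total).
HISTORY = [("C-100", "US", 41_000.0), ("C-100", "US", 43_500.0), ("C-100", "US", 42_000.0),
           ("C-200", "US", 9_800.0), ("C-200", "CA", 10_100.0), ("C-200", "US", 9_900.0)]

@dataclass
class ChangeEvent:
    client: str
    employee: str
    country: str                  # where the change request originated
    new_employee: bool            # employee record created in the same session
    hours_to_next_payroll: float
    next_payroll_total: float

def build_baselines(history):
    """Per-client 'normal': countries seen before and the median payroll run size."""
    acc = {}
    for client, country, total in history:
        b = acc.setdefault(client, {"countries": Counter(), "totals": []})
        b["countries"][country] += 1
        b["totals"].append(total)
    return {c: {"countries": set(b["countries"]), "median_payroll": median(b["totals"])}
            for c, b in acc.items()}

def score_change(ev, baselines):
    """Weighted rules (constructed weights); returns (score, list of reasons)."""
    b = baselines[ev.client]
    rules = [
        (ev.country not in b["countries"], 3, f"origin {ev.country} never seen for client"),
        (ev.new_employee, 2, "bank change on an employee added in the same session"),
        (ev.hours_to_next_payroll < 24, 2, "change less than 24h before the payroll run"),
        (ev.next_payroll_total > 1.5 * b["median_payroll"], 2,
         f"next run {ev.next_payroll_total:.0f} exceeds 1.5x median {b['median_payroll']:.0f}"),
    ]
    hits = [(w, why) for cond, w, why in rules if cond]
    return sum(w for w, _ in hits), [why for _, why in hits]

def build_alerts(events, baselines):
    alerts = []  # each alert carries the baseline context an analyst would otherwise look up
    for ev in events:
        score, reasons = score_change(ev, baselines)
        if score >= ALERT_THRESHOLD:
            alerts.append({"client": ev.client, "employee": ev.employee, "score": score,
                           "reasons": reasons, "baseline": baselines[ev.client]})
    return alerts
```

With the constructed data, a change from a never-seen country on a just-added employee hours before an oversized payroll run scores 9 and alerts, while a routine change from a known location scores 0 and stays silent.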

When an activity that FraudFighter alerts on turns out to be fraud, the fraud prevention group identifies the type of attack and works with the client to respond. “We’re pretty proud of some of these programs, especially those we installed to combat BEC threats, because in some cases they have been savvy enough to reach into changes our clients made themselves and identify fraud events when our clients were the ones being duped,” Yandow says. “In response, we may reach out to the financial institution and try to get the account frozen or shut down. Sometimes we even attempt to recoup funds on the client’s behalf.”

The fraud prevention group also works with Paychex sales and customer service staff to build their awareness around fraud risk. “Tim’s team does companywide fraud training to make sure our sales and service reps understand how pervasive this type of stuff is and that they have a platform for escalating suspicious activity,” Voos says. “They have all likely worked with clients in the past who were victims of fraud, or they might have even brought on board a fraudster that they thought was a legitimate client. Awareness among sales and service personnel enables them to play a role in fighting fraud.”

In fact, Wachob adds, some Paychex representatives reference fraud prevention as a competitive differentiator during the sales process. “FraudFighter enables us to help our small-business customers avoid losses. So a lot of our salespeople, when they engage potential customers, describe our fraud prevention program to reassure prospects that, in addition to all the other great services Paychex offers, we will protect their bank data, their funds, and their employee information. And if there ever is a fraud event, we will help them through the remediation process.”

Because the fraud prevention team developed FraudFighter internally, the solution is constantly improving as the fraud landscape changes. “It’s not only the volume of fraud that is increasing,” Wachob says. “It’s the quality of the attacks and the different types of attacks that we’re seeing—variations on old attacks, plus new types of attacks. We are able to prevent 98 percent of attempted attacks because of the flexibility we gained by building a tool that is entirely customized to our business, with the in-house expertise to quickly make changes. If an employee approaches the fraud prevention team today saying they are seeing a new type of attack or a modification to an existing attack, the fraud prevention team can update FraudFighter almost instantly to recognize the new threat.

“Fraud moves very, very quickly,” he concludes, “so FraudFighter is a living machine that we are continuously improving. This type of flexibility is a critical component to the long-term success of any fraud prevention program.”