• Share this Episode


10/3/2017 | Episode 7

Yes, You Should Care about Payroll Fraud

If you’re like most people, you probably don’t spend too much time thinking about payroll fraud. You might not even know what it is. In this episode, we sit down with Greg Wilson, risk product specialist at Gusto, to learn why payroll fraud matters more than you realize. Then Greg and Kevin Lee, our trust and safety expert at Sift Science, compare notes on building an effective risk team.


Roxanna “Evan” Ramzipoor is a content marketing manager at Sift. Her debut novel The Ventriloquists will be released in 2019.


Evan: Welcome to Trust and Safety in Numbers presented by Sift Science. I’m your host, Evan Ramzipoor, here today with Kevin Lee, Trust and Safety Architect at Sift Science and Greg Wilson, Risk Product Specialist at Gusto. Thanks for joining me.

We’re chatting today about how Gusto and other companies fight fraud in the changing landscape but first let’s warm up with a quick fraud fact. Did you know that most fraudulent transactions take place at 3:00 AM? For more weird fraud facts based on Sift Science’s data check out “Seven Habits of Highly Fraudulent Users” on the Sift Science blog. Now onto the interview.

So tell me a little bit about who you both are and your experience in the fraud space, starting with you, Kevin.

Kevin: All right. Great to be here today. My name is Kevin. I’ve worked in the fraud and risk space for, gosh, over 10 years now. And so I started off at Google working ads fraud and did that for several years. Then also worked at Square where I headed up the risk chargebacks and recovery teams. And then also my last role was over at Facebook where I managed the spam team for both Instagram and Facebook and then just joined Sift Science about seven months ago.

Evan: Cool. And what about you, Greg?

Greg: Thank you so much for having me in. My name is Greg. I’ve been in the fraud and risk space for about seven years. Started off my career in the healthcare fraud space for a few years and then, similar to Kevin, worked at Google and Square mostly on operational roles to make sure we’re catching fraud and surfacing new trends for the team. And right now, I am a Risk Product Specialist at a company called Gusto which specializes in payroll and HR benefits. And what I’m focusing on is creating new products for our team to use to catch fraud internally as well as new protections for our customers who are using our products.

Evan: So, Greg, what kind of fraud are you seeing in particular? What have you needed to adjust to in this new role and what’s different about it than roles that you’ve had in the past?

Greg: So the difference between what I do now as a product specialist at Gusto and what I’ve done previously is that this particular role is more focused on product. We want to develop new innovative ways to catch fraud. We want to be able to alert our customers for any potential account takeovers and at my previous roles at Square and Google it was mostly operational. So I was in the weeds looking at transactions daily and surfacing these trends to the risk engineering team to improve their model. So it’s a little different since we are focusing at more of a high level in how to approach and tackle fraud but it’s really interesting and great so far.

Evan: Awesome. And what kinds of fraud are you seeing?

Greg: So the kinds of fraud that we’re seeing are fraudsters attempting to create shell companies that have the intent to run payroll for their supposed employees. A fraudster would be able to hijack bank accounts in order to debit funds making it look like that they are processing payroll but in fact they’re trying to credit their own personal bank accounts. So it’s a lot of shell companies that don’t exist or companies that do exist with their information already compromised. But because we don’t meet a lot of our customers in person, we only have the information and the data that is given to us at the time to do the analysis.

Evan: Interesting. And how common is payroll fraud?

Greg: I think payroll fraud is quite common. We see attempts every day of folks that are trying to steal from Gusto and I think it’s becoming more and more of an issue as, you know, our company gets larger, as, you know, we get more recognition. And fraudsters are trying to attack this angle aside from other payment processors out there. So it is an issue that we have to be very cognizant about. The stakes are high. I mean, if you imagine how much money is moved in any given payroll period if any one of those happens to be fraudulent the company is on the hook. So it is a high stakes game and it’s something that we’re really passionate about to stop.

Evan: So what steps can businesses take to reduce the likelihood that they might experience payroll fraud?

Greg: Yeah. So there’s two tips that I would advise businesses to adopt in order to hedge that risk. The first is if you’re using Gusto for payroll or another payroll provider, definitely enable two-factor authorization or 2FA. What this does is it provides an added guard or protection for your account in case a fraudster does have access to your email address or your password. Another tip I would give for business owners and employees is to always set bank alerts for your particular business account or your personal account. And what I mean by bank alerts is a way to get notified if there’s any unusual debits, any unusual activity on your account, anything that you need to know immediately so that you can take the right steps to rectify that situation. And just making sure that you don’t lose as much as you could potentially lose without monitoring your accounts.

Kevin: And then do you see…most of the fraud that you see on your platform, is it from known businesses that maybe have a rogue employee or something, or is it a fresh fraudster out there that’s just creating a company out of nothing and then hitting you guys up?

Greg: Yeah. So we don’t see the rogue employee angle. We see fraudsters either compromising existing company information by looking online and viewing public information that companies provide or creating a completely fake account and using stolen credentials to make it look like they’re legitimate and with the intent to run payroll for their employees.

Evan: So this question is for both of you. So you both worked with a variety of fraud solutions that have used both automated technology and also real life teams and some combination of both. Can you speak to the pros and cons of those approaches? And we can start with you, Kevin, if you’d like.

Kevin: Sure. I’d say in the end both human and machine are necessary to kind of do a great job of fighting fraud. There’s not going to be a 100% human solution or a 100% machine solution frankly. The way that I’ve seen them work well is where machines, they’re good at crunching numbers, digging into data, learning from a huge set of data and then making binary decisions from there. Humans are really good from a contextual standpoint in making nuanced decisions and they have the ability to go deep into these type of investigations.

So, for example, if I see the email address chisox23@hotmail.com, a machine may see that as gibberish just because it’s not really matching up with the person’s name but if a human investigator comes across this particular email address and they notice, for example, the order is coming from Illinois or Chicago, chisox might be short for Chicago White Sox, the number 23 is particularly relevant to Michael Jordan who also played for a team in Chicago. So that additional context may be beneficial towards that investigation. Pretty difficult for a machine to extrapolate that but pretty easy for a human to derive that.

Greg: I’d have to agree with Kevin. I think the most successful risk teams I’ve worked with have had a healthy marriage and balance of relying on automation and also a strong analytical risk team. The pros for automation is that it’s easy, it’s quick and it’s a timesaver. So you’re able to program logic into what constitutes a risky account or even automate decisions based off of what type of risks you’re seeing. The downfall of that is that machines and automations aren’t quite as smart as humans as of now at least. It’s hard to pick up on nuanced trends, it’s hard to pick up on reading between the lines and that’s where the risk analysts can really provide value and look beyond what a machine can output.

So as Kevin mentioned, risk analysts are able to take a deep dive into the account, really look at the transaction inside and out and then make a very informed decision. So it’s a very powerful, you know, reliance of being able to do that investigative work. But the downside of having and solely relying on a risk team is that it’s expensive, you know. If you continue to grow and scale and if you continue to add folks to your team it does cost quite a bit as well as, you know, it’s hard to scale that as you do grow as a business. So I think the best combination is just to have a lean, agile risk team that’s very focused, very analytical and strong automation that helps supplant and augment that work.

Evan: How have you guys seen risk teams change over the years? Have they…are they responding to new types of threats now? Have the methods that risk teams used changed? Can you speak a little bit to the changes? Starting with you, Greg.

Greg: Yeah, absolutely. Over the years I’ve seen new threats pop up all the time and I think as fraud evolves the risk teams have also evolved as well. One pronounced change that I’ve noticed is that the communication between risk operations and risk engineering and that feedback loop has become tighter. Maybe out of necessity. But as soon as there is a fraud event, since there is a timing component, both teams need to know exactly what to change. Maybe that’s a model or a process in order to prevent further loss or to catch these types of accounts in the future. So I’d say even positioning of a risk team next to a risk engineering team is beneficial because you’re able to interact on a daily basis and have that very strong feedback loop.

Kevin: One thing I’d say is from a technical perspective the folks that are being hired for these risk operations positions today need to be much, much more technical. In the past it was strictly about individual account review and investigation. Now it’s really about how many accounts can you take down at the same time. The amount of accounts that are fraudulent that are coming to the system are a lot. And it needs…we need tools and people to be able to respond to those things in a much, much more scalable fashion.

Evan: Are there ways that risk teams aren’t evolving but you think that they should be?

Kevin: From my perspective, I’d say folks still are not as data driven as they should be. We’re in Silicon Valley so there’s a ton of access to data sciences or engineering or even operations folks that have scripting or techno backgrounds. Across the country or across the world that may not be the same. And I think it’s going to take a number of years for that to catch up which if I’m a fraudster I’m like, “Awesome. That’s great. Maybe I’m not going to go after the Gustos of the world, but are there other payroll companies out there, are there other ecommerce companies out there that have not wised up and are really still doing things from a manual approach or from like an Excel approach and they don’t have machine learning or rules or whatever in place to be able to make really good decisions on the fly?”

This is especially critical for let’s say on-demand companies where you actually don’t even have time for a manual review team. Everything that you do is going to be post review. If someone wants to buy some concert tickets or needs to get a ride somewhere, you don’t have the luxury of a few hours or a few days to vet that person or to do a deeper investigation. You need to be able to make a decision like right now. And companies that wanna get into that space really won’t be able to compete if they think that they can do it manually.

Greg: From my point of view, and I have to agree with what Kevin was saying, was that the next evolution of risk analysts should have a very strong foundation in data manipulation. So this could be SQL, this could be Python. Something that would really augment the day-to-day operational work that risk analysts typically do in a normal risk team. The strongest risk analysts that I’ve worked with have had a plethora of data analysis experience and are able to take their investigation to the next level and not solely rely on risk engineering which, you know, by chance is probably really, really busy with everything else going on in their day to day. So in order to push the envelope and get to the next level I think risk teams do have to evolve and to become more technical, to learn these programing skills and to be able to communicate this very easily with the risk engineering teams which would then make progress a lot more quicker and efficient.

Evan: Let’s take a step back and stop talking about fraud prevention for a second and talk about the fraud that we’re actually preventing. So both of you have been in the fraud trenches for some time now. How has fraud itself changed over the course of your career? Are there certain verticals or spaces that are riskier than they used to be or less risky? What trends are you seeing there?

Kevin: So from my perspective I’d say with the Internet of Things happening in front of us and unfolding there are so many new things out there that 10 years ago wasn’t a thing. And so when we talk about micro lending or even in the payroll space, it’s been ADP for like ever. And now you have new startups that are challenging that role. Companies like Uber or Lyft in the on-demand space or Instacart or whoever, all these companies didn’t exist several years ago and it’s a space that is ecommerce but it’s not traditional ecommerce. And with that comes a lot of opportunity and it’s filling a void and solving a problem but from a risk and fraud perspective these are all new areas that can be exploited.

Evan: Cool. And Greg?

Greg: From my point of view fraudsters are getting better. They’re getting smarter, they’re being able to bypass protections that in the past were more reliable such as AVS, CVV but the trend that I see, especially in the past few years, has been more of a push towards online retail and committing fraud through a nontraditional brick and mortar business. So even as the US expands with how many online retail shops are conducting business through the internet and also overseas as this market is going, we’re gonna see a lot more fraud, you know, hit the online space. And, you know, this was something that was actually a warning from a lot of the experts back in 2015 with the introduction of the EMV liability shift. They said that it’s going to be a trend where since it’s harder to defraud normal POS systems that accept chip and PIN, these fraudsters are gonna move to more of an online approach. And we haven’t seen that. Especially with all these data breaches that have been happening in the past few years, most notably in 2016 with Yahoo. It’s a little scary about how much data these fraudsters have to play with in order to try and commit financial crime.

Kevin: I’d say we haven’t touched on it yet but account takeover is definitely a new vector to take advantage of with all the data breaches that have occurred. People are not very good at using unique passwords or strong passwords across the internet and that’s certainly going to become more and more of a thing. Plus, as people become more…even more reliant on the internet to do things like banking and ecommerce and healthcare, payroll, you name it, getting access to someone’s credentials is even that much more lucrative.

Evan: Yeah, that makes sense. I was waiting for you to mention account takeover. We haven’t had someone on the podcast yet who did not mention account takeover so I knew it would come up at some point.

Kevin: It’s gonna hurt the most. Yeah.

Evan: Yeah, yeah. That’s the way it is. So now that we’ve painted this grim picture of how difficult life is gonna be for fraud analysts in the future, if you had to give a word of advice as our parting words to a fraud or risk team or someone managing that team, what advice would you give?

Kevin: From my perspective it comes to data and the ability to track it, monitor it, mine it and then make actionable decisions from it. We have moved past individual accounts or fraudsters trying to do bad things on the system. We’re talking about massive scripted automated behavior that’s meant to not only steal someone’s credit cards but also their identities or their overall accounts as a whole. And going back to the data, you are able to track these things much, much more efficiently and look for discrepancies and anomalies in behavior as opposed to just a singular transaction. So many risk teams today may focus on a chargeback rate or a single transaction or an item but looking at the data, the behavior associated with what it took to make that transaction or make that purchase is fundamentally different than what a legitimate person would do. And understanding that data and then making decisions off of it is crucial.

Greg: My advice would be to never get comfortable and complacent because fraud is ever evolving and risk teams need to be at least two or three steps ahead to think of that next iteration of how they’re going to be preventing fraud for their company. By leveraging data, as Kevin mentioned, you can then decide what new tools that you need or what third-party integrations would help augment catching fraud and this is something that should be constantly discussed, brainstormed and eventually executed so that you’re prepared for eventually, you know, these types of new fraud vectors ahead.

Evan: Great. Thank you so much. That was Kevin Lee, Trust and Safety Architect at Sift Science and Greg Wilson of Gusto. Thank you for both for joining me.

Both: Thank you.

Your information will be used to contact you about our service and subscribe you to our direct marketing communications. You can, of course, unsubscribe at any time. Please see our Website Privacy Notice.