Recruiter - Special Report: Payroll Security Nov/Dec 2021


Special Report

PAYROLL SECURITY WWW.RECRUITER.CO.UK

Special Report Cover_Recruiter NOVEMBER DECEMBER_Recruiter.indd 33

18/11/2021 09:00



EDITOR’S COMMENT

Concerns that some UK umbrella companies’ systems had been compromised recently by fraudsters will have sent a chill down the collective spines of contractors, recruitment agencies and the umbrellas themselves. Cyber is the channel of choice today for infiltrating the inner workings and net infrastructure of major organisations, but it seems old-fashioned techniques of deception and devious minds did much of the damage in these cases. With the vast amounts of money flowing through umbrellas’ payroll systems, it’s no surprise that they’re a target for fraudsters. In our Special Report, technology journalist Sue Weekes speaks with the experts about how you can protect your business and the steps you should take now to do so. We also reinforce the ongoing call for government regulation of the umbrella industry – a long-overdue move that would protect contractors and temporary workers, recruitment agencies and the umbrellas themselves.

DeeDee Doke, Editor, Recruiter/recruiter.co.uk

ATTACK OF THE PAYROLL CLONES

Fraudsters are cloning umbrella companies and then contacting recruitment companies with new bogus bank details. Sue Weekes investigates the lengths criminals are going to and how umbrellas, recruiters and contractors can spot the signs and remain protected and secure.


When is imitation not the sincerest form of flattery? Answer: when your company is cloned. This is the situation a number of umbrella companies appeared to find themselves in recently when companies with names similar to theirs were registered at Companies House. Among them was Clarity Umbrella, whose owner and founder, Lucy Smith, told Recruiter that a company was initially registered with the name Clarity Umbrela (with one ‘l’) Ltd. She contacted Companies House and was informed this had since been changed to Clarity PAYE and was told it was sufficiently different from her company name.

“The fact that something similar had happened to several umbrella companies with the same director’s name showed that something was not right,” said Smith, explaining that she then took to social media to voice her opinion and alert her network to what was happening. “I said ‘this is not Clarity’ and we all need to raise awareness so this becomes too hot to handle.”

Phil Pluck, CEO of the Freelance & Contractor Services Association (FCSA), which is currently investigating the situation, explains that having created the clones on Companies House to gain legitimacy in the “eyes of the unwary”, the fraudster’s final act is to contact numerous recruitment agencies – whose PSLs are openly available to view – and then inform them that their preferred umbrella company has changed its banking details, because of any one of the following:

● a criminal hack has been attempted on its current bank account
● change in directors/ownership has taken place, hence the need for new accounts
● the bank has offered a more secure portal account, so the details are new.

“The fraudster then goes on to assure the agency through VAT registration documents, Companies House numbers, and details of current banking arrangements, so that the avenue for a sophisticated theft is now totally open.”

The cloner’s attempts to build legitimacy also included scraping social media and professional networks and job boards to access personal information. It also emerged that some contractors were being contacted by the clones offering them preferential terms such as 85% take-home pay. Julia Kermode, founder of IWORK, which provides a range of resources to support all types of independent workers, and former CEO of FCSA, believes it is a concerted effort by somebody to undermine the umbrella industry.


Clearly, Kermode is extremely well-informed and able to spot the incorrect details of many of the companies in the sector but, as she highlights, if you aren’t, it is easy to be duped.

“They are sometimes changing one or two letters and, for example, have listed one company as LLP. I know that isn’t the case but a recruitment agency may not know that level of detail,” she says.

At the time of writing, Pluck said that so far he has known of only one successful attempt, which amounted to £60k of umbrella fees being transferred out of a recruitment agency to a false bank account, but warns: “This practice is also happening further up the supply chain where recruitment firms are being cloned in order to bring on board innocent job applicants and contractors.

“Vigilance is the key to preventing an actual cloning attack alongside robust IP protection of your brand should you need to take action if cloning has already taken place.”

Further harm must be prevented by ensuring those behind the clones don’t get access to bank details, and the onus is on recruitment agencies to undertake due diligence in any dealings with umbrellas, especially in conversations over money transfers.

Check, check and check again

Robust checks need to be in place and Pluck recommends each company in the supply chain should have a single point of contact (SPOC) who carries agreed passwords, and if any banking details are to be changed then this platform should be the first stage in any changes.

“Where money transfers take place from end client to agency or agency to umbrella then very strict transfer protocols should be in place and should always be a double or even triple check system. Passwords should be used and be highly restricted, transfers should be confirmed immediately on both sides and never change banking details from any party in the supply chain unless a separate protocol has been agreed and is acted upon.

“Always query any calls coming in to make banking changes or indeed providing supporting documents. AI is now becoming so sophisticated that there is emerging software that can replicate voices and indeed images in remote meeting platforms hence the need to have multiple protocols if any changes are made.”

Stamping out the cloning activity is a challenge, especially if legal action is prevented because the cloner is operating in an offshore jurisdiction. It is not, of course, a sector-specific problem and happens across all industries, but it has come in what has already been a difficult year for umbrellas, with a BBC investigation finding that 50,000 mini-umbrellas were operating tax avoidance schemes, which reportedly cost the taxpayer millions. Kermode describes the timing as interesting in this regard, which is why she remains convinced it is a deliberate attack to further tarnish the industry.

That the sector has been targeted is also no surprise given the large amounts of money that are transferred across companies in the supply chain. As James Poyser, founder of offpayroll.org.uk, which seeks to promote transparency in the sector, points out, the “eye watering amounts of money that flows through means a cloner wouldn’t have to have a great success rate to make a lot of money.

“So it’s always going to attract people looking to exploit this,” he says, adding that compounding the problem is that it is all too easy to set up an umbrella company in the first place. “The umbrella market is not regulated so anyone can spring up and be an umbrella company, which means there is very little legal protection against preventing this happening in the first place.”

Offpayroll.org.uk recently launched a new rating system for umbrellas called FairScore to highlight ethical, well-run companies and those that are rogue, and campaigns for regulation in the sector (see The Road to Regulation).

HOW TO SPOT A CLONE

The FCSA provided Recruiter magazine with the following guide to spotting a clone. It says these are the key clues to look out for:

● lack of any other presence. Cloners need to keep below the radar while creating just enough legitimacy to convince agencies or contractors. They also need to get in quickly, steal the money and run
● no website presence
● no presence on social media
● no heritage on Companies House. Clones are typically very infant with no accounts
● the same old names. It is often the same directors who set up multiple clone companies in a very short space of time, often from the same address which is often just an address of a residential property, and often multiple occupancy
● those directors are often based outside the UK. Currently, the trend is towards a handful of individuals who are based in India
● a clone company will differ only slightly in name from the legitimate one. It might be just one letter or number or an added word to the company title, for example, ABC Ltd becomes ABC1 Ltd or ABC Pay becomes ABC Paye.
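The FCSA clue that a clone differs only slightly in name from the legitimate company (ABC Ltd becoming ABC1 Ltd, ABC Pay becoming ABC Paye) can be checked automatically whenever an email, invoice or bank-change request names a supplier. The Python below is an added example, not part of the original article or any FCSA tool; the approved-supplier list, the word lists and the two-edit threshold are assumptions.

```python
import re

# Constructed approved-supplier list (PSL) using names quoted in the article.
APPROVED = ["Clarity Umbrella", "Pendragon Consultancy", "ABC Ltd", "ABC Pay"]

# Assumed word lists for this example; tune them to your own supplier list.
LEGAL = {"ltd", "llp", "plc"}                      # legal-form words
GENERIC = {"paye", "pay", "payroll", "umbrella",   # service words a clone
           "account", "services", "group"}         # may add or swap

def tokens(name):
    """Lower-case alphanumeric words, with 'limited' folded into 'ltd'."""
    words = re.findall(r"[a-z0-9]+", name.lower())
    return ["ltd" if w == "limited" else w for w in words]

def spelling(name):
    """Name without legal-form words, squashed for letter-level comparison."""
    return "".join(t for t in tokens(name) if t not in LEGAL)

def brand(name):
    """Brand words only: legal-form and generic service words removed."""
    return tuple(t for t in tokens(name) if t not in LEGAL | GENERIC)

def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_name(candidate, approved=APPROVED, max_edits=2):
    """Return (verdict, closest approved name or None, reason)."""
    for name in approved:
        if tokens(candidate) == tokens(name):
            # A matching name proves nothing on its own: confirm the company
            # number and bank details through your existing contact.
            return ("exact", name, "name matches approved supplier")
    dist, name = min((edit_distance(spelling(candidate), spelling(n)), n)
                     for n in approved)
    if dist == 0:
        return ("lookalike", name, "same name, different legal form")
    if dist <= max_edits:
        return ("lookalike", name, f"{dist} character edit(s) from approved name")
    for name in approved:
        if brand(candidate) and brand(candidate) == brand(name):
            return ("lookalike", name, "same brand, service word added or swapped")
    return ("unknown", None, "not on the approved list")

if __name__ == "__main__":
    # Constructed inputs: clone names reported in the article plus one control.
    for seen in ["Clarity Umbrela Ltd", "Clarity PAYE", "ABC1 Ltd", "ABC Paye",
                 "Pendragon Consultancy LLP Ltd",
                 "Pendragon Consultancy Ltd Payroll Account Limited",
                 "Orca Pay Group"]:
        print(f"{seen!r}: {check_name(seen)}")
```

A "lookalike" verdict is a reason to hold any bank-detail change and verify through the agreed contact, not proof of fraud.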

Be commercial and compliant

Janet De-Havilland, founder and CEO of Pendragon Consultancy, which is an expert in compliance and delivers a range of services in the temporary and contract labour market, is currently working with the authorities and the FCSA following the appearance of two apparent clones: Pendragon Consultancy Ltd Payroll Account Limited and Pendragon Consultancy LLP Ltd. Like Smith, she alerted people on LinkedIn and believes openly discussing it is important.

“If we keep it all quiet, these people will be allowed to work under the cover of darkness and we all need to help to shine a light on it,” she says. “Also, if you’re a client, you would be disappointed if the first time you heard about this issue is when money has gone missing.”

Pendragon carries out compliance audits for clients and she believes compliance lies at the heart of tackling this and other issues the sector faces. She adds that clients are often shocked when they see where the holes are in their processes and systems following an audit. Part of the challenge is that sometimes the person charged with the responsibility for due diligence and compliance isn’t as senior as they should be. Pluck agrees and notes that the fraudsters are often targeting middle grade employees of contractor recruitment agencies, perhaps knowing that senior directors will be on top of what transfer protocols are in place, and “thus smell a rat”.

De-Havilland highlights another issue, too, which is that compliance costs rather than generates money. “When you go into some businesses and ask where compliance is in their hierarchy of importance, you can hear a nervous outburst of laughter,” she says. “Compliance teams are challenged all the time with the ‘we’ve got to get these people out to work, so let’s get on with it’ attitude. But if something goes wrong, things can become much more costly, and you potentially lose the client that you’re trying to help. You’ve failed in your due diligence, and you’ve failed the client.”

The answer, she believes, is moving compliance up the agenda and her desire is to bring it “screaming and kicking” from the back office to ensure it’s on the table of “every senior manager and boardroom director”.

“Yes, you have to be commercial – I’m as commercial as the next person – but I believe you can be good commercially, and you can be good compliantly,” she says.

THE ROAD TO REGULATION

Campaigners for regulation in the umbrella market had hoped that this year’s autumn spending review would have allocated funding required to get the Single Enforcement Body (SEB) up and running and bring lasting positive change in the sector. Disappointingly for them, it didn’t feature this time round and attention now turns to the spring.

James Poyser, founder of offpayroll.org.uk, and Rebecca Seeley Harris, chair of the Employment Status Forum and former senior policy adviser to the Office of Tax Simplification, submitted the policy document ‘Umbrella Companies: call for regulation’ to the Spending Review in September, having previously sent it to BEIS in the spring. The pair were motivated to write the document by the feeling that the industry wanted to change. They contend unscrupulous behaviour has reached “a tipping point”, with regulation the only course of action. Poyser said the document was backed by many umbrellas because it closes the loopholes that allow unethical practices and tax evasion to persist.

Among supporters is Lucy Smith, founder of Clarity Umbrella, who also gave input into the policy document. “If we were regulated it could stop the agency PSL and we wouldn’t be allowed to trade unless we were doing things properly,” she says. “I think it is disappointing that the budget gave us no support. The government have forced more contractors to work via umbrella companies yet offer no protection against the cowboys in the industry.”

Even though there was no mention in the autumn budget, Poyser says he would be surprised “if it was off the table altogether” and has meetings lined up with BEIS over the coming weeks. “It may be that the particular department wasn’t ready to ask for the money yet because they need to think it through and make sure they’ve got a really good plan because they are only going to ask for this money once,” he said. “They need to make a considered plan and ensure it’s going to be effective. Hopefully, in the spring, we’ll see them come back and say, ‘OK, this is what we need to get things started’.”

Poyser explains that the Single Enforcement Body (SEB) would give contractors somewhere to go to if they had a problem with their umbrella company as they currently fall between government departments. “You can go to HMRC about some tax and National Minimum Wage-related matters but really egregious things that some of the umbrella companies do are lawful in the eyes of HMRC,” he says. “If it’s well resourced, the SEB could ensure they are treated lawfully.”

In the meantime, offpayroll.org.uk has launched what it describes as a “stopgap” rating system to its website called FairScore, which aims to help workers find compliant, fair and ethical umbrellas to run their payroll. Umbrellas are invited to assess their operations against a comprehensive set of criteria associated with ethical and fair best practice and FairScore then provides a score out of 100. Poyser explains that 90% of the points in FairScore are based on information in the policy document sent to the government.

“What we’re trying to do with FairScore is say, ‘OK, there’s a lawful minimum that you can do but what if you want to go above and beyond that and make sure that everybody in the supply chain is treated fairly?’ And that’s where FairScore comes in,” he says, acknowledging that it might not be taken up by everyone but is a positive step forward. “The analogy I give is that of fair trade chocolate: it’s not for everybody but there are a lot of people that put a lot of trust in the provenance of their cocoa beans. FairScore means that anybody from the supply chain – end-client, recruitment agency and contractor – can see what an umbrella is doing to make sure those workers are being treated fairly.”

Rob Sharp, CEO of Orca Pay Group, is a champion of regulation and says the company will be part of FairScore. In addition, Orca recently became the first umbrella to proactively get all of its financial activities audited by tax experts WTT, which it hopes provides everyone in the contractor supply chain with peace of mind. It provides WTT with full access to the Orca bank accounts, HMRC portal and its real-time compliance platform The Apex. The latter provides agencies and businesses time-stamped records from HMRC as well as providing a full transparent audit trail each time a payroll is processed. As part of the process, Sharp explains that agencies and businesses are shown all HMRC liabilities are correctly deducted, processed and submitted “to the penny”, as well as ensuring fair treatment for every contractor paid.

Sharp admits that he is terrified when he sees how “blunt, blatant and in your face” some avoidance schemes, mini umbrellas and disguised remuneration products are being flaunted. “It’s the worst I’ve seen it in 17 years in the industry,” he says. “But if every single umbrella was independently audited, we could drive these bad practices out overnight.”

Because it has its own audit platform and software, Orca is being entrusted to carry out audits on behalf of recruitment agencies or businesses on other payroll partners. He said although a recruitment agency can be culpable and risks potential reputational and financial damage if avoidance schemes are found in its supply chains, there seems to be “an educational gap” about this among some agencies. “And I fear there is the potential for an Armageddon of reputational damage to agencies because they don’t take their due diligence responsibilities seriously enough.”

Robust reporting


Having robust processes in place benefits everyone in the supply chain. De-Havilland also urges contractors to be vocal if something doesn’t seem right and for umbrella and recruitment companies to be supportive of them. “Contractors can sometimes worry that if they raise an issue, they won’t get the job,” she says. “But it is important they report issues that seem unusual or that they have concerns about.”

Kermode agrees that contractors and other independent workers need support and guidance as they will be less able to spot if there is a problem. “They might be looking at umbrellas for the first time and simply won’t know if the product they are being offered is dubious.”

Of course, Recruiter cannot comment on any legal investigations that may be taking place but Charlotte Gerrish, a commercial law and data protection expert and founding lawyer of Gerrish Legal, explains that there are two areas that those affected should explore. If the cloning attack leads to a data breach, this will be covered by GDPR because it applies to companies that process data of UK individuals regardless of where they’re located. “So that could be a route to getting at the cloners,” she says, but she also warns that umbrellas need to be vigilant and act quickly if they notice anything untoward so they don’t find themselves liable for a data breach.

Gerrish highlights the case of British Airways, which was the target of a cyberattack in 2018 that remained undetected for more than two months. The Information Commissioner’s Office (ICO) fined the company £20m for failing to protect the personal and financial details of more than 400,000 of its customers. An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place and the failure broke data protection law.

“So those running payrolls need to be alert to cloning, a cyberattack or any activity that could lead to a data breach,” she says.

While it is difficult to stop someone subtly changing a company name on Companies House, Gerrish explains that trademarking provides more protection and this is something that could be considered going forward for those umbrellas that haven’t already done so.

“The test is: is what they are doing to names likely to cause confusion to the relevant public – the relevant public in this case being other umbrella companies, recruitment agencies, end-user clients and contractors?” she says. “Adding something like PAYE or anything that references the services delivered would be considered a trademark infringement.”

This still wouldn’t get around the problem if the cloner operates offshore but may be worth considering as good practice going forward for umbrellas that haven’t trademarked their name.

Continuity and resilience plan

The era of digital transformation means that going forward, all organisations in the recruitment supply chain must be alert to known and unknown threats ranging from online scams and cloning attempts right up to sophisticated cyberattacks. In September, Giant suffered a cyberattack, which is still under investigation. It was understood to be a ransomware attack, which is where cybercriminals can potentially freeze operations and demand a ransom payment.

Pluck recommends that organisations imagine the “worst-case scenario” and build a disaster plan around it. “This costs money but there are very clever and legitimate firms who will take you through something called penetration testing. They will, in a safe environment, attack your company with the latest technology and reveal to you where your defences are weak.

“Your IT support should be as active in providing security analysis as they are providing the operating platforms to function.”

And he has a stark message for those who have reservations about investing money in this area: “Imagine the cost to your company if you are actually cloned and/or hacked. If your defences are not robust enough and your transfer protocols aren’t tight then a business you spent 10 years developing can be brought down in 24 hours.”
