We all know that thieves these days are getting extremely creative and are very good at trying to steal not only your identity but your paycheck as well.


“We at PDS love this article. If hackers are trying to attack employees at Lee County Clerk of Courts (LCCC), then they’re probably doing the same to tens of thousands of other companies or governmental entities. And if some of them are PDS Vista customers, we want to help everyone be proactive in their defenses. Therefore, peppered throughout this article, we’ve added some extra information to help you shore up your defenses.” Marco Padovani, Senior Development Manager, PDS


Our payroll team here at the Lee County Clerk of Courts has a 100% track record of protecting over 3,500 employees’ paychecks from getting into the wrong hands.  Not to say they have not been tested – especially in the past few months.  Payroll has received requests from “employees” to change their bank account information.  On a few occasions, there was a copy of a “valid” check with the employee’s correct name and address stating that they had changed their bank and to please update their information.  However, something seemed “off” to payroll and when they contacted the employees involved they all stated that no, they did not request that their bank information be updated and were very thankful that payroll called to verify the information.  Imagine waiting for your paycheck to be in your bank account come pay day and it is not there and when you notify payroll they tell you that you requested your bank information to be changed but you didn’t! 
Payroll decided to put in proactive measures to help combat this problem.  One was that the employee had to come to payroll to update their bank and/or W-4 information with the appropriate ID or the HR departments had to sign off stating that the employee showed them ID and requested their information be changed.


There is no better safeguard than in-person authentication (is this employee who he says he is) and authorization (did this employee approve the change) as Lee County Clerk of Courts has done. However, this is not always practical for large organizations with employees spread out in multiple locations. So what other options are available?

From an authentication perspective, the key is ensuring that you have tight network security and strict password policies, including multi-factor authentication. (If you want more information on implementing multi-factor authentication in your Vista installation, contact your PDS Support representative. Or, for our cloud customers, contact our cloud team to see how we are protecting your security.)

From an authorization perspective (and even as a backup to authentication), you can implement a second “firewall” by implementing Vista Workflow to process the request. Since Vista Workflow is completely configurable, you can design whatever process you want. As an example, if these changes were routed through the employee’s direct manager before going to HR, you have the added protection of the manager validating that the employee has truly made the request. (You might object, though, that the manager should not see the personal information in such a request. But that’s easily resolvable. In your Vista workflow just specify that the details be hidden in the manager’s approval step.) Marco Padovani


However, our payroll
department wanted to add an additional step to the process. They wanted to know
if an after-the-fact verification email could be sent to the employee after
either their W-4 or bank account information was updated.

Sending an email when either the employee’s W-4 or bank information has been modified can be accomplished either through Vista Workflow or via changes to the Vista screens’ “user exit” stored procedures – EMP_Taxes_Edit_X.sql (W-4) or EMP_ACH_X.sql (bank account).  We decided to go with modifying the stored procedures.


As with many things, there are sometimes no “right” answers. Either approach can accomplish the same thing providing the extra verification. Because LCCC used in-person authentication and authorization at the front-end of their process, a simple post-transaction email was very appropriate. Moreover, Vista is an open system that supports many integration points for custom actions (such as these “user exits”), so it was easy to do for them.

On the other hand, implementing changes through user exit procedures involves a little more technical ability. If your organization does not have the ability to tackle this, then Vista Workflow is your best approach. You can implement a post-change email with no coding, and even without an actual “approval” step (just a Request -> Email -> Update flow). You can even get fancier and specify that the Update step be delayed to give the employee a chance to alert you to a problem. (E.g., the flow can send the email telling the employee to either ignore the notice if everything is OK or to click on the provided link to raise an objection.)Marco Padovani


The process for
modifying both of these user exits is the same – you need to add your code into
the ‘if
@nStartPoint = 3’ block
of code and for us we did not want the email to be sent out when payroll
deleted the bank and/or tax information since they add it right back in.

Here is the information we needed:

    1. Employee’s
      email address

    1. Employee’s
      first name

    1. Only
      send the email if an Update or Add transaction

    1. Wording
      of the email

    1. Only
      send the email if the employee’s hire/rehire date is greater than 21 days from
      today (i.e., not for new-hires)

    1. Only
      send the email if federal taxes were modified (for W-4)

 

There are a couple
of things to remember when choosing either the workflow or stored procedure
approach:

    1. With
      the workflow approach, usually the change will not take effect until the
      workflow has been completed.


Generally, this is a good thing – no need to complete the transaction until you are sure it is correct. However, if your needs are different, Vista Workflow supports adding the execution step at any point – including immediately upon submission of the request. So it’s up to you and your business requirements.Marco Padovani


2. With the stored procedure method, it’s an absolute approach. The email always goes out without the opportunity for subsequent review.


In LCCC’s case, this is exactly what they wanted, so that was appropriate, but if you did not have the in-person controls that LCCC had implemented, then the workflow approach might be better suited for you.

Regardless, though, of which approach you take, adding these extra verification steps can be the difference between happy, secure employees and people who’ve had their bank accounts emptied.Marco Padovani

Barbara Cobb
Application Architect
Department of Innovation and Technology
Lee County Clerk of Courts