Webinar: How to Outsmart the Next Wave of Payroll Cyber Fraud

If someone cloned your voice and called payroll today… would your team catch it?

AI is reshaping fraud in ways most business owners haven’t fully seen yet. Attacks are faster, more convincing, and harder to detect. Criminals are using automation to run thousands of personalized scams at once. They can mimic your internal tone, scrape employee data, and even use cloned voices to “authorize” urgent payroll changes.

Payroll is a prime target!

That’s why you’ll want to watch our recorded webinar featuring guest speaker Steve Lenderman, Head of Fraud Prevention with our platform partner, isolved.

In this session, we covered:

  • What’s changing in AI-driven fraud in 2026—and how it could directly impact your business
  • The next wave of business email compromise targeting payroll
  • Sophisticated fake direct deposit requests that look legitimate
  • Evolving insider misuse and credential abuse
  • Third-party payroll and vendor vulnerabilities that can expose multiple companies at once
  • The added fraud risks tied to crypto payroll, digital wallets, stablecoins, and shifting regulations

Most importantly, you’ll learn about real defenses you can put in place, because technology alone won’t protect you. Your processes and your culture matter just as much.

This session will help you stay one step ahead—so you can protect your payroll, your people, and your business before a costly mistake forces you to learn the hard way.

Guest Panelist: Steve Lenderman, CFE, CFCI | Head of Fraud Prevention, isolved

Steve Lenderman is a seasoned fraud prevention expert with over 25 years in financial crimes. As Head of Fraud Prevention at isolved, he leads enterprise-wide strategies to combat fraud.

This webinar was recorded live on March 10, 2026

Presentation Slide Deck

Session Transcript:

Jeff Plakans:

… everybody. Thanks for joining us today. Thanks for giving us your lunch hour on our session today. So what we’re going to talk about in today’s webinar is both my favorite topic and my least favorite topic all in the same breath. This is a scenario that I wish in our industry, payroll, human resources, really anything related to technology that we didn’t have to talk about, but it’s a reality that if we’re not talking about it, you’re in trouble. So what we’re going to talk about today is hopefully how to outsmart the next wave of payroll cyber fraud. We’re going to talk about the latest, the greatest, the things that you need to know to get smarter about protecting yourself, your information, and your employees and their information.

As you guys know, I am Jeff Plakans. I’m the President of Commonwealth Payroll and HR. And I’ll also be a color commentator on the presentation today.

Joining us, of course, is Steve Lenderman. Steve is from iSolved. Steve, thank you for giving us your lunch hour, and more importantly, sharing this information with our folks today.

Steve Lenderman:

You’re absolutely welcome. I thoroughly enjoy educating and talking about fraud. So this will be a fun, entertaining hour and educational.

All right. So today’s agenda, we’ll keep it relatively high level to start, and then we’ll dive into these topics through the course of our slides. But really going to talk about what we’re seeing change in 2026. Clearly AI and machine learning and ChatGPT and Claude, et cetera, are changing the way we do work, but it is also dramatically impacting how fraud is committed. And likewise, how we’re using it actually to also prevent fraud. We’ll talk about some of the new vectors and vulnerabilities that have been opened up due to AI and the ability to essentially scale fraud at an incredible pace, but also lower the barrier of entry for threat actors who typically couldn’t commit fraud in the past because they were not smart enough. Now they don’t have to be so smart. They can use technology to enhance their fraud capabilities.

Talk about how we can outsmart some of these scammers and fraudsters with some tools and tactics. And then of course, it wouldn’t be a 2026 presentation without talking about some of the things we’re going to see in the late part of 2026 here into 2027. So looking forward to having a great conversation.

Jeff Plakans:

So we’re in first quarter, so I think we’re still good on that. What’s to come for 2026? That’s great. A few things, folks, just as far as ground rules are concerned. We have a questions and answer box. We are going to be stopping for Q&A at the end of the presentation. If you’ve got questions, just drop them right into that question box and we will get around to those. And yes, we’ll be recording the session and sending it out to all of our registrants as well. So Steve, take it away, baby.

Steve Lenderman:

All right. Absolutely right. So as we mentioned here, just briefly about AI-scaled fraud. The ability for low-level threat actors or fraudsters or I call them criminals to commit fraud at scale and above their technical or their intelligence, to put it nicely. And so fraud in the early ’90s, early 2000s was typically committed by an individual or group of individuals, and they could commit usually one or two frauds at a time because that’s all the bandwidth they had as a human being. And now what we’ve seen is AI has enabled one threat actor or a group of threat actors to commit fraud against thousands of victims simultaneously. And it’s not just in a local geographic area, it’s a global event at this point in time. And so the threat actors aren’t going to be in our backyards. They could be across the globe.

And again, doing this across the globe with thousands of victims over and over again. What makes it even scarier again is not just the fact that they can scale to this, but it’s how they can become much more efficient. We can all date ourselves. Remember those emails you would get from the Nigerian Prince, the Jamaican Lottery, you would see the spellings, et cetera. These new attacks are personalized and they’ve done their research on their target. And so if Jeff was a target, for example, they’re going to go and look at his LinkedIn page, they’ll look through social media pages, they’re going to find news and information about him on the open web and use that information to create an attack against Jeff specifically. And that, in the past, would take one person some time to do. Now we simply can use some essentially naughty bots to do that homework for us. Again, thousands of victims simultaneously attacked at the exact same time, which we just didn’t see in the past because it was just driven by one person.

On top of that scaling fraud, we’re getting into more and more fake impersonations. The ability to say, “This is really me,” or this is really Jeff. Are you really sure these days? I’ve actually used the fake technology and run a webinar with a fictitious voice, a fictitious face, and no one knew any different. We inherently trust each other, especially when now we think we see people on screens. Just doesn’t mean it’s going to be always the true person. And AI and these machine learning models and quantum computing have taken deepfakes to a level of sophistication that we just haven’t seen. It used to take a little while to build a deepfake, a couple of days, if not a week, and you could kind of see these things being not as accurate, but today’s real-time deepfakes have zero latency between facial recognition and voice movements and tone that just sound like Jeff would sound or like I would sound.

And then last here, we’re seeing what’s changed in ’26 is the idea about your relationship. We’ve moved pretty quickly from physical interactions kind of pre-COVID, where you went to a bank, you went to an insurance agency, you went to a payroll provider or an accountant’s office to do your records, to now self-servicing through digital channels. And what’s on the verge for us coming in 2026, we’ll talk about, is this idea of agentic interaction. Being able to do things through your smart devices, being able to say, “Hey, Siri, run payroll.” That is on the road. That is coming down the future here and it will be here faster than you think. So we’re seeing these synthetic relationships being built through these agentic platforms, through chatbots. And it’s just really interesting to see how fast this is going. In the last six months, it’s accelerated dramatically.

Next slide, please.

Social engineering. I did mention how these attacks will be personalized and you’re seeing these attacks across multiple different channels. So they’re looking for data that you have available out there. I kind of giggle and laugh because I started my fraud career in the ’90s, early 2000s, when everything was on a dark, deep web. Your identity’s there. Your identity is still there, don’t get me wrong, but your identity is available on Telegram. It’s available on Signal, it’s available on Instagram, you just have to know the right places to go find them. And so the information is readily available out there for bad actors to use to create these hyper-personalized phishing messages. And these phishing messages aren’t just through emails. They can come through email, they can come through your phone, they can come through text messages, they can come through chatbots. Any channel of communication, these bad actors are now relying on any channel, anytime, any way to get into essentially your bank accounts.

We’re seeing the increase in voice phishing using AI-driven voice clones to make these phone call scams. Probably the most common that you may have heard is the grandparents scam, where the grandchild is in prison somewhere and the grandchild is calling the grandmother or grandparents, and the voice sounds just like that of the child. And that’s convincing for grandparents and for seniors. Well, this similar concept can happen here. This is a closed webinar, for example, but I do lots of webinars and I’m sure Jeff does lots of public speaking as well. It’s not difficult for us to capture these voices. And within three to four seconds of capturing a voice and a simple sentence, we can then turn that sentence into a legitimate voice recording. And there’s ways that we can bypass, the criminals can bypass directly into your voicemail. So if I wanted to impersonate Jeff to his CFO, I could just drop a voicemail.

“Hey, this is Jeff. We need to pay an emergency client. Wire $1 million, it’s important. Do it now.” The CFO says, “That sounds like Jeff. It looks like it came from Jeff’s phone number,” but it’s not Jeff. And next thing you know, a million dollars we’ve got in a payable diversion attempt. So we’re seeing these hyper-focused attentions.

Additionally, we mentioned this being global. It’s not just a regional event now where the bad guys are targeting particular geographic areas, demographics. Fraud is now a cross border event. And when we have that happening, we start to see different regulatory and enforcement priorities around what fraud looks like in different parts of the world. Fraud is handled differently. And so we see that impression being pressed on how we handle fraud scenarios. So an example would be in Europe and in AsiaPac, there’s a tremendous focus on scams in general. That pressure from Europe and AsiaPac is now being felt in the United States to do something about scams. And so the United States is responding accordingly. Similar concept happens with regulatory shifts around things.

There is immense pressure in Europe and EMEA around deepfakes, that all deepfake creation, even if it’s good, you can use several products to create a deepfake, but it has to be watermarked, for example, as this is artificially created content. We don’t see a lot of these regulations in the United States still. So we’re seeing a misuse of legitimate platforms for illegitimate purposes. And that’s kind of a scary thing. And again, that allows a low-level actor to be able to do things with tools they can just buy and obtain on the open web. They don’t have to go dark deep. They don’t have to be this tech-smart guru to do things.

We’re also seeing fraud being facilitated by instant payment and crypto related scams. Crypto, for me, is not really a currency. It’s more of a commodity. It’s how we trade things. And the bad guys think of it that way as well. It’s how they move money that they’ve stolen quickly cross border. And then we’re also seeing a lot of pressure from instant payments, real-time payments FedNow. Again, this is being driven by cost around moving money and obviously moving money across border as well. So what we’re seeing now is convenience, which is we all as customers and employees want to get paid earlier. On Wednesdays, we’re getting paid now and not just moving money hourly instead of every four hours. Well, the bad guys, they love that too. If they’re going to steal money, they don’t want the window of recovery for us to catch it to be long. They want it to be as short as possible. So it’s an advantage as well.

And then last one, at least here in this regulatory information is really around data privacy and consumer protection. Look, we know our privacy standards here in the United States are less than that of those of the European countries. That, again, is good and bad, depending how you look at it. But again, the bad guys are using this information against us to be able to commit fraud. And one example of this is that with privacy regulations we have in the United States, it’s very difficult for me to reach out to another organization, a bank, a payroll company, and say, “Hey, I have this information on a particular victim or bank account information.” And they just say, “Well, we can’t really share that. It violates our privacy standards.” And which is very frustrating because if we want to stop the fraud, we want to help our victims and help our clients, but we are restricted by some of these regulatory constraints that are out there.

The enforcement trend, we are seeing regulators across the globe definitely trying to do more collaboration. Unfortunately, that same collaboration isn’t as reciprocal in the United States at this current position. We are seeing a little deregulation in this space. And I just read an article today about how the Consumer Protection Bureau and credit bureaus are kind of having a little bit of a battle back and forth about removing erroneous information off people’s credit bureaus. So again, we’ll see how that plays out, but it’s not as easy as we think it is from a regulatory perspective.

And then how does this impact SMBs? I mean, larger organizations, big tier one, big banks and companies have teams of people for all that stuff, but most small and medium businesses, your chief compliance officers, also your chief legal officer, your chief marketing officer sometimes running payroll or wearing multiple hats. So it’s very difficult to keep up with compliance changes. And then obviously how that compliance takes place around your fraud protection and training initiatives. Next slide, please.

Jeff Plakans:

Speaking of fraud protection, Steve, I think it’s probably a good time to do a poll. If we’re starting to disturb anybody, maybe that’s the intent. So we’ve got a poll question for you. So if you want to answer the poll, we just put it up there. We’re asking what form of MFA are you using to secure your system and to secure your data? So go ahead and vote for any one of the options and we’ll give folks here a few minutes till we get somewhere close to a hundred percent. Hopefully everyone’s paying attention and are nimbly getting the fingers on the mice and/or the keyboards. We’re 50% of the way there. So there’s some folks still waiting. I think maybe they’re thinking about some questions to answer.

Steve Lenderman:

Trying to log in.

Jeff Plakans:

7%.

Steve Lenderman:

There we are.

Jeff Plakans:

Interesting, interesting. So I have to say, I don’t know, what do you think, Steve? So 10% of, “I don’t know what that means.” Don’t worry, we’re going to explain. MFA stands for multifactor authentication. And Steve’s going to talk a little bit about what that is here in just a second. 40% of our folks are currently using passkey technology. That’s good. That’s a good sign. And the 30% on the authentication app. You know what? This turned out better than I thought, Steve. How about you?

Steve Lenderman:

It absolutely did. It’s actually the reverse of what most people are doing. So congratulations. You’ve all passed the first hurdle that you were definitely more secure than the average user. So kudos to yourself. And hopefully you’re using the same cyber hygiene practices with your work environment, you are also doing it with your own personal environment because that’s also a method of attack for bad guys. If you’re locked down from your work perspective, they will go to your personal side of the house and get in that way as well. So kudos to all using the passkeys and authenticator apps, et cetera.

So let’s go ahead and just jump right next thing here. Speaking of the attacks, what are we seeing? We are absolutely seeing BEC, business email compromises that are targeting payroll teams through obviously payroll diversion. If you look at the IC3 Internet Crime Complaint Center reports, the BEC around payroll is now the second-fastest growing form of fraud reporting as a BEC.

The first post is around straight leader impersonation fraud in that perspective. But now we’re seeing the threat actors move to, “Okay, we’re not going to get the CFO to be able to move $5 million because they’re not going to fall for that anymore, but we can get the payroll administrator, somebody of that nature to fall for something like this and then allow us to make some changes to payroll direct deposit accounts or change money movement around.” So we are absolutely seeing that.

Again, they are using AI-crafted emails, doing their homework, identifying who they are in the organization, who controls the money flow, who has the approvals. They’re creating the messages that are also being tested. They are going to send the messages that, if they get past the spam filter, et cetera, they are feeding information back into the model to continue to build new, better messaging that makes more sense. And it’s really interesting to see what’s moving.

We’ve talked about deep fakes again, about the payroll. You’re going to receive urgent calls through your voicemail potentially. It’ll always be on Thursday evening or Friday night or sometime when it’s critical when you’re trying to go on vacation. They know all this. They’ve done the homework on you and will launch the attacks specifically when you feel the most vulnerable. And touching back on your personal thing I mentioned about vacations.

Again, if you’re posting you’re about to go on vacation on your Facebook page and you are a payroll administrator, I would probably advise not doing that, because now I know you’re leaving vacation tomorrow and I’m going to launch my attack specifically when you’re getting ready to go on vacation or when you’re on vacation, because you’re going to be more vulnerable and susceptible to falling for a fraud scam.

Next slide, please.

Jeff Plakans:

So speaking of business email compromise, Steve, I wanted to kind of share a story with the folks that are on the webinar today. And this is something that we were involved in at Commonwealth with one of our clients. And it’s a story with a happy ending, which is great, but it’s a scary story nonetheless. And it was actually our internal processes that made it a happy ending. And so business email compromise, we had a client that was very email-centric. Obviously they were a fully remote organization. And as a result, one of their employees became a victim of business email compromise. So their email was compromised. They got in, and the bad actors had access to everything that this employee had access to, and they clearly took their time and waited to see the types of things that were going back and forth. And in this particular employee’s case, they got very lucky.

This was an employee that was about to receive a very large bonus payment for the work that they had done. And the bad actors noticed this and somewhere along the line then sent an email to the payroll person at this client company of ours, and indicated that, “Please change my direct deposit to the following. I can’t get in right now,” or whatever schema they used. And this particular individual, who did not have the best thought process around hygiene and being mindful of doing a simple thing like verifying, calling the employee to verify, “Hey, did you just send me this?” Because the human beings are the savior in all this, they just put it through.

Now, what the fraudster happened to do was route or attempt to route the proceeds of said bonus into a fraudulent account at a bank, which we had already flagged as a potential risky bank. So when that transaction went through, we were alerted to the fact that it was indeed at a risky bank. We immediately made the calls before anything went anywhere, verified with first the leadership of the organization, and they went and did their own investigation to realize that indeed the employee had never sent that email to begin with. They found the email that was sent, but the employee had never sent it. So we prevented the loss of about $80,000, not only on behalf of the employee, but on behalf of the client, because we were paying attention and we have our own protections in place to stop things like this.

These things are very, very real. And just because your organization is paying attention to business email compromise, equally so, you need to make sure your employees are following the same practices. And Steve’s going to share a whole bunch about that with us as we get into the next bunch of slides. So thanks for listening.

Steve Lenderman:

Oh, that’s a great story. And unfortunately, that happens hourly, not obviously just within your platform or our platform, but just globally, we are seeing that exact same attack take place on an hourly basis. So again, it’s back to the idea that it’s not if, it’s more when this takes place. So let’s continue on this fun path of fraud education. So we are again seeing these direct deposit change requests come in, they’re automated and they are personalized. The threat actors are using information they’ve obtained from different social media sites. I’m going to see if I can multitask at the same time here. I’m just going to put it in as a question, I’ll put it in the chat.

Hold on. There’s a link I’m going to post here right now comes from a story I read from yesterday and today talking about how threat actors are actually creating the techniques to do this and scrape your information off there.

So if you have your entire organization on LinkedIn, think about how much information you are supplying the bad guys to be able to use against you. And so just understand what you’re putting out there is certainly viable to use against you. Synthetic identities, these are interesting concepts. These are individuals that are not real individuals. These are individuals created from a data perspective. So they have a name, a date of birth, a social that may be valid or may not be valid. And you’re going to see these synthetic identities being used now as what we used to call ghost employees, where you have a person added to a payroll that would receive the funds and return those funds back to the administrator who was corrupt, et cetera. We’re now seeing these synthetic identities that are being created en masse and added to payroll systems, not just to launder or liquidate fraud funds, but then one of the most powerful things that an identity can have that opens up other forms of fraud is a pay stub and a W-2.

And so if we can get a synthetic identity and we issue them a quote-unquote valid pay stub and a valid W-2 at the end of the year, the information’s all fake, obviously, but the document itself is authentic and so is the W-2. That really facilitates the synthetic identity to go do other types of fraud and credit card and lending and loans, et cetera. So we’re seeing a lot of these synthetic identities coming into the payroll space to justify themselves and validate themselves as authentic identities.

And then we’re seeing, again, the real time response, we’re seeing AI bots that are doing a much better job at communicating with our sales reps, our implementation reps, our just in general customer service representatives, where you maybe think you’re talking to a real person and it is a deep fake voice that in real time is listening to your response, querying the information on an LLM, and then verbalizing that back to the customer service representative.

It’s the exact same thing that most call centers are doing as well, is moving that information back and forth. Another thing we’re seeing is the insider threats and credential misuse. The insider threat problem is something that organizations really need to think about and think seriously about because it is a unique opportunity for a bad actor to get in your organization and big organizations are at risk for this because there’s lots of identifying information there because we’re a payroll company thinking of everything we have, lots of intellectual property as well. And so bad actors want to get inside your networks to be able to obviously get the information, both PII and intellectual property. And so we’re seeing these AI assisted insiders, again, people who normally could not commit the fraud, but are being assisted because they’re being trained with AI tools to help them cover their tracks, to make them look like they’re doing, to remove credentials that were being used to access information they shouldn’t access and to bypass monitoring.

We’re also seeing behavior masking where the AI can mimic normal behavior patterns. While I’m off doing something bad as an insider, I am now able to mimic what I would do normally and do a normal course on the job. So when I look at my login attempts for the day, it’s going to look like I normally logged in, but I may not have logged in at all that day. I may have logged in at night between 2:00 AM and 4:00 AM, which would be unusual and suspicious. We can use AI to cover these tracks and cover your behavior. And then we’re seeing credential stuffing at scale. This is really a terrifying thought because we are still a very heavy password-friendly ecosystem. Think about how many passwords we all have. We know changing passwords and password managers and all that fun that goes on with passwords. Passwords are a very outdated security standard and we need to get away from them, but we’re not going to for the foreseeable future, unfortunately.

And because these passwords are floating out in the wild easily to obtain and individuals use these passwords, we call password reuse across multiple platforms, we see this quite frequently in a payroll space where an employee is using their Gmail password, it’s also their Netflix password, their bank account password, the payroll login. So you can see if I am a threat actor and I can get one key to the puzzle, I can validate your Amazon credential. That same password will also open up hundreds of other accounts that you have the same password for. So it’s really, really troubling. Next slide, please.

So how does this really take place? How does it apply to what we’re doing in a payroll perspective? Think about your organization from this perspective. AI will continuously probe payroll vendors for weak APIs and misconfigurations. Think about all the connections you have with your organizations that are vulnerabilities. A few years back, almost a decade back, we had the Target breach of credit cards and the Home Depot breach of credit cards. Those are 10 years ago. You know how both those breaches occurred? They occurred by a third-party platform that did not have the secured APIs down and secure channels, and the bad actors got access to those large organizations by going through the path of least resistance, which is a vendor situation through a bad API call. So I need you to understand when you think about your organization, it’s not just locking down your organization, but you need to be mindful of your other organizations that are attached to your organization because they will become the weakest link to gain access to your networks.

Supply chain fraud and a payroll perspective. Again, think about this. If you’re running a payroll organization, all your clients, if they compromise you, you are the weakest link in the supply chain, therefore all your clients could be compromised, which is why it makes payroll companies in general a target rich environment for threat actors. And then we’re seeing a really new concept around AI driven malware where the malware itself used to be very static. They would design the malware, push it against systems, if a [inaudible 00:28:14] filters and it worked, it would launch. But if it didn’t get by, they didn’t really do much with it. So now what they’re doing is using AI to see, okay, this malware did not get in, did not penetrate these firewalls, why didn’t it work?

In real time, the AI is changing the malware, redeploying it back instantly, and just continuing to try to get into the firewall with just slight changes and variations in the malware.

And at some point it’s going to find the crack what the control is and be able to get themselves in that perspective. And once they get in, again, the truth data feeds back that says, “Hey, this malware worked against this type of defenses.” That information is then shared with all their friends to use it across other organizations. So it’s really, really terrifying from that perspective.

Now, we mentioned through the course of the poll about multifactor authentication and requiring MFA for all payroll and HR system logins. The reality is, in Steve’s perfect world, I know I’m a fraud guy, but I am MFA in everything all the time. Even my TV at home, I MFA into before I watch television because your TV is not just a TV anymore. Your TV is a computer. It has access to the internet, therefore it has access to my home as well.

So I multifactor everything. So limited, also based on role, you would be surprised how people will just give permissions to lots of people in the event that someone’s on vacation or gets sick and they forget those permissions are given out. So you need to update, review who has those permissions, when they use them, when they used them last, do they need these permissions anymore? Do they need more or less of those? You really understand what we call privilege creep. There should be no reason these people should be able to access the entire kingdom because you gave them a password and credentialing.

Also, keep in mind back to passwords. That same password that provides access to your low level security system should not be the same password that provides access to your bank accounts. A lot of organizations unfortunately do that kind of scenario. Next slide, please.

So beyond perimeter defenses and multifactor authentication, now they’re in your networks. They’re in your platforms and we need to figure out what’s the best way to stop fraud, because there are ways to be multifactor authentication. Believe it or not, email authentication is probably the least secure. SMS is probably second place. Third place is going to be your authenticator apps. Best is passkeys and FIDO. But if that passion person gets by those two-factor authentications, which I’m telling you right now, it is very, not easy to do, but it is very possible, especially if you’re using email and SMS, email authenticator apps.

So once they bypass your authentication, now you’re in your network. Well, how do you know they’re in your network? Because they’ve authenticated in. Well, the trick is they will behave differently than your traditional customer. That your traditional customer as humans, has behavior patterns.

Every morning when you get up, we do the exact same thing. Well, when you log into these systems, whether you know it or not, you have a pattern as well of behavior and you do this. So understand what your baselines are for your employees or your users. Understand what they do, how long they’re there. If you’re seeing login sessions that are less than two seconds, that’s not a good sign. That’s what we call a bot. That means somebody has access to credentials, able to get in, make a quick change of direct deposit and get out. And no one can do that in two seconds. That’s a bot. But you need to understand what that looks like and what your average time on page looks like and how they navigate through your platforms.

Look for different devices as well. Your behavior is one thing, but how you come in on your device is another. Here at iSolved and all our network partners, we are using some technology that is doing device fingerprinting. So we know it’s your device. I’m sitting in my home office. My device is always next to me because all your devices are too. I know they are too. But we know how many feet above sea level I’m at. We know which way I’m facing geographically. We know how many apps are on my phone, how many pictures on my phone. We know the charger type and the charger wattage you use on your phone. These are all things that bind your device to you as a fingerprint and create this digital identity.

And lastly, we’re using a lot of AI driven anomaly to catch these emerging fraud trends that we just wouldn’t get with static rules. Because behavior is very dynamic. It’s very difficult for us to look at it from a data perspective without creating lots of data.

Now, AI has allowed us to ingest large sets of behavioral data, find those anomalies, find those patterns of true behavior, and then isolate and illuminate the bad activity.

Next slide, please. So when you’re doing payroll changes, we see these payroll diversions as Jeff talked about that situation where somebody went in and made a direct deposit change. It was going to be a large bonus payment. What do we do around these direct deposit changes? So we obviously have two-factor authentication to get them in from the authentication perspective. And then we set up what we call dual verification. So we have rolled out two factors, we call it two-factor step-up.

Anytime a change is made to sensitive information, you will be required to authenticate again. And that is not just as simple as getting a new authenticator code. We will actually terminate the existing session and then create a new session for you, which eliminates what we call the man in the middle attack, which is how bad actors get into accounts using two factor authentication.

Believe it or not though, there are some old-school techniques that work really well, especially when you’re dealing with a BEC compromise with a CFO and a CEO, for example. I’m sure Jeff and his CFO have a magic password or a code word they use with transactions, but we are back to that. It’s almost going back to mother’s maiden name, which we don’t use anymore. If you know what I’m talking about, you dated yourself too. But now we’re sitting there, we have the ability to establish good old-fashioned verbal passwords that are there. “Hey, what’s the password?” Oh, it’s Platypus. Okay, great. And the bad guys aren’t going to know your password is Platypus. Your passphrase, excuse me, not password. Password is still bad.

Then segregation of duties. Again, we see a lot of organizations with a single employee that can do… They have the keys to all the castle. They can do everything without oversight. Well, that’s one, an insider threat problem because that’s a big issue. You won’t know you have a problem because they have control of everything. And two, is a great point of compromise. We’ve seen the threat actors that now pivoted for several months. They were targeting the employee, which is very… They did well with that, let’s put it nicely. But the employee is a one-to-one relationship. If I compromise Jeff individually, I can only mess with Jeff’s account. But if Jeff is a payroll administrator and Jeff has access to a thousand employees information, Jeff is a much bigger target. And so I want to make sure I can understand that segregate those duties and make sure that Jeff doesn’t have access to all these things unless absolutely needed. And then last but not least here is audit trails, conduct regular reviews of your payroll updates.

When’s the last time you’ve gone in and checked those change controls? When’s the last time things have happened? Does it make sense for an employee to change their direct deposit three times in a week? Does it make sense if they’re changing from a traditional bank account to be a high risk non-traditional bank account? And that employee may be say in their 50s. Typically, us old guys like myself, we don’t tend to bank with the FinTechs. We tend to bank with traditional brick and mortar type environments. So again, these things you can look at from your audit trails and see what your customer really looks like so you can build those rules around that.

Employee education. This is still, I believe, a very critical part of your defenses, but it’s also important that you understand how to do this. The days of just sending these generic phishing emails just to test people, those aren’t effective. Sending out the webinars, you make the employee watch the webinar and take a quiz. Those aren’t effective. I laugh as a meme from Toy Story, I think with the piggy bank and he’s going through and he’s going through the employee training, blah, blah, blah, blah, blah, blah, blah, just going through each slide as fast as possible. Well, that’s what our employees are doing. They’re not learning anything.

So we really think about when you do this training and you make the investment in it, really make the investment not just in it, but I say on it, on the employees. Provide ongoing awareness training around payroll staff. Look, we’re guilty at sometimes, and I’ll put ourselves under the bus once in a while. We send trainings out around potential threats that don’t really relate to payroll fraud because we have to do it. We do it.

So make sure you get those things tailored to what you’re looking for. We’ve seen an incredible increase in the effectiveness of fraud prevention training and outreach. We call it gamify. So some of us have our fancy smartwatches or their Android, Apple, and you have your health apps. And what do you do at the end of the day if you need five more steps to get 10,000 steps? You get up, you walk around the kitchen, my wife flaps their arms around, whatever it does to close that ring, to make you feel like you’ve won something. That same concept works really well with education and training. And so when you provide these programs, we gamify it. They don’t have to give them prizes. Just, “Hey, this employee’s completed 90% of all these fraud trainings and she’s 10% higher than this employee.” And then that becomes a competition internally to do the training.

And then it’s really, really important to celebrate employees who actually do the right thing here. All too often organizations do it. They do a really good job of celebrating employees who meet sales goals and we get other efficiencies, but fraud prevention is an operational expense. Not only that, it’s reputational and it’s regulatory. It’s not a simple just dollar loss. And some stats from the ACFE, that every actual dollar of fraud loss equals $5 of operational loss. So it’s not just a straight dollar to dollar loss. So you want to reward these employees who are saving you lots of money, regulatory issues and essentially reputational issues. Because when people get defrauded and they have a bad experience, they leave your platform. They go somewhere else to find a better experience. And so make sure you celebrate that.

Employee responsibilities. This Jeff and I… Jeff, it’s you or me? I can’t remember.

Jeff Plakans:

Well, we can both talk about this, but together. Let me just say, if you get nothing else from today’s session, and I know we talked about a lot of different things, this is your to-do list. This is the thing that, what can I do as an employer to make sure that we’re protected and we’re covered? And certainly short of hiring an IT professional, managed services company or the like to help you if you are not doing so already and help go through some of the processes below starting first with data security. Steve, do you want to talk a little bit about that?

Steve Lenderman:

Yeah, absolutely. So again, these are your to-do lists. It’s very challenging for small organizations. We understand the constraints from resources. It’s money, it’s people, it’s time. But these are kind of your guiding principles here. So data security, you’d be surprised how many organizations still use Gmails and Outlooks and don’t understand and think about where their data is flowing and how it’s flowing around. Obviously encryption is huge. A lot of the platforms that actually are used by fraudsters, Telegram, Instagram… Not Instagram, Telegram, Signal, they’re used because they are actually very well encrypted. So it’s very difficult for law enforcement to decrypt the messages. We should think about that ourselves. Are we using the same encryption standards that the bad guys are using to protect themselves from getting caught? We should be using the same standards to protect ourselves from being the victim of fraud.

Multifactor. That is the easiest way to make your world much safer. Again, try to really get off email, at least minimally SMS, ideally to an authenticator app, and in a perfect world, get to a passkey, which I did see a couple of our people in our poll. I think four people had passkeys, which was like, kudos to you, pat yourself on the back, awesome job, you’re well ahead of the game. And then we talked about education again. It should be part of your platform here, because even with all the technology that we’re using here with a big AI tool that we’re using, and I have staff here, I have a cyber team, we have all these tools here. You know how we catch a lot of our fraud? Someone in the, we call the first line of defense, the human being, says, “Something’s not right here.” And so it’s that gut instinct, that spidey sense by a human being that does a tremendous amount of work for us. And so definitely rely on education to help your folks get to that point.

Jeff Plakans:

Yeah. I would say that if you’re going to do nothing else, make sure your people, if they’re using a computer or even if they’re using a phone or something like that, that you’re educating them and not giving them this packet. Although when we send the recording, we’re going to send a checklist for you guys to use kind of as a, call it a cheat sheet, if you will, but how you can help protect yourselves, but educate your employees, tell them what’s at stake. It never ceases to amaze me that when we bring on a client and indicate to them, “Okay, here’s the link that you’re going to use to send us any information that needs to be secured and send it to this link.” And the next thing we know is we get an email inbound from an AOL email address. And if you know what that is, then you know how old I am and what we’re talking about.

And it includes a bunch of reports that have a bunch of social security numbers on them, emailed, unprotected. That goes out to anybody that can see it along the way, not just where it gets to but us, but along the way. You might as well put it in the mouth of a dog and send the dog over because that’s about how secure it is, but it still happens. So we have to be aware that we’re not setting ourselves up for these things. So we’re going to do some things that we send over to you to help promote and give you guys some ideas on what you should be working on, areas for improvement and so forth. So 2026, Steve, you promised some trends.

Steve Lenderman:

Yeah. Yeah. So a little bit of a cheat sheet. We’re about a quarter of the way through 2026. So we’ve been seeing some of the stuff already. And fortunately, the world that I work in obviously is not payroll for all, but I’m very well-connected in just the fraud ecosystem in general. And so a lot of things that we look at to deploy and look for signals of emerging trends, we can look into the banking sector because they tend to see a lot of fraud first. And so one trend that absolutely has the banking industry shaking in our boots from a fraud perspective is agentic AI. The ability for decisions to be made by an LLM, a large language model, which is essentially Copilot or Claude or Gemini, et cetera. These tools now have the capacity to essentially make decisions based on some guardrails that you as a human being would put in play.

And we’re seeing this agentic AI expand into payroll industries, healthcare, et cetera. And I think the example I used earlier was instead of having to go to old-fashioned call your payroll or submit it online or maybe go to the app and just review it and submit, imagine being at the point where you can say, “Hey, Siri, run my payroll.” That is coming in the next probably 12 to 18 months is where we see things moving technology-wise. Again, how do you validate that the voice that is there is really the true person? It could be anybody in your office that could say something like that. Remember when Amazon first launched that and kids ordering shoes and games and all kinds of things showing up at the house. So this idea of agentic AI is terrifying because the bad guys have already thought about this. They’re already looking at how they can use the bots to counter what we’re trying to do from a fraud perspective and from a customer service perspective.

So their bots have a unique perspective is that they are not required to follow the rules and regulations that our bots are. We can only do certain things with regulatory controls and our bots are trained to do good thing. Their bots are not required to follow rules and they’re only trained on bad things. So whose bots do you think are better? The bad bots are better that they do it 24/7. And so they adapt faster and they adjust these things in real time. And since this is a brand new foray into an environment, there’s going to be a lot of learning curve for our product teams who are building these tools. We don’t honestly know how it’s really all going to play out. Someone’s going to have to take the first leap and then learn, lessons learned and we’ll go from there. So I imagine the payroll will be doing this 12 to 18 months.

Some of the banks are already doing it and a lot of people are buying travel like this now too, which is very interesting. In addition to that, I mentioned again, it’s global. They’re looking at multi-vector campaigns. Before you would just get an email and then you get an SMS potentially. And what you start seeing is these multi-vector campaigns attack towards a victim starts to kind of validate that this may be real. Wait, I got a text message about, I didn’t pay my E-ZPass toll or whatever it might be. But then I get an email saying I didn’t do it. And then I get something in a social media post that, have you seen this thing? And so you start to validate like, wait, this may all be real now, but it’s really just a combined vector attack against the individual or against the systems to convince you that it is real.

Next slide, please. Deepfakes and synthetic media. The ability to create a deep fake in real time is a serious threat at this point. You can flashback to ourselves when you use your Facebook and you put those filters on, you have a pig or a rabbit and ears and things like that. Guess what? Those are deep fakes. Those are very rudimentary elementary deep fakes from two years ago, but there are tools now, again, on the surface web that you can use to create legitimate deep fakes that would fool the average person. I have the ability to show them here, but I can send you some links that Jeff can share with the groups of completely fictitious AI content around news broadcast, car shows. None of it’s real, but you would have no idea that you’re looking at a digitally created image. We talked about synthetic employee identities again, getting those into payroll systems, how risky that can be for all of us in general.

And then the deep fake urgent calls have been a new thing. In the past, these deep fakes lacked what we call emotion. They lacked the ability to convey urgency. They sounded like the old school VRU units. You were talking to a VR unit. These now have the ability to possess stress, empathy, emotions, which would make the people listening to these calls more believing. Imagine having somebody, the grandparent, grandchild, grandchild is now crying, it’s hyperventilating. That grandparent is going to melt in the scammer’s hand and send the money. So next slide, please.

And of course, we wouldn’t be a presentation without talking about AI and of course crypto. So where does crypto play in the payroll space? It’s going to play in Stablecoin. Been doing a couple sessions with Nacha and they’ve been talking about Stablecoins and payroll. It’s really designed for a lot of cross border money movement, but at some point in time, stablecoins will move into the wire space, we’ll move into large value ACH transactions because it’s essentially feeless.

It’s very easy to move money across border between banks without having really to wait. Even a wire is not instantaneous. Having a stablecoin transaction is instantaneous, but that will also allow for other opportunities to commit fraud. And so as soon as the bad guys figure out we’ve moved to some kind of stablecoin, they will certainly target that as well. The additional fraud risk around crypto is the opportunity to phish people with fake wallets, to grab your private keys. And once I have your private key of your virtual wallet, I essentially have anything in your wallet from a crypto perspective and can liquidate those funds. And then I’d mentioned earlier that crypto is really more like a commodity than it is a currency, but you will see threat actors who will run what we call rug pulls using unstable exchange rates, for example, where you see somebody who pump and dumps a coin or currency, and then they pump it and then they dump it.

So you see those things taking place as well and clearly regulatory uncertainty with the GENIUS Act that took place a few months ago. We still don’t really know where crypto is going. Obviously this administration is pushing for it very heavily, but the rest of the world is kind of pulling back on crypto a little bit because of its irregularities and its use and obviously a lot of fraud. Next slide, please.

Jeff Plakans:

So I think, Steve, that I know we have a lot of clients that are on the call today. We probably have some folks that are considering working with our company as well, or at least we hope so. And you might be listening to all of this and ask yourself, “Well, that’s great, all of this information, but what’s Commonwealth doing to help us? What’s Commonwealth doing to protect us?” And of course, I shared that story a little earlier to make one point, which is we’re very aware of this. We’re very aware of it in real time. Some of that comes from the fact that back in 2010, we partnered with iSolved as our technology partner to deliver secure HCM technology and that is security forward, if you will, on the changing landscape. Back in 2010, it was a very, very different setup in terms of the threats that are out there from a security perspective compared to what we’re talking about now.

And so not only have we paid attention along the way, both with internal training technology and whatnot, but also by partnering with iSolved, we’ve brought a lot to the table. Because we’re a customer of iSolved’s and all of our clients are customers of iSolved, you don’t just get Steve, we get 3,500 plus cybersecurity experts all going to work to make sure that our sensitive data and your sensitive data and our business and your business are all protected while still being able to make things convenient for who? For our employees, because our employees are our business.

Now, because we have a trusted partner, we can protect that data and by pairing the technology that we have in iSolved and that you have in iSolved with the service and the attention to detail that the Commonwealth team brings to the table, and again, just simply asking sometimes, “Did you do this?” And knowing enough to ask, “Did you do this? Because this looked unusual.” Was enough to stop a big situation. And I want to be sure that anybody that I’m doing business with is doing that, and that’s a two-way street. So we’re asking questions of our own clients when they demonstrate that maybe they’re not staying on top of the behaviors and the tools and the methods to protect their own organizations as well. So wanted everybody to know that not only we’re paying attention to that, but to understand how much stress we put on making sure that that’s part of our equation.

Steve Lenderman:

Yeah. So just to quickly wrap up and leave some time here for Q&A at the end. Obviously, AI is reshaping fraud. It’s faster, it’s smarter, it’s harder to detect. We need to use AI just as much as the bad guys are, and that journey has certainly begun. We are using it on a regular basis here to look at fraud. And our fraud detection tools are built on AI, not with it, built on it. So it’s a really interesting concept and it’s done really good things. Payroll, you’re a target. BEC, fake deposits, insider misuse, it’s all there. The old adage, a lot of people rob banks, it’s where the money is. I think it’s safe to say we know the payroll industry has a fair amount of money moving in and out of systems, therefore we’re clearly a target.

Crypto adds complexity. We’re going to see where this moves down the road here, but crypto will certainly become more mainstream. We need to be aware of that and be mindful as we move forward. Your defenses must be layered. You have to have multifactor authentication, anomaly detection, change protocols, awareness, education. It’s all there. Not one tool is going to solve this problem. Culture drives resilience. This is really, really important. One of the reasons I took the job here at iSolved was the fact that the leaders really wanted to address fraud prevention as something serious to do. They wanted to do something, not just to meet standards, they wanted to exceed standards. And so they’ve allowed me and really enabled me to build a program that is significantly different than a lot of other organizations that are out there. And then we’re looking at 2026 and beyond. Part of my role is understanding what fraud looks like, how it’s going to change and adapt and evolve, and then to be able to respond accordingly within a predictive mode versus a reactive mode, which is where a lot of organizations sit back in a reactive mode.

So we’re always looking forward, forward, forward.

Jeff Plakans:

So big takeaway here?

Steve Lenderman:

Pretty simple.

Jeff Plakans:

Not if it’s going to hit the fan. It’s when it’s going to hit the fan. So the question is, are you protected? More importantly, have we at Commonwealth Payroll and HR and iSolved? Are we going to be there for you? Hell yes, we are. Our partnership together gives you the high level of security, protecting you, protecting your employees, making sure that you can focus on the things that you need to focus on, whether you make widgets or whether you sell widgets. We’re going to be there watching your backside, making sure that not only your employees get paid and that they’re happy, but that they’re protected.

So thank you guys for all of your time. We do have time for a few questions. My contact information, of course, any questions, give me a holler. Steve’s information is here as well. Please remember, nothing we talked about today was legal advice.

This is for informational purposes only. So please, I’m not a lawyer. Steve’s not a lawyer and we would never want to be one, but just to be sure. Now, let’s get into some of the questions. There was a good experience share, which then turned into a question. One of our folks who I know that we work very closely with was telling us a very low-tech solution that’s a great solution, which was we’re small and may not be on anyone’s radar, but we’ve implemented a code word where any request that comes in by email or voice can be verified by asking for that code word. So that’s a great idea, Bravo, great low-tech way to do it. You know what? That’s what we used to do back in the old days before we had all the other stuff. But maybe a quick description of what passkeys are and why they’re more secure.

Steve Lenderman:

Yeah, absolutely. Just real quick, just because you’re small doesn’t mean you’re not a target, the bad guys don’t discriminate. So that should not be a defense. Kudos to you all for doing that and moving forward. So what is a passkey? A passkey essentially is a passwordless authentication channel that allows the user to essentially bind something they have with something that they digitally use. And so think of your iPhone, your Android phone, for example. Those essentially are passkeys. We use a biometric, whether it was a finger or a picture, that device is bound to you, that biometric, which then binds the device. And that device then is also registered with the end user login page. And so you’re seeing these passkeys, you see passkeys also going to be established by scanning kind of a QR code, which then drops a token on your phone that you can then use to tie these two together.

There’s a thing called the FIDO Alliance, F-I-D-O, FIDO Alliance. It’s a group of the big players in the space, Google, Apple, Samsung, and a few others that have moved to passkeys. There is a significant movement: by the end of 2027, they want to be passwordless, moved to passkeys. So if the opportunity presents itself to register any of your accounts, personal or business, with a passkey, take the extra 30 seconds to do it because it’s going to save you not only time of logging in every time, but when it hits the fan, you don’t have to worry about fraud as much. These passkeys are essentially account takeover proof because there is no password in the wild. There is no token in the wild. It is all tokenized in the devices.

Jeff Plakans:

All right. Well, thank you, Steve. Just one last thought that many of you have employees that are very tech-savvy, and many of us have employees who are less than fully tech-savvy, and as a result, have a tendency to want, I guess we’ll call it a quicker line of sight to getting into their accounts. And while that certainly can stop an employee from getting upset or annoyed with the technology that you’re asking them to use, every bit of training that you give them protects not only the employee, but protects you as well because you’re going through the process of teaching them how to do the right things.

For providers of technology and security around that technology, one of the toughest things to deal with is the lowest common denominator, and that is that person that refuses to use a passkey because it’s just too much to think about or doesn’t like using an authenticator device because, well, I don’t want to download and go through that process. But I can assure you, and we’ve seen plenty of companies that have come to us who have been through a process like that, not as our clients, but with other companies, and realized that they left the back door open for their lowest tech-savvy employees only to regret the work that they didn’t do later.

So I’ll leave you with that thought. There’s one more thing coming your way. Remember, we are going to send the slides. We’re going to send a recording. We’re going to send as well Steve’s top 10 list to help you protect yourselves.

Steve, thank you for your time today. Very much appreciated.

Steve Lenderman:

Thanks for having me. It was a lot of fun.

Jeff Plakans:

And just put one more link out there. Steve shared with us the FIDO Alliance, that’s in the chat. Put a couple links in the chat on that. Other than that, thank you for joining us today. Please, please do all the things that you can to help protect you and your employees. That’s why we do this, because happy customers and well-protected customers are also our best customers. So thanks guys. Have a wonderful afternoon. Enjoy.

Steve Lenderman:

Thank you.
