After Payroll Provider Collapses, Banks Drain Employee Accounts (techtarget.com) 105

dcblogs writes: MyPayRollHR, a payroll processing provider with about 4,000 small to mid-sized business customers, suddenly closed late last week. In response, the banking system went haywire and began taking funds from employees at many of these firms. Previously deposited pay was removed from their personal banking accounts, or 'reversed.' Not once, but twice and there are reports that these withdrawals happened continuously. The checking account of one employee of an animal rescue facility was pinged for nearly $1 million. Her account shows a negative $999,193.75.

  • by SuperKendall ( 25149 ) on Wednesday September 11, 2019 @03:37PM (#59182498)

    If they keep withdrawing enough surely they will reverse the sign bit on her balance and she'll have positive 10 bazillion dollars!

  • If you want to mess something up, hire a human to do it... If you want to make the same human error repeatedly, buy them a computer.

    Somebody hired a computer...

    Now they have billions of dollars.... Borrowed from hapless hard working folks a few million at a time..

    • Re:Computer error? (Score:5, Interesting)

      by OverlordQ ( 264228 ) on Wednesday September 11, 2019 @03:50PM (#59182566) Journal

      Human error

      The money is supposed to be moved out of an employer's account and into a holding account controlled by Cachet. Cachet then takes the money out of that account and distributes it to employees.

      But in the days prior to MyPayrollHR's shutdown, something went wrong at "virtually lightning speed" during that first step, Slavkin said. The system was tampered with electronically by an unknown party, she claimed, and the funds were never transferred into Cachet's holding account.

      "They manipulated the account, so that instead of the money going from the employer to our Cachet settlement account, it went into a different account that was controlled by MyPayrollHR — or Michael Mann, I assume, who is the principal," Slavkin said.

      • by msauve ( 701917 )
        That's just phase 1, and it's still a lame excuse. Why does their system distribute uncollected funds in the first place? And what about the repeated "reversals?" Who are they going to point that blame toward?
        • by Calydor ( 739835 )

          Unforeseen consequence.

          Cachet requests a reversal.
          Reversal happens but money is diverted away from Cachet.
          Cachet checks status, sees no transfer.
          Cachet requests a reversal.

          Etc.

        • When you deposit money in the bank, it is the bank's money not yours. The bank is legally responsible for the money you give them, but you give the bank money and they own it, not you.
          That money in your checking and saving account, isn't sitting in a big money vault. But going out to loans to other people to buy cars, houses and start their own business. Where they pay back the loans with interest, this is how banks make a profit.

          CDs give you a higher interest because the bank holds on to the money longer w

      • by Anonymous Coward

        Fraud

        "They manipulated the account, so that instead of the money going from the employer to our Cachet settlement account, it went into a different account that was controlled by MyPayrollHR — or Michael Mann, I assume, who is the principal," Slavkin said.

        The company was probably insolvent, and one week "Michael Mann" decided to take the money and run to some tropical nation with no extradition treaty. Spending the rest of your days sipping Mai Tais on the beach (paid for with some other fool's money) sounds better than losing everything and begging for your old job back at BigCorp HR after your startup with a stupid name fails...

      • by matthewd ( 59896 )

        I'm still not clear on how this could happen as described. Our software generates ACH files for direct deposit, and the files contain either only one transaction record for each employee's pay amount and their bank account #/routing # or those transactions and a balancing transaction with the company's account # to deduct the funds from. Not all banks required the balancing entry as the ACH file is uploaded typically through a secure web portal and some banks have other means for the customer to designate wh

        • by matthewd ( 59896 )

          The KrebsOnSecurity article explains it. It appears MyPayrollHR submits two ACH files, one that is supposed to transfer total direct deposit funds paid for each client into Cachet's holding account and one that transfers the individual amounts for each employee from the holding account to the employee's bank accounts. Money never moves directly from the employer bank account to the employees' bank accounts.
          Cachet processed a file that moved client money to an account controlled by MyPayrollHR rather than

  • by Kaenneth ( 82978 ) on Wednesday September 11, 2019 @03:43PM (#59182526) Journal

    This is Good for Bitcoin.

    • by gweihir ( 88907 )

      This is Good for Bitcoin.

      You mean because there are obviously extreme idiots at work? Sure. The more idiots the temporarily better Bitcoin (and any other pyramid schemes) do.

      • by jythie ( 914043 )
        To be fair, this is a type of trust problem BTC is actually pretty good at. One of the reasons this got so messy was the lack of a common ledger and reversals just piling up. With BTC you can either transfer or not, and since transfers are push only there is no way to pull back out of the receiving account without the account owner's action.
        • by gweihir ( 88907 )

          Assuming good performance, privacy and low transaction fees, maybe. There is a reason transfers are reversible in traditional banking. Although AFAIK, 4 weeks are the assured limit and usually banks do it by convention up to 6 weeks after the transfer, but not longer. Something must have really gone wrong here if earlier transactions were reversed. At least in Europe, the receiving bank becomes liable if they agree to reverse older transactions. Of course, transactions that were fraudulent are something el

    • Also equally so for Monopoly money.
  • Sorry for those affected. Dealing with banking/financial stress is horrible.

    Seems the future is wide open for entrepreneurs to set up payroll-processing operations that pay with Bitcoin etc.

    • Hey, sounds like the Bitcoin Nutters have arrived!

    • Sorry for those affected. Dealing with banking/financial stress is horrible.

      Seems the future is wide open for entrepreneurs to set up payroll-processing operations that pay with Bitcoin etc.

      So you're saying that appealing and reversing an erroneous BC transaction is easier than arguing with a branch manager at your local bank? What's that process, exactly?

      • Don't talk to anyone. Just sue. Immediately and for a *lot* of damages. The Bank has lots of money to pay the outside lawyers to defend, or if they know what is good for them you will just offer to settle immediately since they haven't a leg to stand on.

        • Exactly. The banks need motivation to fix their systems. Arguing with the manager at the local bank is a waste of time.

          • by myid ( 3783581 )

            Arguing with the manager at the local bank is a waste of time.

            Not necessarily. Once I got a bank loan for a car I'd bought. The bank kept sending me letters telling me that I had to buy insurance for the car, or else the bank would buy the insurance and charge me for it. I kept telling the bank that I had insurance, but I kept getting the letters.

            Finally I went to a branch of that bank, and talked with a manager (I think the manager of the entire branch). I showed him proof that I had car insurance. I told him that he needed to change my bank records to indicate that

        • Did the bank do anything wrong? You've given them authorization to accept deposits and withdrawals from your employer or their payroll system. A valid request (as far as they know) comes in. They honor it. Much like if you sign a check and give it to someone to fill out - is it the bank's fault they honor your legal request (signed check) to pay John Doe $150,000?
          • by CanadianMacFan ( 1900244 ) on Wednesday September 11, 2019 @06:30PM (#59183330)

            They gave the bank permission for the payroll company to deposit the funds. The first time a cancellation request came the bank was right, at least from the bank's standpoint, to honour it, assuming that the transaction had not already cleared through the system. Any subsequent cancellation requests for the same transaction had to be rejected by the bank because the transaction was already cancelled. The bank is at fault for repeatedly taking out funds for the same transaction, or for cancelling cleared transactions for which the funds were received (if multiple pay periods were cancelled).
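
An added example, not part of the original comment: a minimal sketch of the check described above, where a receiving bank honours the first reversal of a deposit and rejects any repeat or any reversal whose amount does not match the original credit. The `ReversalGate` class, the trace IDs, account names and amounts are all constructed for illustration and do not model a real ACH file format.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from enum import Enum


class Decision(Enum):
    ACCEPT = "accept"
    REJECT_UNKNOWN = "reject: no matching credit on this account"
    REJECT_DUPLICATE = "reject: credit already reversed"
    REJECT_AMOUNT = "reject: amount differs from original credit"


@dataclass
class Credit:
    account: str
    amount: Decimal
    is_reversed: bool = False


@dataclass
class ReversalGate:
    """Tracks posted credits so each one can be reversed at most once."""
    credits: dict = field(default_factory=dict)    # trace_id -> Credit
    balances: dict = field(default_factory=dict)   # account -> Decimal

    def post_credit(self, trace_id, account, amount):
        self.credits[trace_id] = Credit(account, amount)
        self.balances[account] = self.balances.get(account, Decimal("0")) + amount

    def request_reversal(self, trace_id, account, amount):
        credit = self.credits.get(trace_id)
        # A reversal must point at a deposit this account actually received.
        if credit is None or credit.account != account:
            return Decision.REJECT_UNKNOWN
        # Idempotency: the same deposit cannot be pulled back twice.
        if credit.is_reversed:
            return Decision.REJECT_DUPLICATE
        # A reversal undoes the original entry; it cannot take a different sum.
        if amount != credit.amount:
            return Decision.REJECT_AMOUNT
        credit.is_reversed = True
        self.balances[account] -= amount
        return Decision.ACCEPT


def demo():
    """Replay a constructed stream of reversal requests through the gate."""
    gate = ReversalGate()
    gate.post_credit("T1", "ACCT-A", Decimal("850.00"))
    gate.post_credit("T2", "ACCT-B", Decimal("420.10"))
    requests = [
        ("T1", "ACCT-A", Decimal("850.00")),     # first reversal of T1
        ("T1", "ACCT-A", Decimal("850.00")),     # repeat of the same reversal
        ("T1", "ACCT-A", Decimal("850.00")),     # and again
        ("T2", "ACCT-B", Decimal("900000.00")),  # far more than was deposited
        ("T9", "ACCT-A", Decimal("850.00")),     # no such deposit
    ]
    decisions = [gate.request_reversal(*r) for r in requests]
    return decisions, gate.balances


if __name__ == "__main__":
    decisions, balances = demo()
    for d in decisions:
        print(d.value)
    print(balances)
```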

          • Did the bank do anything wrong?

            No. Years back I looked closely at the banking terms of service. Buried in them was the line: "The bank is not liable for any errors including their own."

            I believe the clause is still in most bank accounts, but the wording has been changed to make it less obvious.

            Since then, I have seen situations with printed evidence (the original check). The bank never does anything wrong. There is even a new scam against small businesses. With the advent of cell-phone based check d

          • by Cederic ( 9623 ) on Thursday September 12, 2019 @06:00AM (#59184694) Journal

            Did the bank do anything wrong?

            Yes.

            You've given them authorization to accept deposits and withdrawals from your employer or their payroll system

            No. I've never seen or heard of anybody giving their employer permission to make withdrawals.

            A valid request (as far as they know) comes in

            Withdrawing a million dollars from an account with an average balance of a few hundred and a current balance of a few hundred is very obviously not a valid request.

    • Funny, I just use my bank to send money to my employees. My bookkeeper updates the amounts, does the calcs to determine how much to also send to the city, State, and Federal Government, and away it all goes. No "special processor" needed, as the vast amount of work happens automatically within Quickbooks - but the banking/sending of money is handled internally, for about $10 in labor, each month.
  • by 110010001000 ( 697113 ) on Wednesday September 11, 2019 @03:46PM (#59182542) Homepage Journal

    It drained my entire account of the equivalent of a year's pay. $50,000 in IT in San Jose. At least I get a Christmas bonus.

  • Were these .... (Score:4, Insightful)

    by PPH ( 736903 ) on Wednesday September 11, 2019 @03:54PM (#59182596)

    ... direct deposit accounts?

    This is why I prefer a printed check. The rules are pretty clear about check deposits. Once the funds have cleared, they are in my account. I grant no one permission to put funds in automatically, because I suspect that there is something in the fine print which allows them to pull them back out. Computer goes nuts and this happens.

    • by bill_mcgonigle ( 4333 ) * on Wednesday September 11, 2019 @04:02PM (#59182634) Homepage Journal

      Never let anybody do ACH to your primary store of value account(s). If you get direct deposit, set up an automatic transfer that moves your payroll amount to a different account the same day. Goes double for Paypal. Ideally this goes to another bank. Tell your bank(s) to not honor overdrafts (if they will).

      When something goes wrong, let the corporations be the ones holding the bag - they're all too happy to have it be you.

      • Never let anybody do ACH to your primary store of value account(s). If you get direct deposit, set up an automatic transfer that moves your payroll amount to a different account the same day.

        Problem is, all those bank fees add up and end up costing quite a bit, especially when you consider that you generally have to pay a fee at both ends when transferring money from one bank to another. EFT fees are very steep.

        • Must suck to live in a third world country.

          Private bank transfers are cost free in the EU ...

          • ... not between different banks...
            • by Lorens ( 597774 )

              Yes they are... in most banks, at least. Actually I have one bank account that is a net gain for me, because I get a smallish percentage back on direct debit bills (basically utilities), and the fees for everything I usually do (credit card paid off end of month after my salary comes in, debit card, www and app access, national and international SEPA transfers [wikipedia.org]) are zero.

        • Transfers between accounts at the same bank are typically free; I do as the GP suggests, and payments are made into one account and immediately sent to another account (one way only). Done. And free. Likewise, sweep your PayPal into the same receiving account (which is free, if you wish to take a day) and you're done. Heck, with Zelle, you can send up to $50K/month for free, to another account. If you need to do it overseas, TransferWise is about the cheapest you'll find, being around 0.07% for the fee
      • They can still reverse the ACH for something like 90 days, including reversing the transfer to your other account it funded.

        The principle is that if a mistake is made, everybody can go back and rewrite history for a time. Last I heard, this was good for 90 days. It's also true for stock transactions. They don't really settle for a day or so after they are made, so any recording errors or frauds can be rolled back and corrected.

      • Replace the word "bank" with "credit union", and I agree completely.
    • Re:Were these .... (Score:4, Interesting)

      by bobbied ( 2522392 ) on Wednesday September 11, 2019 @04:15PM (#59182710)

      ... direct deposit accounts?

      This is why I prefer a printed check. The rules are pretty clear about check deposits. Once the funds have cleared, they are in my account. I grant no one permission to put funds in automatically, because I suspect that there is something in the fine print which allows them to pull them back out. Computer goes nuts and this happens.

      Electronic payments can be reversed for up to 90 days. I found this out two decades ago when I was buying a house using funds my employer had deposited into my checking account to cover parts of the transaction costs. The closing company wouldn't accept my personal check and the bank wouldn't issue a cashier's check or cash for 90 days. Messed up the closing and really ticked me off... But if you think about it, it kind of makes sense that ACH transactions should be reversible if made in error.. Just like a bad check will be reversed if it's found to be unfunded.

      • If there isn't any money in the account, then why even allow the transfer in the first place?
        • by Corbets ( 169101 )

          If there isn't any money in the account, then why even allow the transfer in the first place?

          Because that’s not the only reason a transaction can be reversed. Fraud, for example, is a common reason why banks rescind transactions.

      • by LubosD ( 909058 )
        "Electronic payments can be reversed for up to 90 days"

        I had no idea this existed in the US. I cannot imagine having such a "feature" in Europe.

    • by jythie ( 914043 )
      Unfortunately, this is not actually true. There is a whole class of scams that involve getting people to cash bad checks that only get reversed days or weeks later.
    • The story above is about criminals withdrawing funds.

      Does not matter if you got the money into your account by a "wire transfer" or via a check ... they would withdraw it anyway illegally.

    • ACH lets them take more than they put in and they can then hit you with overdraft fees

    • by dacut ( 243842 )
      Except many banks nowadays will take the check and convert it to an ACH because it's cheaper for them. Paper checks don't mean anything now.
  • by Anonymous Coward on Wednesday September 11, 2019 @03:59PM (#59182616)

    I don't understand why there are so many layers involved in cutting someone a paycheck. An employer hires MyPayrollHR to do their payroll, except apparently MyPayrollHR isn't capable of actually moving money (you know...the specific thing they're hired to do) so they contract that out to some other company; but that third company can't figure out how to collect payroll taxes, so that's outsourced to yet another provider who's skimming off the top, and suddenly there are 10 different companies touching your employees' money and 10 different places to fuck it all up and 10 different middlemen sucking money out of your company.

    This whole process is fucking stupid.

    • Welcome to the modern technology driven world where even your paycheck is outsourced :D
      • Welcome to the modern technology driven world where even your paycheck is outsourced :D

        Payroll is one of the very first things that most companies outsource. Running a payroll is very time consuming and complicated, and there are steep penalties for getting it wrong.

        • by nukenerd ( 172703 ) on Wednesday September 11, 2019 @04:40PM (#59182860)

          Payroll is one of the very first things that most companies outsource. Running a payroll is very time consuming and complicated, and there are steep penalties for getting it wrong.

          So we should see some steep penalties here, yes?

          • So we should see some steep penalties here, yes?

            Theoretically, yes. The trick will be finding those responsible and money connected to those responsible so that those penalties can actually be enforced. That gets a lot harder when the provider has gone down the rabbit hole. Their best hope may be trying to hang responsibility on their actual employers who are still in business, because they hired the provider. As usual, the real winners will be the lawyers.

            • by matthewd ( 59896 )

              I've read several articles where the employers have already taken steps to make employees whole. I think the law normally provides some room for human error/circumstances beyond the employer's control if the employer has already taken steps to correct the situation.
              For now I think a lot of employers may be out the money for one week of payroll for a while. They'll also have to make up the payroll tax deposits if those have disappeared as well.

          • by tlhIngan ( 30335 )

            Payroll is one of the very first things that most companies outsource. Running a payroll is very time consuming and complicated, and there are steep penalties for getting it wrong.

            So we should see some steep penalties here, yes?

            Steep penalties apply to the company doing the payroll. As in they didn't deduct enough off your pay to cover taxes or missed a deduction etc. Then there's the tax slips that have to be created and sent out which accurately reflect what you earned. Add in stock purchase plans, retire

          • Indeed. We should bankrupt and close the payroll provider...

        • A majority of small companies use Intuit's Quickbooks, and their payroll calcs come with a guarantee that, if they are wrong, Intuit pays all fees and fines to the IRS and other State/local agencies. They get it right - you just have to type in the right stuff up-front (like where your employee works, where they reside, what their salary is, and enter their W-4 information). Do it once, done. No sweat - if it's wrong, Intuit pays, not you.
      • We use Quickbooks to do the calculations, then use Zelle to pay employees. All handled internally by the bookkeeper in about 15 minutes every two weeks... It doesn't have to be complex at all, but there is a ton of advertising and push to make it seem "scary" so you will pay $30+ per month for someone else to do what you already have the capability to do.
    • I agree, it's stupid.. It's also very insecure..

      Literally anybody who has access to the network that does this can dump a file of transactions into it. There is little in the way of security here. If we trust you, we trust you. So when a previously trusted user puts in their transactions, who's going to know the account numbers are different than yesterday, flag the transactions as suspicious and not accept them? Account numbers are always changing.

  • by Pascoea ( 968200 ) on Wednesday September 11, 2019 @04:03PM (#59182642)
    Tough to tell if this is an honest foul-up or someone intentionally stealing cash. Either way, ugly situation.
    • Given what happened... It sure looks suspicious. It *could* be a mistake, but it sure smells like fraud to me.

      The normal process moves money through three accounts. The employer's, the Company handling the Paychecks and the employee.

      What happened is the Employer to Processing Company transfer was redirected to a different account, but the employees were paid out of the normal Processing company account (which apparently had enough funds to cover). The second set of transactions were reversed, once with

      • by Pascoea ( 968200 )
        Krebs posted a better article. Sure seems to me that it's a bad actor. The owner of the parent company was the CEO, and is nowhere to be found.
    • by dacut ( 243842 )

      Reading the articles, it's both. The constant reversals are honest (well, as honest as our banking system can be) foul-ups. Batch processes run amok, using input with errors from people at a bank (Cachet) trying to undo fraudulent transactions.

      The fraudulent transactions came from MyPayrollHR, who gave Cachet instructions to move money from employer's accounts to a MyPayrollHR-controlled account instead of a Cachet holding account, then instructed them to move money from the Cachet holding account to the em

  • by Fly Swatter ( 30498 ) on Wednesday September 11, 2019 @04:06PM (#59182662) Homepage
    But this is why I still prefer checks with a paper trail. Automated movement of numbers over a network is great until it isn't. If you must use direct deposit or payments, keep it in a second account that can't touch your main savings account.
    • by bobbied ( 2522392 ) on Wednesday September 11, 2019 @04:40PM (#59182856)

      LOL.. You DO realize that they don't keep the paper anymore right?

      Pretty much every check is cleared and paid by ACH transactions anyway. The actual check is usually destroyed after it's scanned. Where they used to return the check to the writer, that is rarely done anymore. It was too expensive. Now they scan the check, convert it to an ACH and post the transaction. They get their money faster and it costs less for the banks.

    • But this is why I still prefer checks with a paper trail. Automated movement of numbers over a network is great until it isn't.

      Wait what? You prefer a system that gives you no indication of whether you actually have money other than a pinkie promise written on a piece of paper over a system that actually gives you that money directly the very moment you are issued it?

      You'd have to be mad to voluntarily be on the receiving end of a check.

  • Better article (Score:4, Informative)

    by Pascoea ( 968200 ) on Wednesday September 11, 2019 @04:08PM (#59182670)
    Krebs has some better info: https://krebsonsecurity.com/20... [krebsonsecurity.com]
  • Payroll Reimagined

    (hey if it works for an essentially automated bank, maybe it will work for payroll... take a "frown" and turn it upside down)
  • by aaronb1138 ( 2035478 ) on Wednesday September 11, 2019 @04:28PM (#59182788)
    Peter Gibbons: [Explaining the plan] Alright so when the sub routine compounds the interest it uses all these extra decimal places that just get rounded off. So we simplified the whole thing, we rounded them all down, drop the remainder into an account we opened.
    Joanna: [Confused] So you're stealing?
    Peter Gibbons: Ah no, you don't understand. It's very complicated. It's uh it's aggregate, so I'm talking about fractions of a penny here. And over time they add up to a lot.
    Joanna: Oh okay. So you're gonna be making a lot of money, right?
    Peter Gibbons: Yeah.
    Joanna: Right. It's not yours?
    Peter Gibbons: Well it becomes ours.
    Joanna: How is that not stealing?
    Peter Gibbons: [pauses] I don't think I'm explaining this very well.
    Joanna: Okay.
    Peter Gibbons: Um... the 7-11. You take a penny from the tray, right?
    Joanna: From the cripple children?
    Peter Gibbons: No that's the jar. I'm talking about the tray. You know the pennies that are for everybody?
    Joanna: Oh, for everybody. Okay.
    Peter Gibbons: Well those are whole pennies, right? I'm just talking about fractions of a penny here. But we do it from a much bigger tray and we do it a couple a million times.
  • by dltaylor ( 7510 ) on Wednesday September 11, 2019 @04:49PM (#59182914)

    I had an employer that insisted on distributing expense reimbursement by direct deposit, even though we could have actual paychecks. I created a separate account for that, specifically for this kind of idiocy. Once deposited, I moved the money to my regular account.

    I do the same thing for PayPal. Rather than tie it to a credit card, I have a PayPal account into which I transfer enough to cover anticipated expenses. Should there be some sort of error/hack/..., all that can be taken is that amount.

    • by shess ( 31691 )

      If the separate account is at the same bank, I wouldn't trust this technique to protect you in any way. When the unwind happens and fails, someone at the bank will look at what's up and helpfully "fix" it. Remember, they aren't representing you, they are working for the bank, and the banks work together by default.

      If the separate account is at a distinct bank, there's a chance - possibly they'll just initiate a chain of unwound deposits, but possibly someone will decide to question the original unwind req

  • The checking account of one employee of an animal rescue facility was pinged for nearly $1 million.

    The term you're looking for is dinged [wiktionary.org]. See verb definition 5:

    (transitive, colloquial) To deduct, as points, from another, in the manner of a penalty; to penalize. My bank dinged me three bucks for using their competitor's ATM.

    Sincerely,
    Your Friendly Neighborhood Pedant.

  • Fail to pay can = jail so your office better fix it fast or the boss can end up in lock up.

  • This is why I got REALLY pissed when my ex-employer automatically signed me up for a payroll deposit with another bank without my permission. It supposedly wouldn't go active until I called up and confirmed I wanted the account, but there's always something that could go wrong.

    On the plus side, my ex's stock price is now worth 1/14th what it was when I quit a few years ago.

  • Here in .nl, bank accounts have a debit limit. When you're at the limit, you can't withdraw any more. My bank sets the limit at 0 by default (the account owner can change it online if necessary). Being able to withdraw $1M from an account that's never held that much sounds like a recipe for disaster.

  • Thanks for the useless 5 sentence summary Slashdot... there's WAY more to the story. This was part of a massive fraud operation by Michael Mann, the CEO of MyPayRollHR. Check out the article from Krebs on Security [krebsonsecurity.com] for more details.
