MyPayrollHR, a now defunct cloud-based payroll processing firm based in upstate New York, abruptly ceased operations this past week after stiffing employees at thousands of companies. The ongoing debacle, which allegedly involves malfeasance on the part of the payroll company’s CEO, resulted in countless people having money drained from their bank accounts and has left nearly $35 million worth of payroll and tax payments in legal limbo.
Unlike many stories here about cloud service providers being extorted by hackers for ransomware payouts, this snafu appears to have been something of an inside job. Nevertheless, it is a story worth telling, in part because much of the media coverage of this incident so far has been somewhat disjointed, but also because it should serve as a warning to other payroll providers about how quickly and massively things can go wrong when a trusted partner unexpectedly turns rogue.
Clifton Park, NY-based MyPayrollHR — a subsidiary of ValueWise Corp. — disclosed last week in a rather unceremonious message to some 4,000 clients that it would be shutting its virtual doors and that companies which relied upon it to process payroll payments should kindly look elsewhere for such services going forward.
This communique came after employees at companies that depend on MyPayrollHR to receive direct deposits of their bi-weekly payroll payments discovered their bank accounts were instead debited for the amounts they would normally expect to accrue in a given pay period.
To make matters worse, many of those employees found their accounts had been dinged for two payroll periods — a month’s worth of wages — leaving their bank accounts dangerously in the red.
The remainder of this post is a deep-dive into what we know so far about what transpired, and how such an occurrence might be prevented in the future for other payroll processing firms.
A $26 MILLION TEXT FILE
To understand what’s at stake here requires a basic primer on how most of us get paid, which is a surprisingly convoluted process. In a typical scenario, our employer works with at least one third party company to make sure that on every other Friday what we’re owed gets deposited into our bank account.
The company that handled that process for MyPayrollHR is a California firm called Cachet Financial Services. Every other week for more than 12 years, MyPayrollHR has submitted a file to Cachet that told it which employee accounts at which banks should be credited and by how much.
According to interviews with Cachet, the way the process worked ran something like this: MyPayrollHR would send a digital file documenting deposits made by each of these client companies which laid out the amounts owed to each clients’ employees. In turn, those funds from MyPayrollHR client firms then would be deposited into a settlement or holding account maintained by Cachet.
From there, Cachet would take those sums and disburse them into the bank accounts of people whose employers used MyPayrollHR to manage their bi-weekly payroll payments.
But according to Cachet, something odd happened with the instructions file MyPayrollHR submitted on the afternoon of Wednesday, Sept. 4 that had never before transpired: MyPayrollHR requested that all of its clients’ payroll dollars be sent not to Cachet’s holding account but instead to an account at Pioneer Savings Bank that was operated and controlled by MyPayrollHR.
The total amount of this mass payroll deposit was approximately $26 million. Wendy Slavkin, general counsel for Cachet, told KrebsOnSecurity that her client then inquired with Pioneer Savings about the wayward deposit and was told MyPayrollHR’s bank account had been frozen.
Nevertheless, the payroll file submitted by MyPayrollHR instructed financial institutions for its various clients to pull $26 million from Cachet’s holding account — even though the usual deposits from MyPayrollHR’s client banks had not been made.
REVERSING THE REVERSAL
In response, Cachet submitted a request to reverse that transaction. But according to Slavkin, that initial reversal request was improperly formatted, and so Cachet soon after submitted a correctly coded reversal request.
Financial institutions are supposed to ignore or reject payment instructions that don’t comport with precise formatting required by the National Automated Clearinghouse Association (NACHA), the not-for-profit organization that provides the backbone for the electronic movement of money in the United States. But Slavkin said a number of financial institutions ended up processing both reversal requests, meaning a fair number of employees at companies that use MyPayrollHR suddenly saw a month’s worth of payroll payments withdrawn from their bank accounts.
Dan L’Abbe, CEO of the San Francisco-based consultancy Granite Solutions Groupe, said the mix-up has been massively disruptive for his 250 employees.
“This caused a lot of chaos for employers, but employees were the ones really affected,” L’Abbe said. “This is all very unusual because we don’t even have the ability to take money out of our employee accounts.”
Slavkin said Cachet managed to reach the CEO of MyPayrollHR — Michael T. Mann — via phone on the evening of Sept. 4, and that Mann said he would would call back in a few minutes. According to Slavkin, Mann never returned the call. Not long after that, MyPayrollHR told clients that it was going out of business and that they should find someone else to handle their payroll.
In short order, many people hit by one or both payroll reversals took to Twitter and Facebook to vent their anger and bewilderment at Cachet and at MyPayrollHR. But Slavkin said Cachet ultimately decided to cancel the previous payment reversals, leaving Cachet on the hook for $26 million.
“What we have since done is reached out to 100+ receiving banks to have them reject both reversals,” Slavkin said. “So most — if not all — employees affected by this will in the next day or two have all their money back.”
THE VANISHING MANN
Cachet has since been in touch with the FBI and with federal prosecutors in New York, and Slavkin said both are now investigating MyPayrollHR and its CEO. On Monday, New York Governor Andrew Cuomo called on the state’s Department of Financial Services to investigate the company’s “sudden and disturbing shutdown.”
A tweet sent Sept. 11 by the FBI’s Albany field office.
The $26 million hit against Cachet wasn’t the only fraud apparently perpetrated by MyPayrollHR and/or its parent firm: According to Slavkin, the now defunct New York company also stiffed National Payment Corporation (NatPay) — the Florida-based firm which handles tax withholdings for MyPayrollHR clients — to the tune of more than $9 million.
In a statement provided to KrebsOnSecurity, NatPay said it was alerted late last week that the bank accounts of MyPayrollHR and one of its affiliated companies were frozen, and that the notification came after payment files were processed.
“NatPay was provided information that MyPayrollHR and Cloud Payroll may have been the victims of fraud committed by their holding company ValueWise, whose CEO and owner is Michael Mann,” NatPay said. “NatPay immediately put in place steps to manage the orderly process of recovering funds [and] has more than sufficient insurance to cover actions of attempted or real fraud.”
Requests for comment from different executives at both MyPayrollHR and its parent firm ValueWise Corp. went unanswered, and the latter’s Web site is now offline. Several erstwhile MyPayrollHR employees reached via LinkedIn said none of them had seen or heard from Mr. Mann in days.
Meanwhile, Granite Solutions Groupe CEO L’Abbe said some of his employees have seen their bank accounts credited back the money that was taken, while others are still waiting for those reversals to come through.
“It varies widely,” L’Abbe said. “Every bank processes differently, and everyone’s relationship with the bank is different. Others have absolutely no money right now and are having a helluva time with their bank believing this is all the result of fraud. Things are starting to settle down now, but a lot of employees are still in limbo with their bank.”
For its part, Cachet Financial says it will be looking at solutions to better detect when and if instructions from clients for funding its settlement accounts suddenly change.
“Our system is excellent at protecting against outside hackers,” Slavkin said. “But when it comes to something like this it takes everyone by complete surprise.”
I was shocked when I learned I could not prevent a debit from my accounts. I should be able to provide a white list of accounts that can debit mine. My payroll vendor would not be one of them.
My question exactly — what did the employees who get paid via MyPayrollHR do wrong?
You’re correct — the employees haven’t done anything wrong. It doesn’t matter that payroll was stolen, employers are still on the hook to make their employee whole. Hopefully, no businesses go under as a result.
Our banking system is so behind when it comes to basic security. Personally I think each bank should have a deposit account number and a withdrawal account number.
Given how far behind our banking systems are in terms of security, it’s a good thing that the value of the dollar isn’t wholly and completely derived from trust in exactly those systems. Oh, wait…
They would argue that they should… in case of an overpay mistake.
Yes, they would argue they should be able to debit in case of an overpayment mistake.
But if the banking industry stood up and said no, the payroll companies would just need to be a lot more careful about not making overpayment mistakes. And that wouldn’t be such a bad thing, honestly.
Then you would just be sued, most likely lose, and then have to pay attorneys fees.
No different than if a bank makes a deposit error into your account (i.e. money that isn’t yours) and you go spend it. You’re liable
Easy, they could just short the next paycheck to account for the overpayment. No need for withdrawal permissions. The only time that wouldn’t be possible is with an employee’s final paycheck. In that case, just have a manual review in place to make sure you get those numbers right.
I once found my checking account had about $33,000 extra on a Friday payday evening. It was gone Monday morning. Turned out some payroll clerk had entered an absolute dollar amount in the box for a stock purchase plan percentage amount.
I understood it, but it really surprised me that it could be legal or even possible. Ever since, I have transferred pay to a different account every payday, and the pay deposit account does not have overdraft protection. If they screw up, they have to tell me and wait for me to send it to them.
I agree with having separate deposit and withdrawal account numbers.
With overpays in the past, that was deducted from the next paycheck. So that is a VERY weak excuse.
At least for commercial accounts this possible though rare even then. We set up ecommerce payment processing for a client, and they had to whitelist the processing company to make withdrawals. (It was a new sales channel, so on a given day it was theoretically possible, if unlikely, that refunds would be greater than revenue.) However, we had to chase through several levels of support at the processing company to find the right ID number to whitelist because even though they set up tons of merchants every day, a number of their staff had never heard of a need to whitelist like that.
Usually, when you sign up for direct deposit, you have to sign a form giving your employer the right to debit your account in case of an error. If you don’t sign the form, you won’t be allowed to have direct deposit.
If you’re concerned, you could set up a separate account just to receive payment. You could then set up an automatic transfer of that money to another account. If you kept a minimal balance in the receiving account, you would be protected from large withdrawals. Of course, the bank may charge you for having a low balance.
I used to create these NACHA files and I know it’s very simple to steal money from someone else’s account.
So here is what I do to limit fraud… I have two savings accounts.
Account 1: For normal Savings
Account 2: Used just for my direct debit only.
I schedule a bi-weekly withdrawal from Account 2 to Account 1 the very next day.
I do this for these reasons
* in the NACHA files, the account numbers and routing numbers are in plain text, this means almost anyone at any of these companies can steal and initiate a simple ACH transfer to their personal account.
* if the transfer is reversed the next day my money is gone to another account (this does not guarantee that my Account 2 won’t go negative but at least I have a fighting chance)
These were not debits. They were credit reversals. The rules are different.
Personal accounts do not need debit protection. Personal accounts are protected by Regulation E (https://www.federalreserve.gov/supervisionreg/regecg.htm). If you receive an unauthorized debt on your account, go to your bank and fill out an affidavit. Your bank will file a claim to charge back the transaction to originating bank and it is the obligation of the originator to provide proof that the transaction was valid. In this case, it would not be a valid reason to debit the employees.
Wow…the epitome of an inside job, it would seem. Great reporting, Brian!
I read thru this a few times to piece it together but this paragraph thru me off.
“Nevertheless, the payroll file submitted by MyPayrollHR instructed financial institutions for its various clients to pull $26 million from Cachet’s holding account — even though the usual deposits from MyPayrollHR’s client banks had not been made.”
Would the following be more accurate?
“Nevertheless, the payroll file submitted by MyPayrollHR instructed financial institutions for its various >clients’ employees< to pull $26 million from Cachet’s holding account — even though the usual deposits from MyPayrollHR’s client banks had not been made.
As MyPayrollHR's clients would be the employees' employer. Right?
Do you know how to ask a question? Why did you include right by itself? Have you ever heard of did, why, how, is, etc.? Yeah right. Right?
@System360 – when you sign up for direct deposit the form usually gives your Payroll Provider permission to withdraw funds as well. This is supposed to only be used to withdraw fund accidentally deposited but sounds like there was a screw up.
Accurate.
To add, one company I had worked for also had it in the contract that if you owe the company money they could withdraw it at will. We found this out when one of the guys broke a vending machine, they removed the cost from his personal account that had direct deposit (20 years ago).
Personally, I have no direct deposit, and no online banking, a little paranoid, and safer than the average bear.
Legally in the US, that probably wasn’t ok. Doesn’t matter the contract if it isn’t legal. But the guy would have to fight it and pay lawyers.
Wonder if a business email scam was involved…with the sudden wiring transfer change up before this all went down?
Are you still wondering? Why did you end with a question mark?
“Our system is excellent at protecting against outside hackers,” Slavkin said. “But when it comes to something like this it takes everyone by complete surprise.”
^^Wow, whodathunk insider threats are real…? (insert eyeroll emoji right here –> )
Control frauds are not anomalies
I have the same question as Sullaya, these two statements about the procedure :
“In turn, those funds from MyPayrollHR client firms then would be deposited into a settlement or holding account maintained by Cachet.”
then later this staement about what happened this time:
“even though the usual deposits from MyPayrollHR’s client banks had not been made.”
If the deposits from the client companies had not been made , what was in the Cachet holding account to disperse?
I also couldn’t understand based on the wording of the article. This comment on Hackernews sums it up well enough https://news.ycombinator.com/item?id=20941960
Thanks! Makes more sense now…
Thank you for sharing the link
Thanks for the breakdown.
Thank you – the HN summary helped connect the dots. What a mess.
Basic “security” measures you must follow:
– an any account which is somehow exposed to 3rd party companies or have a debit card/checks should have a balance which you are Ok to loose/do not have access while an investigation is going on.
– add notifications (email, SMS, in an app) on any transfers which exceeds the value you are Ok to loose.
This is exactly why I have an account that is just for my payroll deposits which I then disperse to other accounts via banking automation. Good luck debiting a deposit only account 😛
It’s so cute that you believe your debit controls limit what your bank can ultimately process on that account.
Its so cute you don’t know what you’re talking about.
Bank A cannot withdraw from Bank B without written consent. You can have one-way transfers, that has been a thing in banking for a few decades.
I guess it’s a good thing we’re discussing a reversal request that was processed by the depositing institutions as detailed in the article then, isn’t it? That isn’t the same thing as a debit or a standard withdrawl.
Like I said: it’s cute to believe that having an account as “deposit only” somehow limits financial institutions from requesting and processing reversals as we see in this case.
Except in a case like this your direct deposit account would be overdrawn and you would be stuck with NSF charges.
In the mainstream media this is a footnote. Thank you Brian Krebs for this detailed article
My bank will charge me a fair amount of money to have a bank account if I do not have direct deposit. My utility providers will charge me a fair amount of money if I do not allow them to directly withdraw from my account. My insurance provider, my credit card company, my state DMV will all charge me a fair amount of money if I don’t let them withdraw money from my account when it is owed.
In principle, I don’t have a problem with the use of automation to move money, but it doesn’t seem like there are adequate protections in place to allow this to be a requirement of employment or of having a credit card.
If an employer chooses to use third party automation to pay employees and some harm occurs to the employee as a result, the employer should be liable for that harm. I know that’s not a popular position and I know that it would disadvantage small companies, but the only way to enforce good practices is to make the entity responsible for decision making liable for their decisions.
In this case, I also think that Cachet and the banks need to take some responsibility. Why would Cachet take a file that was obviously an anomaly and process it? Why would Cachet process a file without an independent authorization of the files authenticity? Why would any bank allow a company – even a reputable one – to “reverse a payment” without first identifying a corresponding payment to the identified account?
As a security professional, I have implemented plenty of systems that had the security controls necessary to protect against fraud. It’s not rocket science. It is deeply troubling to me that we have developed a status-quo process that is clearly lacking in control and as a matter of normal business practice force risk on people.
@Blee
I don’t know where you live but most of what you stated has never been true in my experience. Other than using direct deposit to receive funds from various employers, I have always avoided giving access to anyone else.
Utilities are paid monthly after I receive a bill using my bank account bill pay services. Ditto for almost everything else. A few places may want auto payment but I only allow that on a credit card and never from my bank account.
As someone else mentioned, it is best to minimize the funds in any account that someone else can credit/debit from. Once the money is credited to that account simply have it transferred to a separate account that the creditor/debtor cannot access.
These things happen very rarely but if you aren’t someone with multiple bank accounts and you lose access to needed cash then you may be in trouble for a period of time. I’ve always spread out my banking and investing accounts since things do happen.
“If an employer chooses to use third party automation to pay employees and some harm occurs to the employee as a result, the employer should be liable for that harm. I know that’s not a popular position and I know that it would disadvantage small companies, but the only way to enforce good practices is to make the entity responsible for decision making liable for their decisions.”
Ultimately, they do. If your employer owes you money and you don’t get it, it’s still your employer that owes you that money.
I live in the good old US of A. I’ve been a security professional for 20+ years. I’ve touched almost every aspect of Cyber Security at one point or another. My data has never been breached. I’ve never had my credit card data stolen or lost money to identity theft. That’s because I’m good at what I do.
Most people don’t have my skillset. I have an advantage in that I have practical experience, education and training in Cyber Security that allows me to make informed decisions and avoid risks in everyday life.
The point of my original post was that this is changing. I can’t possibly know who has my data. I can’t possibly know every third party of every service provider that I have. The conditions of everyday life don’t allow it anymore. And, if I am not feeling as though I can protect myself, how must someone who doesn’t have my skillset feel?
You all can quibble with the details of my original post – and if you feel secure living your life, congratulations – but don’t try and tell me that it’s all good, cause that’s crap.
Another good article , as usual !
“and how such an occurrence might be prevented in the future for other payroll processing firms.”
Did I miss something? I didn’t really read anything about HOW this might be prevented in the future.
“For its part, Cachet Financial says it will be looking at solutions to better detect when and if instructions from clients for funding its settlement accounts suddenly change.”
Cachet’s story should horrify any manager of ACH settlement risk (or any account manager of a client which is a payroll company) at a clearing bank. In addition to the obvious operational risk gaps, they also should have had an eye on the financial condition of their client. I am sure the full story has yet to come out. In discovery, someone will learn the extent to which Cachet performed regular due diligence on MyPayrollHR and whether its controls were up to snuff and followed. Cachet’s been here before: https://casetext.com/case/cachet-fin-servs-v-cj-assocs-inc
Please note MyPayrollHR’s tagline:
“We Make It Simple”
“We Make It Simple.” More like, “We Take it. Simple.”
Or perhaps “We Make It Simply Disappear.”
Well done Marsha.
Brian,
Did you see NACHA’s comment on the reversals. It looks like Cachet may be in trouble as well since there are specific rules governing the reversing of ACH transactions s (duplicate or erroneous file). This situation with mypayroll it appears is not a valid reason to process a reversal.
As someone who has formally done payroll and now does fraud I am “shocked” at how this could have happened. Any change from the norm involving that kind of money should have had several items to complete before processing the transaction.
The first would be confirm this with at least 2 people “verbally” from the company requesting the change.
Kudos at least to Cachet Financial for trying to make their mistake right for the employees without pay.
In your article, first you say the money is pushed and then you say it’s pulled.
Please clarify
> Cachet would take those sums and disburse them (PUSH) into the bank accounts of people whose employers used MyPayrollHR to manage their bi-weekly payroll payments.
> the payroll file submitted by MyPayrollHR instructed financial institutions for its various clients to pull (PULL) $26 million from Cachet’s holding account
Yikes! I can’t even begin to believe this story, yet I am sadly certain that it’s all true. I had expected that payroll clearinghouses like this would be watching for major variations in the processing request patterns, especially at an overall accounting level.
I’d have a client history ledger for each batch run – number of deposits/withdraws in each, total value of batch, and a running average of the last 10 batches run in value. A 5% variance in either direction (value or number of deposits/withdraws) deserves a cursory review, while a 10% variance would be worthy of an immediate auditor review.
Of course, that’s my opinion.
U need a Payroll company you can trust.
We use CHS PAYROLL already for 15 years and we never ever had a issue. They are always here for you.
Did MyPayrollHR’s client firms lose money? Is there a federal warrant out for the CEO Michael Mann?
It will be interesting to see how / if Mann actually was able to get money out of Pioneer Savings. Normally the built-in delays would make it impossible to turn around and wire out that quickly. Not to mention that it should have triggered serious fraud alarms at Pioneer Savings. After all, who routinely gets a $26 million lump and has to wire it out the same day?
Interestingly, Pioneer Savings Bank has a physical standalone branch in the parking lot adjacent to the MyPayrollHR offices. That is probably not a coincidence and makes it likely that whoever perpetrated the fraud (Mr Mann?) was actually working it’s Clifton Park office.
It’s more common than one might think. You see it in big real estate transactions where tens of millions of dollars are changing hands via attorney escrow accounts.
Here is something that makes me think, hmmm…I have only copied and pasted part of this – “But according to Cachet, something odd happened with the instructions file MyPayrollHR submitted on the afternoon of Wednesday, Sept. 4 that had never before transpired: MyPayrollHR requested that all of its clients’ payroll dollars be sent not to Cachet’s holding account but instead to an account at Pioneer Savings Bank that was operated and controlled by MyPayrollHR.” If the payroll request (regardless of where it was going) was sent on “SEP 4th” and that is for “every 2 weeks of payroll” Sep 4 -(next 2 weeks would be “Sep 15” SO WHY is Cachet reversing 2 weeks of checks, if the 15th wasn’t even requested for a submission? Is Cachet ALSO in on this scam? I can see Sep 4th being requested for pull (money) for the prior 2 weeks – but the next 2 weeks have not even been worked yet, for employees to get paid, so where would the 2nd reversal come from? Can someone explain this to me? Or, did I perhaps, turn on a lite, about Cachet?
Biweekly paychecks
The first withdrawal file had errors in it, and it should NOT have been processed. Cachet thought the banks wouldn’t process the first withdrawal file, because they aren’t supposed to process files with errors. So, to correct the mistake, Cachet sent a SECOND withdrawal file that was correctly formatted. The first file was processed at many institutions, though it shouldn’t have been. So, when the corrected file (second) file went through, many accounts were debited TWICE – the equivalent of a month’s pay (2 bi-monthly pay periods).
Remember this when the CFO of your company announces they’re outsourcing HR/Payroll to a previously unheard of payroll processor.
What this article leaves out as the fact that, for the 2nd transaction, cache artfully removed its own name as the merchant account and put in the name of our employer. That is way more than a little shady on the part of cache.
The other problem is that a number of people of stated they got a 3rd fradulent transaction against their accounts on Saturday come a to of my fellow employees at the company I work for had this happen to them after they did not freeze their accounts on Friday like I did. This is going to be a very tangled story in the end come I believe.
I always liked the TV series Miami Vice and also the movie version of Last of the Mohicans. So naturally, I’m shocked and dismayed to see Michael Mann involved in something like this.
🙂
A more high-tech version of Heat maybe?
Why did you use the question mark?
You need to use a reputable payroll company.
One that you can trust, because they have access to
So much banking info. I am grateful to be using New Green Payroll,
Because they are extremely trustworthy and compliant, and they are
Backed with famous CPA’s.
Why on earth would anyone trust a company called, wait for it, “mypayrollhr?”
Seriously…
Comment above mine, why would you trust someone like, wait for it, “New Green Payroll” to process your payroll.
What’s next, fantasticpayroll98.com?
Personally I’m looking forward to
HRMcPayrollface.com
Nah, AAAAAPayrollServices, gotta get first in the search listings and in the Yellow Pages!
So I’m just going to tell you the way it is.
First of all, this ordeal is exactly why I hate having money in digital form. This ordeal is a huge lesson. See how instantly your “money” can disappear? No joke, I even can’t stand having a store credit balance. I use it up right away and always keep my balances at zero. That way, nothing to lose. Digital money is terrifying. Cash in my hand is secure-ish (it all goes to iced coffee so).
You think a thing like this is bad? Try being separated from your phone. Whether you lose it or its stolen, and despite cloud backups, if you’re separated from your phone your digital being instantly momentarily dies. And it’s painful. It hurts.
One would presume at this point that the horrible ordeal is temporary. Problems will be fixed. You’ll be fine.
In the meantime, take it as a lesson and an opportunity. Electro-digital provides speed and convenience but comes with insecurity and serious risks.
Weld your phone to your arm and built a cash pocket into your phone. Practice telepathy and teleportation. You’re welcome.
I saw the IT structure on the clearance of payment among the banks
inside the Treasury. I just can’t believe how antiquated the system is and the database so old I have never heard. My opinion is these companies bribe some official to use the software so it nearly impossible to remove them without interrupting the entire banking process. So basically they can charge what they want -extort.
Every client company got what they deserve for outsourcing payroll and exposing private employee information, instead of hiring their own accountant and writing checks themselves. I hope many executives end up unemployed for this.