Corporate Tax Fraud Causes Billions in Fines for Business Owners

Recent court documents accuse Automatic Data Processing (ADP) of forging Department of Revenue tax documents and Social Security numbers, and of pension fraud. The accusations and claims come from one of its top sales reps.

Schwartz, who broke numerous national records at ADP, alleges that ADP reps are taught by their direct leaders how to fill out and sign Department of Revenue State Unemployment Applications on behalf of their clients. ADP has over 600,000 small business clients and pays 1 in 6 Americans, so it’s no surprise that thousands of small business owners get millions in penalties and fines from the Department of Revenue.

The DOR Unemployment Application, also known as the DR1/RT6, determines what tax the business owner is responsible for and explains in detail the responsibilities and repercussions of the tax. The DR1/RT6 applications these sales reps are signing are extremely important documents that are intended to be signed by the business owner and only the business owner.

Inside the DR1 application it is pertinent that “whomever” fills out the form puts the correct addresses, because this is where all important tax information and notices are sent. ADP reps are said to put in the ADP Tax Services address, 400 West Covina Blvd, San Dimas CA 91773, because ADP is supposed to be responsible for handling all tax-related issues.

Unfortunately, the business owner doesn’t even know this, and if there happens to be a notice, fine or penalty, or they leave ADP, many times they don’t receive the notice until much later. In turn, the penalty and interest stack up for the business owner, who is responsible for paying the fine.

The question is how they can be responsible for any such penalties, fines or notices when they didn’t read, attest and sign that they understand any of the responsibilities. It seems ADP should be responsible for any fine or penalty, since they “Attested they Understand” and then forged the business owners’ signatures.

In fact, the application states numerous times that you attest UNDER PERJURY you are the business owner and have read and understand all the responsibilities.

If you have been affected by this, you are encouraged to call your local Department of Revenue office and ADP.

Automatic Data Processing – 1-844-227-5237

State Re-Employment Tax Fraud

Currently I work in the financial and real estate industry. Recently I met a lady who had a very interesting thing happen to her, which sheds light on how people are affected by ADP’s forging of Social Security numbers. Gabriella, who is my partner’s client, divulged a very interesting story.

She has lived in Miami her whole life. She is a single mother of three children and also is on disability. She receives child support and benefits for both her and her children. One of her children is ill so she receives extra disability assistance.

ADP violations

Who and what is ADP?

Automatic Data Processing, Inc., commonly known as ADP, is an American provider of human resources management software and services. As of 2010, ADP was one of four American companies to have a AAA credit rating from Standard & Poor’s (S&P) and Moody’s.

How does ADP make their money?

We pay roughly 1-6 working Americans. That’s over 26,000,000.

ADP makes money by holding the employer and employee taxes.

ADP Rewrites Payroll, Everything!

The ADP whistleblower, fired for standing up to illegal business practices at the payroll giant, launched a website documenting the federal crimes he reported to the SEC and FINRA.

Posts from the new site are being shared across social media by thousands of angry ADP customers and employees, expressing their dissatisfaction with the company, and uniting around his message.

The first memo shared by the whistleblower — former top ADP national salesman David M. Schwartz — received more than 11,000 views by going viral on LinkedIn.

The social media campaign is directing angry customers to memos about each area where ADP has ripped off customers or wronged employees.

Visitors can also join a database to document their grievances and to classify all the claims into 10 major categories.

On Twitter, @ADPFraud is going down the timeline to capture the thousands of angry comments posted there since 2009, plus retweeting up to a dozen new complaints that ADP receives each day.

Bless the heart of the ADP employee who has to answer this barrage of angry complaints and demands for better customer service. (There are also many web designers who chime in at @ADP to squawk about how badly its websites and apps are designed, as its paystubs can only be seen by using an old version of Internet Explorer.)

At an average of three complaints per day (and some days, it’s a dozen), that’s 10,000 posts against ADP made publicly by members of the social network, and each of those members is being invited to visit the website.

The hashtags #adpsucks or #adpfail and fun search strings “ADP and ‘the worst’” make identifying the class easy.

The Twitter campaign is highlighting verified “blue check” CEOs and celebrities griping about ADP’s bad customer service and infamously long wait lines, plus sharing articles about the whistleblower’s legal case against ADP.

ADP W-2 Breach a Perfect Example of ‘FlowJacking’

HR giant ADP, which provides payroll, tax and benefits administration for more than 640,000 companies, was hit hard by identity thieves this week. The perps made off with tax and salary data, according to a report from Brian Krebs—although the actual number of people affected has yet to be revealed.

The incident is an example of an increasingly sophisticated population of identity thieves, which uses complex, multi-stage attack vectors to get what they want.

Krebs explained that to access the information, the thieves used employee names from multiple firms to register accounts on an ADP external-facing web portal that employees can use to view their payroll information, including W-2s.

ADP Chief Security Officer Roland Cloutier explained that to create an account, users need to sign up using their name, social security number and date of birth—pretty basic information that can be easily lifted by skilled hackers. But to activate the account, users need a specific link and company code. The victim companies were the ones that published their signup link and code somewhere publicly accessible.

“We viewed the code as an identification code, not as an authentication code, and we posted it to a Web site for the convenience of our employees so they could access their W-2 information,” said Dana Ripley, a spokesperson for one of the unfortunate victims, U.S. Bank. “We have discontinued that practice.”

Jennie Carlson, executive vice president of human resources at U.S. Bank, penned a letter to “a small population” of affected employees explaining the situation:

“Since April 19, 2016, we have been actively investigating a security incident with our W-2 provider, ADP…The incident originated because ADP offered an external online portal that has been exploited. For individuals who had never used the external portal, a registration had never been established. Criminals were able to take advantage of that situation to use confidential personal information from other sources to establish a registration in your name at ADP. Once the fraudulent registration was established, they were able to view or download your W-2.”

The personal information needed to open the account was not stolen from ADP, Cloutier stressed. But the tactic is an increasingly prevalent one, according to Carl Wright, EVP and general manager of TrapX Security.

“The attack on ADP by cyber thieves is an example of an increasingly sophisticated hack called a FlowJack,” he said via email. “Hackers can penetrate an organization and gain an understanding of the internal workflow and the necessary credentials to hijack target assets. This interception of critical workflow, or FlowJack, enables hackers to steal important data and then intercept and divert the flow of money—in this case, citizens’ tax refunds.”

Adam Levin, chairman and founder of IDT911, told Infosecurity that while ADP isn’t saying much about who the victims are, the overall number of people affected is likely to be significant.

“As ADP works with more than 640,000 companies, this may only be the tip of the iceberg,” he said. “W-2 data is a hot commodity for identity thieves because it contains the type of sensitive personal information necessary to file fraudulent federal and state tax returns for the purpose of securing tax refunds in the names of victims. This puts a huge bullseye on payroll and human resource companies like ADP that handle such a goldmine of personally identifiable information.”
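The registration flow described in this article, sketched as an added example (it is not ADP's code and does not come from the original article): the shared company code only identifies the employer, so the hardened path also demands a one-time, per-employee activation secret. The `Portal` class, its method names and every sample value are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample value: one code shared by every employee of a company.
COMPANY_CODE = "EXAMPLECO-W2"


@dataclass
class Employee:
    name: str
    ssn: str
    dob: str
    registered: bool = False
    secret_hash: Optional[bytes] = None  # SHA-256 of a one-time activation secret


class Portal:
    """Hypothetical payroll portal; the roster is keyed by SSN."""

    def __init__(self, company_code: str, roster: Dict[str, Employee]):
        self.company_code = company_code
        self.roster = roster

    def _lookup(self, name, ssn, dob, code) -> Optional[Employee]:
        emp = self.roster.get(ssn)
        if emp and code == self.company_code and (emp.name, emp.dob) == (name, dob):
            return emp
        return None

    def register_weak(self, name, ssn, dob, code) -> bool:
        """Static personal data plus the shared code is treated as proof of identity."""
        emp = self._lookup(name, ssn, dob, code)
        if emp is None or emp.registered:
            return False
        emp.registered = True
        return True

    def issue_activation_secret(self, ssn: str) -> str:
        """Employer side: mint a per-employee secret to deliver over a channel it controls."""
        secret = secrets.token_urlsafe(16)
        self.roster[ssn].secret_hash = hashlib.sha256(secret.encode()).digest()
        return secret

    def register_hardened(self, name, ssn, dob, code, secret: str) -> bool:
        """The code only selects the employer; the one-time secret authenticates the person."""
        emp = self._lookup(name, ssn, dob, code)
        if emp is None or emp.registered or emp.secret_hash is None:
            return False
        presented = hashlib.sha256(secret.encode()).digest()
        if not hmac.compare_digest(presented, emp.secret_hash):
            return False
        emp.secret_hash = None  # consume the secret so it cannot be replayed
        emp.registered = True
        return True


def demo() -> Dict[str, bool]:
    """Run both flows against a never-registered employee (constructed data)."""
    person = ("Pat Doe", "000-00-0001", "1980-01-01")  # static data, knowable "from other sources"

    def fresh() -> Portal:
        return Portal(COMPANY_CODE, {person[1]: Employee(*person)})

    weak = fresh()
    results = {"weak_first_claim_accepted": weak.register_weak(*person, COMPANY_CODE)}
    # Whoever registers first owns the account; the later claimant is refused.
    results["weak_second_claim_accepted"] = weak.register_weak(*person, COMPANY_CODE)

    hard = fresh()
    secret = hard.issue_activation_secret(person[1])
    results["hardened_without_secret"] = hard.register_hardened(*person, COMPANY_CODE, "not-the-secret")
    results["hardened_with_secret"] = hard.register_hardened(*person, COMPANY_CODE, secret)
    results["hardened_secret_replayed"] = hard.register_hardened(*person, COMPANY_CODE, secret)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

In the weak flow the first claimant wins and the second is locked out, which is why never-registered identities are the exposed ones; the hardened flow refuses the same claim until the per-employee secret is presented.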

How to Communicate the Value of Security Management to the Board

Before the threat of a cyberattack became a top concern for business leaders and board members alike, finance played a limited role in security management. Today, finance leaders increasingly find themselves part of the team responsible for developing and implementing their employer’s cybersecurity strategy. So why the change? Why do finance leaders now play such an important role in protecting organizations from the never-ending and increasingly damaging stream of cyberattacks?

The reason is quite simple to appreciate, especially for those who have watched the finance department evolve from its role of corporate check-signer, to a critical department with a permanent position in the C-suite. By virtue of its role as corporate accountant, the finance department is often the only area within the organization that possesses a detailed view of the firm’s entire operations, warts and all. Therefore, since cybercriminals look for security gaps across the enterprise, finance’s detailed knowledge of the organization’s inherent strengths and weaknesses can help ensure the deployment of an effective cybersecurity program.

Educating the Boardroom on Security Management

This overarching view of the organization’s operations is just one reason why finance leaders continue to play a bigger role in stopping cyberattacks. Cybersecurity is a complex topic with the potential to overwhelm board members, especially those with limited technical knowledge and experience. Since finance leaders distill and present complex financial data to the board on a regular basis, they often know how to deliver information in a way that builds trust and triggers action. When discussing cybersecurity-related topics, they can leverage their existing relationships with each board member, anticipate the types of objections individual directors might raise and, consequently, present an insightful, detailed and compelling case to justify the investment in cybertechnology.

Further, given that finance leaders know where a firm’s critical assets reside within the corporate network, they can provide context for requests to invest in cybersecurity technology. Using layman’s terms, they can describe what a proposed technology investment will accomplish that the existing software and hardware is unable to do. They can explain to board members in specific terms why it’s important to invest in a next-generation firewall, for example, and how that software protects the firm’s critical assets.

Providing such context can make the difference between the board accepting or rejecting a request for an investment in technology. Without context, a CIO’s request for a more advanced firewall might fall on deaf ears if the board fails to understand the “why” driving the purchase decision. Finance leaders can also function in their traditional role by explaining the impact of any cybersecurity-related purchases on the organization’s existing budget and projected financial statements.

A New Era Creates a New Role for Finance Leaders

The rush to automate business transactions means that technology will play an increasingly larger role in how businesses operate as a whole. Unfortunately, the more technology that businesses embed within their operations, the greater the threat posed by cybercriminals. Finance leaders excel at the basic elements of their role, yet today, they must also help bridge the gap between the board and the IT department. In extreme examples, the ability of an organization to withstand a cyberattack and remain in business depends on it.

W-2 Phishing Scams Increasingly Target Payroll Personnel

The W-2 phishing scam often targets payroll and HR professionals. Learn how to prevent it and what to do if your data is compromised.

Often appearing to be from a corporate executive, it begins with a friendly “Are you working today?” email. But the W-2 phishing scam quickly escalates to a request for W-2 information.

What happens when fraudsters succeed? “Cybercriminals who successfully steal W-2 forms immediately attempt to monetize their thefts,” notes the IRS. “Criminals may immediately attempt to file fraudulent tax returns claiming a refund. Or, they may sell the data on the internet’s black market sites to others who file fraudulent tax returns or use the names and SSNs to create other crimes.”

Here’s what finance leaders need to know about avoiding W-2 phishing scams and limiting the damage if one should occur.


Any employee — especially in this case HR or payroll staff — who has access to sensitive information should receive regular training and updates on phishing scams and how to avoid them. The IRS notes, for example, that it “never initiates contact with taxpayers by email, text messages or social media channels to request personal or financial information. Any contact from the IRS will be in response to a contact initiated by you. Cybercriminals, when they learn of a new IRS process, often create false IRS websites and IRS impersonation emails.”

In addition, cybersecurity experts strongly recommend auditing and potentially reducing the number of employees with access to W-2 and other sensitive information. The more people with access, the greater the risk of falling victim to a scam.
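One way to turn the pattern described above into a mail-gateway check, as an added example that does not come from the original article or the IRS: it accumulates signals per sender, so the friendly opener and the later W-2 request are judged together. `ORG_DOMAIN`, `EXECUTIVES`, the signal and verdict names and the sample messages are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Set

# Assumptions for this sketch: the organisation's own mail domain and the
# executive names worth watching for impersonation.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"dana smith"}

W2_REQUEST = re.compile(r"\bw-?2s?\b|\bwage and tax statements?\b", re.I)
OPENER = re.compile(r"\bare you (working|available|in the office|at your desk)\b", re.I)
DMARC_FAIL = re.compile(r"\bdmarc=fail\b", re.I)
SENDER_ANOMALIES = {"exec-name-external-sender", "reply-to-mismatch", "dmarc-fail"}


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def signals(raw: str) -> Set[str]:
    """Return the heuristic signals raised by one plain-text, single-part message."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    found = set()
    if display.strip().lower() in EXECUTIVES and _domain(sender) != ORG_DOMAIN:
        found.add("exec-name-external-sender")
    if reply_to and _domain(reply_to) != _domain(sender):
        found.add("reply-to-mismatch")
    # Trust Authentication-Results only when your own gateway stamped it.
    if DMARC_FAIL.search(msg.get("Authentication-Results", "")):
        found.add("dmarc-fail")
    if OPENER.search(text):
        found.add("availability-opener")
    if W2_REQUEST.search(text):
        found.add("w2-request")
    return found


def triage(raw_messages: List[str]) -> Dict[str, str]:
    """Accumulate signals per sender address across messages; return a verdict for each."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for raw in raw_messages:
        sender = parseaddr(message_from_string(raw).get("From", ""))[1].lower()
        seen[sender] |= signals(raw)
    verdicts = {}
    for sender, sigs in seen.items():
        anomalous = bool(sigs & SENDER_ANOMALIES)
        if anomalous and "w2-request" in sigs:
            verdicts[sender] = "hold-and-verify"  # confirm with the executive by phone
        elif anomalous and "availability-opener" in sigs:
            verdicts[sender] = "watch"
        else:
            verdicts[sender] = "deliver"
    return verdicts


# Constructed sample messages (example.* domains are reserved for documentation).
OPENING = (
    'From: "Dana Smith" <dana.smith@example.net>\n'
    "Subject: Quick question\n\n"
    "Are you working today?\n"
)
FOLLOW_UP = (
    'From: "Dana Smith" <dana.smith@example.net>\n'
    "Reply-To: dana.smith@example.org\n"
    "Subject: Re: Quick question\n"
    "Authentication-Results: mx.example.com; dmarc=fail\n\n"
    "I need copies of all employee W-2 forms as a PDF today.\n"
)
INTERNAL = (
    'From: "Dana Smith" <dana.smith@example.com>\n'
    "Subject: W-2 schedule\n"
    "Authentication-Results: mx.example.com; dmarc=pass\n\n"
    "Reminder: W-2 forms are released through the portal on Friday.\n"
)

if __name__ == "__main__":
    print(triage([OPENING, FOLLOW_UP, INTERNAL]))
```

A W-2 keyword alone does not hold a message; the internal reminder is delivered because none of the sender anomalies fire.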

Mitigating Losses

In the unfortunate event that employee information has been compromised, speed is of the essence. As soon as you believe that you may be a victim of a W-2 phishing scam, the IRS recommends emailing to alert them of a W-2 data loss. Putting “W-2 Data Loss” in the subject line will help ensure that the email ends up in the right place. In the email, make sure to include the following information:

Business name
Business employer identification number (EIN) associated with the data loss
Contact name
Contact phone number
Summary of how the data loss occurred
Volume of employees impacted

In the email, do not include any employee personally identifiable information.

Ready for Cybersecurity Awareness Month? Get Ahead With Our Top Five Tips

October is cybersecurity awareness month — and while organizations can never drop the ball on securing corporate networks, the end of summer is a great time to pause, take a deep breath and take a hard look at security processes currently in place. Is your business doing enough? Where can finance leaders improve? How can your organization stay ahead of threats?

From mitigating systemic threats to evaluating internal controls, reducing BYOD risk, boosting email security and educating employees on data safety, we’ve collected the top five tips to help enhance your security posture.

1. Stemming Systemic Financial Risk

As noted in Cybersecurity Attacks: The Rise of Systemic Financial Risk, the interconnectivity of modern organizations creates tremendous opportunities for businesses and attackers alike. The result? Costs are on the rise with enterprises out almost $1 million per attack. More worrisome? Systemic, widespread threats such as popular POS compromises or “runaway algorithms” could have global repercussions. Staying safe means recognizing this new threat vector and implementing new security controls, such as cloud-based monitoring systems for automated algorithms that communicate with human IT personnel and ensure all third-party security expectations are clear and in writing.

2. Improving Internal Controls

Effective cybersecurity awareness demands solid review and testing, particularly when it comes to internal controls. As explained in Reevaluating Internal Controls for Financial Security, while permission-based controls are essential, organizations also need to stop and ask themselves why specific controls are in place. It’s also a good idea to regularly audit and test your control system for faults, then ask employees to “swap roles” for a day to get a fresh perspective — new users often see issues that staff using the system every day might overlook.

3. Mitigating BYOD Risk

Finance leaders can’t avoid BYOD, but they do need a reliable way to mitigate potential security risks. As noted by Mitigating Risk in BYOD Security, “corporate networks can be easily breached through lapses in BYOD security” and this risk is increasing as employee devices diversify. The solution? Start with reliable, cloud-based mobile device controls that let IT monitor connections, regulate downloads and wipe data at a distance if required. Just as important? A robust mobile management policy which clearly states expected employee conduct and potential consequences.

4. Evolving Email Security

Despite the rise of SMS and video conferencing, email remains the go-to corporate communications method. The problem? As noted by Leading the Charge: HR Managers and Employee Email Security, 30 percent of phishing emails are still opened by employees and more than 10 percent of staff click on suspicious links — putting entire networks at risk. Security here requires a dual effort: First, organizations need to leverage technology controls such as Transport Layer Security (TLS) and Domain-Based Message Authentication, Reporting and Conformance (DMARC) to manage obvious attacks. Next, finance leaders should tap human resource professionals as “the ideal choice to design people-friendly training plans, which help staff recognize potential email scams and report any accidental opening or downloading.” Put simply? Tech solutions combined with “human firewalls” can help evolve email security efforts.

5. Educating Employees on Data Safety

Employees are also a feature in the effort to improve data safety. As the article 4 Methods to Enhance Data Security highlights, “data security begins with the employee.” But what does this look like in practice? First, staff must understand the value of their network credentials; passwords and login details should always be kept confidential. Next up is strong password creation. Consider: Bill Burr recently took back his advice on regularly changing passwords and ensuring they’re replete with numbers and symbols. Now, experts suggest that employees create strong passwords composed of phrases or concepts they’ll remember, and only change these passwords in the event of a potential breach. Last but not least? Restrict access per-employee and across departments.

Cybersecurity awareness month offers the opportunity to take stock, evaluate current processes and make infosec improvements. Start strong — address systemic and BYOD risk, improve internal controls, evolve email access and educate employees to shore up corporate security.

Do You Have a Sexual Harassment Complaint Procedure in Place?

No business is invulnerable where sexual harassment in the workplace is concerned. Does your small business need a sexual harassment complaint procedure?

No business is invulnerable where sexual harassment in the workplace is concerned. Federal, as well as state and local laws prohibit workplace harassment. However, some laws apply to employers who meet certain employee thresholds.

However, even if small employers aren’t subject to anti-harassment rules, should they follow suit?

The short answer is yes. Just because your tight-knit business’s employee headcount doesn’t meet the threshold of anti-discrimination laws like Title VII of the Civil Rights Act (15 employees) or applicable state and local laws, it doesn’t mean that you and your business can’t be sued — or that harmful and inappropriate behavior can’t occur.

“It is still a best practice for a small business owner to have an effective anti-harassment policy in place,” advises Kristin LaRosa, senior counsel at ADP. “A company’s demonstrated commitment to an organization free from harassment or discrimination is the first step toward eliminating workplace harassment.”

Create a Policy

To be effective, your anti-harassment policy should expressly state your zero-tolerance stance toward harassment. Consider whether your policy will extend to non-employees such as third parties, clients, vendors, or contractors. Some state or local anti-harassment rules may even extend to such individuals.

“The policy should provide clear examples of both physical and nonphysical prohibited conduct,” according to LaRosa. Prohibited physical conduct could be quid-pro-quo threats along the lines of, “If you don’t let me X, I’ll sabotage your work.” Nonphysical harassment creates a hostile work environment, for example telling crude sexual jokes to an unwilling listener or sending an offensive email or text message.

In your policy, clearly state that protections extend to not only sex-based harassment but to any other federal, state or locally recognized characteristic, including race, color, national origin, religion, disability and age. Also include a statement making it clear that if the policy is not followed, action up to and including termination may occur. As LaRosa warns, “Companies should emphasize [that] all complaints will be treated seriously and receive a prompt response and appropriate remedial action.”

Lastly, state that no one who raises a complaint or participates in investigations will experience retaliation. Your policy’s effectiveness will be severely limited if employees are afraid of using it.

Create a Procedure

Your sexual harassment complaint procedure, which should be included in the policy, starts with a complaint by either a victim of or a witness to harassment. Your complaint, investigation and resolution procedure should allow “employees to immediately report complaints and provide multiple avenues to raise the complaint,” advises LaRosa.

The procedure should:

Denote who receives complaints — for example human resources, supervisors, the C-suite or board members

Designate who conducts investigations, whether a well-trained internal investigator (traditionally HR conducts) or an independent outside investigator (especially when the accused is high-level), as long as they’re unbiased and unconnected with either party

Determine exactly what happened

Document every step from complaint to investigation to interviews and determination in a fact-centric way

The investigator should have “clear guidelines on how to assess the credibility of the complainant, alleged harasser and any witnesses,” notes LaRosa. “Once the investigator makes their recommendations, take any appropriate corrective action and advise the complainant that appropriate action was taken. Continue to follow up with the complainant to ensure that no further harassment has occurred.”

Take Action

Once your policy and procedure are written, implement them with training. It’s not simply best practice — in states like Maine, California, Connecticut and New York, it’s mandated. Ensure that leaders are trained not only on policy and procedure but also on how to prevent, identify and handle complaints. Have everyone sign off on the policy, indicating that they’ve read and understood it, and make that acknowledgment part of their files.

“Business owners cannot afford to bury their heads in the sand,” warns LaRosa. “They must constantly audit effectiveness of their policies and procedures to ensure all employees, including those in the C-suite and ‘star’ performers, are held accountable for their conduct.” Make modeling expected behavior and monitoring situations part of leaders’ jobs.

Big Data for Cost-Effective Expansion: What You Need to Know

When it comes to expanding into new locations, the first question is always, where? For the CHRO, the question may actually be who? While the rest of the C-suite may be scoping locations based on customer base or tax regulations, HR will be working to find the best talent in the best location for the best money. To get this done, you will want to consider big data for cost-effective expansion.

Choosing a Location Based on Revenue

The decision surrounding new locations is never simple. For example, retailers and food franchises not only need to know where potential customers are, but where customers will be over the 10- to 25-year lifetime of the investment in new locations. But for HR, expanding to a new location goes beyond finding where the customers are.

Your organization may be using big data to identify the main components of existing effective locations and why they succeed, as well as locations most likely to pull in customers. For example, John Crouse, director of Wendy’s real estate services, told Fast Company that the restaurant chain came up with its own “urbanicity scheme,” using “GIS platforms to help break down which blocks in an urban downtown will have high foot traffic and similar factors.” Starbucks, on the other hand, uses data pertaining to “nearby retail clusters, public transportation stops, and neighborhood demographics” from their “in-house mapping and business intelligence platform” when evaluating new locations in China.

Once your location and potential customers are identified, how do you find the talent to fill positions in your new location? According to LinkedIn, you might want to start with the Bureau of Labor Statistics (BLS) to analyze metrics like unemployment rates in the area, to get a better sense of how many people may answer your ad and what kind of compensation they’ll be looking for.

Choosing a Location Based on Talent

If your organization is choosing a new location based on available talent, you’ll need to decide what elements are the most vital to your organization’s new office. The Corporate Executive Board (CEB) suggests that CHROs take the same approach to analyzing labor markets in new potential locations with fact-based analysis of talent demographics seeking answers to questions like: Which cities have the talent with the right skills? What are the hiring patterns in the cities of interest? What universities are or could be the most logical sources of future talent? How can the firm get the optimal talent at the best price? Where are competitors, partners and suppliers establishing talent skill hubs?

Those determinants need to be expressed in a number value. For instance, instead of stating that an important segment is a “strong labor market,” it should be expressed as the number of universities and colleges within 50 miles of the potential location.

Collect and Analyze the Data

The next step in using big data for cost-effective expansion involves collecting the data for each factor in each location. What are the tax rates in each location? What are average commute times? How many competitors are located near those locations? How many universities within 50 miles? When it comes to compensation and benefits, what is appropriate given local market averages?

It’s at this point that patterns and correlations in the data will become evident, and it can then be compared to benchmarking data from both GIS and human capital management (HCM) systems so that HR teams can analyze data in comparison to industry best practices.

Use Insights to Find New Locations That Match

Considering the large investments required to expand into new locations, organizations should make the most informed decisions possible. By correlating existing data and benchmarking data, CHROs gain insight that informs the best expansion decision possible for their organizations.