THE NEW COMPETITIVE EDGE: PEOS AND THE FIGHT FOR WORKFORCE INTEGRITY

BY ELI POLANCO

CEO
Nivelo

BY OYE FAJOBI

Head of Product
Nivelo

October 2025

 

Workforce compliance, a vital and complex function for new and small businesses, is facing a novel form of risk. While PEOs have long been the trusted experts in this space, a sophisticated cyber threat has emerged where organized criminals are leveraging a “phantom workforce” to infiltrate companies and divert millions of dollars.

Recent headlines, in which a single fraud ring generated $17M in illicit wages from 300 victim companies, are just the tipping point. Behind the scenes, long-standing and rapidly expanding schemes begin with fraudsters targeting US companies using stolen identities to obtain employment illegally—often blending real Social Security numbers with fabricated names and credentials. Once employed, these phantom workers launder paychecks back to their organizers, bypassing traditional controls.

New and smaller companies without dedicated security teams and financial reserves are especially vulnerable—a single incident can quickly balloon from financial loss to a battle for the company’s survival, creating costly legal and regulatory exposure. One in three SMBs faced a cyberattack in the past year, with average losses of $254K and some exceeding $7M, according to Microsoft’s Security SMB Vulnerabilities report. Luckily, PEOs are uniquely positioned to protect these businesses.

Managing workforce risk across hundreds or thousands of clients, PEOs have the scale, expertise, and technology to respond proactively.

REMOTE WORK AND DIGITAL ONBOARDING

While remote work and digital onboarding have brought unprecedented flexibility and reach to growing businesses, they have also created new entry points for fraud. Systems designed for in-person verification now handle candidates who may be continents away, making it harder to spot impostors.

For small businesses, the drive to fill roles quickly often means online hiring moves faster than security checks, leaving gaps that today’s cybercriminals know how to exploit. The result is a strategic vulnerability that opens the door to this phantom worker payroll fraud, demanding fresh approaches from PEOs and their clients. As more companies move to decentralized teams and remote-first models, these schemes have only proliferated.

THE SYNTHETIC WORKFORCE THREAT

Imagine running a small business and being strapped for time, trying to fill a critical IT or operations role. You post a remote job, receive impressive resumes, interview a U.S. candidate over video, and—without a physical office—hire the best fit whose documents check out. Months later, law enforcement arrives: more than $100,000 in payroll has been funneled overseas, IRS questions are piling up over stolen identities, and your company’s sensitive data is at risk. Only then do you discover your “employee” never existed—a pawn in a global, highly organized payroll fraud ring.

Government investigations confirm that thousands of North Korean IT workers are active in every state, using deepfake documents, “laptop farms,” and stolen credentials to impersonate U.S. employees and contractors. Experts highlight the scale: Up to 90% of U.S. tech job postings are estimated to encounter these actors as they blend into remote teams and pass digital checks.

Nation-state handlers pressure these workers, who are sometimes forced to meet quotas as high as $20,000 per month under threat of harsh punishment or forced labor. The national financial impact is staggering, with U.S. organizations losing more than $600 million so far.

Fraudulent hires are embedded, running regular schedules, appearing in Slack and project management tools, delivering plausible work output, and quietly siphoning funds for months. Most small and mid-sized employers, relying on fragmented onboarding or payroll systems, are unlikely to spot these anomalies before the damage is done.

That’s why PEOs matter more than ever. By integrating onboarding, payroll, compliance, and risk, PEOs centralize oversight and can detect patterns that would elude individual employers. When suspicious credentials or direct deposit changes appear, PEOs can investigate early, often preventing financial loss or regulatory disaster. Yet even for industry leaders, the threat persists: Paychex reports that about 10% of the 500,000 bank account change requests they review annually are flagged as fraudulent.

Fragmented, disconnected systems are a playground for sophisticated fraudsters—industry analysis confirms these actors thrive wherever payroll, HR, and banking systems don’t communicate. Centralized insight is the proactive shield companies need to confront the phantom workforce threat.

IS YOUR PEO READY TO LEAD?

PEOs can empower clients to take real action against payroll fraud. Ask these questions to assess whether your PEO is truly ready to seize the opportunity and deliver trust in the age of synthetic payroll risk:

System Integration & Cohesion

  • Does our system connect payroll, HR, banking, and risk management for end-to-end visibility and control from onboarding to separation?
  • Are red flags—like inconsistent employment data—shared instantly across departments and flagged for action?
  • Do we maintain master records that allow us to monitor discrepancies throughout employment, not just at onboarding?

Transaction-Level & Independent Verifications

  • Do we use transaction-level monitoring for anomalies in payroll or benefits, catching issues in real time rather than after the fact?
  • Are independent, multi-factor identity checks and HRIS-versus-banking ownership checks required, not just at hire, but on every direct deposit change?
  • Can our systems automatically flag and halt payments to suspicious accounts, such as those owned by unrelated entities?
  • Are we verifying physical presence or work location when possible, and running extra checks for remote roles as recommended by consultants?
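One way to implement the ownership check and automatic payment hold these questions describe, as an added example that is not from the article or any vendor's product. The record layout, the `verified_owner` field (assumed to come from a bank-account ownership verification service) and all sample data are constructed for illustration; the shared-account signal goes one step beyond the checklist.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed HRIS master records: employee_id -> legal name on file.
HRIS_MASTER = {"E1001": "Maria T. Alvarez", "E1002": "John Smith", "E1003": "Dana Whitfield"}

@dataclass
class DepositChange:
    employee_id: str
    routing: str
    account: str
    verified_owner: Optional[str]  # from an assumed ownership-verification service; None = no answer

# Constructed direct deposit change requests (routing/account numbers are placeholders).
SAMPLE_CHANGES = [
    DepositChange("E1001", "000000001", "11112222", "ALVAREZ, MARIA"),
    DepositChange("E1002", "000000001", "33334444", "John and Jane Smith"),
    DepositChange("E1003", "000000002", "55556666", "Brightline Consulting LLC"),
    DepositChange("E1002", "000000002", "55556666", None),
    DepositChange("E9999", "000000003", "77778888", "Alex Doe"),
]

def name_tokens(name):
    """Lowercase, drop punctuation, initials and joiners so 'Maria T. Alvarez' matches 'ALVAREZ, MARIA'."""
    words = re.findall(r"[a-z]+", name.lower())
    return {w for w in words if len(w) > 1 and w not in {"and", "or"}}

def review(changes, master=HRIS_MASTER):
    """Return (employee_id, 'HOLD' | 'RELEASE', reasons) for each change, in order."""
    first_user = {}  # (routing, account) -> first employee seen using that account
    results = []
    for c in changes:
        reasons = []
        legal = master.get(c.employee_id)
        if legal is None:
            reasons.append("no HRIS master record")
        if c.verified_owner is None:
            reasons.append("account owner unverified")
        elif legal and not name_tokens(legal) <= name_tokens(c.verified_owner):
            reasons.append("account owner does not match HRIS name")
        owner_id = first_user.setdefault((c.routing, c.account), c.employee_id)
        if owner_id != c.employee_id:
            reasons.append(f"account already receives pay for {owner_id}")
        results.append((c.employee_id, "HOLD" if reasons else "RELEASE", reasons))
    return results

if __name__ == "__main__":
    for emp, decision, reasons in review(SAMPLE_CHANGES):
        print(emp, decision, "; ".join(reasons))
```

A held change should keep pay flowing to the previously verified account until a reviewer clears it, and each decision with its reasons belongs in the audit trail.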

Other Enabling Actions

  • Are clients and staff regularly educated about new fraud tactics, including recognizing urgent or unexpected requests for account changes?
  • Are audit trails thorough and available for every payout action, enabling fast investigations and strong accountability?
  • Do we continuously review and adapt our risk posture, positioning our PEO as a trusted security champion?

It’s worth noting that nearly half of the 300 companies affected by recent synthetic payroll attacks engaged hiring help through employment management services and platforms that failed to enforce workforce integrity. For PEOs, the opportunity is clear: taking decisive steps not only protects clients but also sets your firm apart from competitors as a proactive leader.
