The security threats faced by Giant Pay and Unified Payroll have sent shockwaves through the umbrella company marketplace. Thousands of contractors have failed to receive their hard-earned salaries, and a lack of communication has caused extreme frustration by those impacted. We sincerely hope everything is resolved shortly. Our thoughts are also with the affected staff at the umbrella companies – because they must be having a terrible time. Our latest blog is written for umbrella company employees and those considering using an umbrella company soon. We’ve collated some helpful advice for contractors to stay safe online when using an umbrella company.
What has recently happened in the umbrella company marketplace?
The umbrella company marketplace has recently been hit by a series of cyber-attacks and security breaches. FCSA accredited umbrella company Giant Pay were hit by a “sophisticated cyber-attack” in September 2021. And, another well-known umbrella company, Unified Payroll, also suffered concerns and admitted to a “security issue” with their bank account.
The security breaches caused chaos and resulted in thousands of contractors failing to be paid. As we write this article, the situations have not been fully resolved.
Our thoughts are with everyone at the affected companies and all umbrella company employees who have experienced issues receiving their pay. We hope everything is resolved satisfactorily as quickly as possible.
Ensure secure methods of uploading documents and signing paperwork are in place
When you join an umbrella company, you’ll need to provide personal information – either over the phone or by completing an online registration form. You’ll also need to provide proof of your identification and your right to work in the UK. It’s extremely important that you provide these pieces of information using a secure network – to ensure security threats are not possible.
Before you can be paid by an umbrella company, you will also be required to sign and return the Contract of Employment. There are leading pieces of software out there designed for the secure signing of PDF documentation. Please make sure the umbrella company uses a reliable software provider for the signing of paperwork – before you go ahead and use it.
Never open an email or click a link unless you’re certain it’s legitimate
Criminals are targetting umbrella company employees by posing as the umbrella company. It’s vital you only open an email if you’re sure it’s from the right point of contact at the umbrella company. If you have any doubts at all – contact the umbrella first – before opening anything.
Checking an email is secure can be complex. We recommend you check that the sender’s address is legitimate and that the URL matches the umbrella company’s URL.
If you’ve open an email and you suddenly doubt whether it’s genuine – don’t panic. Don’t click on any links, and don’t download any files. Delete the email and alert your umbrella company to the scam you suspect is targetting employees in your shoes.
Always raise any concerns with your umbrella company – as soon as they arise
If you ever have any queries or concerns regarding communication from your umbrella company – please get in touch with them immediately. Compliant umbrella companies exist to process payroll and will do everything they can to protect employees. However, if criminals find a way of targeting you for their gain – they won’t hesitate to try and trick you.
Should something unusual happen and you get an email or SMS that you think could be sent from fraudsters, your umbrella company will want to do everything possible to get to the bottom of it. Compliant umbrella companies want to protect their employees from unscrupulous activities from criminal third parties.
Understand how umbrella companies work
This is really important. Once you register with an umbrella company, the umbrella should have all the information they require from you. After that, all you’ll need to do is submit timesheets to get paid on time and compliantly. Should you ever get a request from an umbrella company to pay them or provide personal information they already have, alarm bells should be ringing.
Don’t transfer any money until you’ve received clarification from your umbrella
Making payments back to your umbrella company is not unheard of, but it’s certainly a rare requirement. There are circumstances where you could be overpaid – either due to an administrative mistake on the umbrella company’s part or due to other circumstances. If you need to pay back some money to your umbrella, we recommend ringing them beforehand and ensuring you have the correct information to hand. Never risk making a payment online without speaking with the umbrella first.
Additional tips to stay safe online
Here are some more tips to stay safe when online. These are not focused directly on engaging with an umbrella company, but they’ll come in handy to protect you when using your computer or device with an internet connection.
- Make sure your device(s) have reliable and up to date anti-virus software installed.
- Keep your identity hidden if that’s your preference. We’re talking about social media here. If you don’t want your posts to be public, ensure your accounts are set to private. While the social media platform will delete your posts – should you wish to remove them yourself, other third party sites may hold on to them forever.
- Ensure your internet is secure and only use a secure VPN connection. Public Wi-Fi is not a suitable internet source for exchanging personal information and making purchases etc.
- Do not download something unless you’re sure it’s safe. Many dodgy emails will include files that are disguised as being usual and familiar.
- Always ensure your passwords are complex and secure. Strong passwords will be long, use capitals and lower-case letters, use numbers, and have special characters (such as exclamation marks, etc.).
- Change your passwords frequently.
- Never share personal information unless you are 100% confident it’s with the right people. If you ever have any questions or concerns, contact the company directly – before sharing information.
- Only purchase goods from secure sites.
- Check your device has a firewall in place – an added layer of protection from viruses and scams.
The National Cyber Security Centre has a very helpful article that we recommend you check out: Dealing with suspicious emails and text messages.
What should contractors do if their umbrella company suffers a security breach?
If you’re using an umbrella company that experiences a security breach (possibly a data leak), here is what you should do.
- Ask the umbrella company what the breach is, including what’s happened and what they’re planning on doing about it.
- Check the umbrella has abided by GDPR law and alerted the Information Commissioners Office (ICO) within the required timeframe (usually 72 hours from being made aware of the breach).
- Identify which records have been breached.
- Seek advice from the umbrella company regarding how you should move forward. For example, if a bank card has been breached, do you need to contact your bank to cancel it?
- Contact the umbrella company’s Data Protection Officer (DPO) to seek further information and clarity over the situation.
- Follow the situation closely and visit the umbrella company’s website for updates. Don’t be afraid to seek external advice, possible from contractor-focused forums, etc.
Advice for recruitment professionals who engage with umbrella companies
If you represent a recruitment agency, you must be vigilant with your incoming communications from so-called umbrella companies. The recent issues within the industry (Giant Pay) seem to have arisen due to fraudulent companies targetting recruitment agencies pretending to be umbrella companies. These criminals are sending fake bank details to recruitment agencies pretending to be a partnered umbrella company. Even if only a handful of agencies fall for this malicious and fraudulent attempt to obtain large sums of money – innocent businesses and temporary employees risk financial ruin.
In a recent news article, the FCSA announced they had identified up to 10 members who had been targeted by cloning. What appears to have happened is criminals are creating new limited companies on Companies House – with very similar names to existing umbrella companies. They are then targetting recruitment agencies by providing “new” bank details, when in fact they’re looking to set up dodgy payments to criminally-owned bank accounts.
Phil Pluck, Chief Executive at the FCSA, said the following:
“I can only assume that this cloning activity is designed to persuade others to think that they are dealing with a legitimate partner and that there is a financial motive underlying this activity.
This is not just aimed at FCSA companies, and so I would advise any agency dealing with any partner company where money is transferred to agree on a clear transfer protocol with their partner and to treat with caution any approach that states that banking arrangements have been altered or bank accounts have changed and that funds should now be diverted to that account.
We live in a highly cynical cyber world where there are many attempts to steal money from innocent parties. Thanks to the detailed due diligence checks that we have in place at FCSA, we were able to alert FCSA members and their partners to this issue at the earliest possible moment.
Do you represent an umbrella company?
If you work for a compliant umbrella company – please help us out by commenting below. Do you have any advice for contractors, freelancers and recruitment professionals who engage with umbrella companies? All your thoughts are most appreciated, and we’ll update this blog with the comments we receive.
Top 10 umbrella companies
If you’re looking for an umbrella company you can trust – you’ve come to the right place! The umbrellacompanies.org.uk team has created a list of our top 10 umbrella companies – and they’re all accredited by either the Freelancer and Contractor Services Association (FCSA) or Professional Passport. And, some have special offers at the moment!