The government is facing renewed calls to pick up the pace on pushing through statutory regulation for payroll processing firms, in the wake of a series of cyber attacks against umbrella companies that left thousands of workers across the UK struggling to pay their bills.
Umbrella companies process the payroll for large numbers of contractors that provide their services via an employment agency to end-clients in the private or public sector.
This creates a labour supply chain through which a sum of money will pass from the end-client to the agency, and then on to the umbrella company and – finally – the contractor.
The Low Incomes Tax Reform Group says there are about 500 umbrella companies in operation across the UK, employing at least 600,000 freelance workers and contractors on behalf of 40,000 employment agencies.
It is difficult to say with any degree of accuracy just how much money passes between all these entities during a typical contractor payday cycle, but it is certainly a sizeable enough amount to have captured the attention of the cyber criminal community.
Several of the umbrella industry’s biggest players – Giant Group, Parasol and Brookson Group – have been the target of cyber attacks in recent months, causing untold disruption to the payday cycles of the thousands of contractors they employ.
All three attacks saw the firms involved proactively disable their external-facing systems to contain the damage caused for several days afterwards, delaying salary payments to contractors, while making it difficult for them to get in direct contact with the affected companies.
While none of these firms had, at the time of writing, confirmed the nature of the cyber attacks that blighted their systems, cyber security experts have suggested in all cases that ransomware may have been involved.
This is on the basis of how long it took each company to bounce back from the attacks and become fully operational again, as well as the wide range of systems that were taken offline during the incidents.
“The umbrellas that have come under attack so far are among the biggest players in the market, and that’s not really surprising because there’s no point attacking a smaller umbrella because the attackers are just not going to make the money from it,” said a source with close working knowledge of the umbrella market.
“The fact that it’s gone Giant, Parasol and Brookson so far means there are other companies out there that I think will be looking closely at their systems and trying to understand what’s happened and how they can try to prevent becoming the next victim because there is every chance this will happen again.”
The source added: “I know companies outside of our sector that have been hit by ransomware that don’t have the complexity of payroll receiving and paying money in the same way that umbrellas do. It’s just a complete nightmare because it just wipes out and locks all their systems. It’s not a position any company, let alone an umbrella, wants to find themselves in.”
On that point, the National Cyber Security Centre (NCSC) said in its annual report, in November 2021, that ransomware attacks are now the most “immediate” and “significant” cyber security threat to UK businesses, with increases in both the scale and severity of attacks in recent months.
Copycat attacks and identity theft
Apart from suspected ransomware attacks, the industry has also been targeted by fraudsters who clone umbrella companies in the hope of extracting payment from employment agencies and end-clients.
In these attacks, the perpetrators have sought to infiltrate and divert funds from the end-client-to-contractor labour supply chain by imitating and trying to pass themselves off as reputable umbrella companies.
“That’s a completely different kettle of fish to the other type of attacks we’ve seen recently within the umbrella sector, but they can still have huge financial implications for the companies that get targeted,” said the umbrella market source.
These types of attack all follow a similar pattern, whereby a new company is registered with Companies House that has a similar name to an existing umbrella firm, effectively creating a clone of that company.
Individuals working for this clone will then contact employment agencies and end-clients and try to pass themselves off as working for the company they are imitating.
Typically, this contact will include a notification that the umbrella company being spoofed has changed its banking details, and all future invoices should be paid into a new bank account.
“If the copycat company successfully manages to dupe an agency in this way, that could result in a whole week’s worth of wages – that are supposed to be paid to contractors – going missing,” said the source. “Where some of the big umbrella companies are concerned, we could be talking about millions of pounds going walkabout.”
The Freelancer and Contractor Service Association (FCSA), which counts Giant, Parasol and Brookson as members, issued a warning in September 2021 to the extended contractor labour supply chain about the problem of company clones. This was after it discovered at least 10 of the umbrella companies that make up its membership had fallen victim to the practice.
After this discovery, the FCSA urged employment agencies to tread carefully when receiving requests from umbrella companies about changes to their contact or banking details.
“We would advise any agency dealing with any partner company, where money is transferred, to agree on a clear transfer protocol with their partner and to treat with caution any approach that states that banking arrangements have been altered or bank accounts have changed and that funds should now be diverted to that account,” the FCSA said in a statement at the time.
Data blackouts and the impact on HMRC’s reporting
Whether it is due to ransomware attacks or cloning, any incident that affects the ability of the umbrellas to pay their contractors can also cause problems for these companies when it comes to meeting their legal obligations to report their payroll activities to HM Revenue & Customs (HMRC).
This reporting is done through the PAYE Online service, which is an online portal that employers are expected to use to send payroll information to HMRC. Failing to report this data can result in companies incurring financial penalties, with the size of these depending on the number of employees on their payroll.
Following the attack on Parasol in January 2022, for example, the company issued a series of email updates that said it was unable to run its normal payroll processes, but had introduced contingency measures that meant it could pay contractors amounts that were “broadly in line” with what they were usually paid.
“Please don’t worry if your payment is higher or lower than you were expecting,” the company said in an email dated 20 January. “Once our systems are fully operational and we are able to run a normal payroll, we will make an adjustment for any difference in pay advanced to that which would have been paid normally, in a future payroll.”
A Parasol contractor, who spoke to Computer Weekly on condition of anonymity, said that with the firm seemingly having to rely on guesswork and assumptions to work out what its contractors should be paid during this period, there are likely to be gaps in the payroll data it reports to HMRC.
Parasol is known to employ at least 13,000 freelance workers, and with many of them paid weekly, the contractor claimed the firm will have a huge backlog of payroll data to share with HMRC in the wake of the attack on its systems.
“I don’t see how they will fix this without manually going through the tens of thousands of records for all those missed weeks,” said the contractor.
Computer Weekly contacted Parasol for clarification on how it has set about meeting its HMRC reporting obligations after the attacks, but at the time of writing, no response had been forthcoming.
Meanwhile, when asked by Computer Weekly what the possible repercussions might be for umbrella companies that fail to meet their reporting obligations, HMRC said it is unable to comment on “identifiable taxpayers” but said it does “take an understanding approach whenever taxpayers find themselves unable to meet their obligations due to unforeseen or exceptional circumstances”.
An HMRC spokesperson added: “We would encourage taxpayers who find themselves in these situations to contact us direct.”
Crawford Temple, CEO of Professional Passport, a company that provides compliance assessment services to umbrella companies, said any contractors concerned with how their earnings are being reported in the wake of the attacks should open up a personal tax account with HMRC.
“If they register for a personal tax account, basically what that does is show them what data HMRC is holding on them for their earnings during that period of the tax year,” he said. “We recommend this anyway for umbrella workers because it helps them spot if a company is doing something in the background that maybe it shouldn’t.”
Expanding on this point, Temple cited examples whereby non-compliant umbrella companies might engage in behaviours that leave contractors out of pocket, by making unnecessary deductions from their pay, for example.
“There are non-compliant umbrella companies that will send a payslip that is perfectly legitimate to a contractor, but then the HMRC data bears no relationship to what is on the payslip,” he said.
“By creating a personal tax account, they can see what is being reported on their income, and make sure that tallies and matches the payslips they have received. It’s a backstop check for anyone.”
Renewed calls for regulation
While there are workarounds to minimise the disruption and distress these attacks have on the companies involved and their employees, the incidents have prompted another round of calls for umbrella companies to be statutorily regulated.
The aftermath of the Giant Group cyber attack in September 2021 saw contracting stakeholders call on the government to expedite the process of introducing statutory regulation for umbrella firms after years of slow progress on this point.
Back in 2017, the government advised to introduce statutory regulation for umbrella companies by the former interim director of labour market enforcement, Matthew Taylor, and it has come under repeated criticism since then for failing to follow through with this recommendation in a timely fashion.
In December 2021, HMRC, in collaboration with HM Treasury and the Department for Business, Energy and Industrial Strategy (BEIS), announced the launch of a consultation into how the umbrella market works. This move was viewed as a sign that the government was making some moves towards regulating umbrellas firms.
This consultation runs until February 2022, meaning regulation will remain some way off for a while yet, but umbrella industry watchers are of the view – with the market coming under increased attack from cyber criminals – that more progress is urgently needed to protect contractors.
“The umbrella companies industry’s job is to process people’s earnings, so a cyber attack on these companies has a direct impact on the umbrella company workers,” said Rebecca Seeley Harris, chair of the Employment Status Forum and co-author of a policy paper on umbrella regulation. “It is therefore unbelievable that the industry is still unregulated with so much at stake.
“Although regulation will not stop a cyber attack, it would make sense that there are certain measures taken to safeguard the earnings and also ensuring that these companies have active information security management systems, possibly even ISO 27001.”
Seeley Harris added: “Continuity of business is vital, especially the communications to the workers, so these are all areas that future regulation should focus on. Hopefully, the [HMRC consultation] Call for Evidence will be well responded to and the government can prioritise regulating the industry and protecting the worker.”
Regulation urgently needed
The Loan Charge Action Group (LCAG), which is concerned with campaigning against the government’s ongoing disguised remuneration loan charge policy, is also of the view that regulation is urgently needed to protect contractors working through umbrella companies.
“It is hugely worrying for all those freelance workers who work through umbrella companies that several have suffered cyber attacks, which has led to delays in payment and fears of data breaches,” said LCAG spokesperson Steve Packham.
“This is another example of the challenges of being a contractor, as well as another reason why we need regulation of the umbrella company sector. All contractors and freelancers need to have confidence that any payroll provider will pay them the correct rate, on time, while behaving ethically and with full transparency and paying the correct taxes due.”
Packham added: “It is time the government stopped ignoring this huge issue and made clear how contractors should operate, so avoid all these kinds of unnecessary problems and another loan charge scandal, which happened due to bad legislation and a clear prejudice in Whitehall against freelance workers.”
The All-Party Parliamentary Loan Charge and Taxpayer Fairness Group (APPG) echoed these calls for regulation in a letter addressed to FCSA CEO Chris Bryce, dated 24 January 2022, in which it referenced the reports of FCSA-accredited companies being the target of cyber attacks.
“Considering that many UK workers are reliant on their livelihoods by being paid by umbrella companies, which hold confidential data, including bank account details and other sensitive details, this is hugely worrying,” said the letter, signed by all three co-chairs of the APPG.
“Considering this and the huge sums involved overall, this is surely another reasons why regulation of the market – something that the FCSA has told us it supports – happens as soon as possible.”
Strict codes of compliance
At the time of writing, it was unclear whether the FCSA had received or responded to the APPG’s letter, but in a separate statement to Computer Weekly, Bryce said the association’s members “must abide by our strict codes of compliance, which specifies they must follow the highest level of professional and ethical standards”.
He added that the FCSA “continues to liaise with stakeholders and our members to ensure the industry can best protect itself from future cyber attacks, which includes supporting members and referring them to third-party expert advice”.
When it comes to the need for regulation, Professional Passport’s Temple has a different take, and said the recent spate of cyber attacks in the sector highlights a need for better enforcement of the existing rules under which umbrella companies operate.
“Whether an umbrella company is regulated or not, data protection and things like that have standards around them that would apply to an umbrella company in the same way they would apply to any other organisation,” he told Computer Weekly.
“To be honest with you, regulation is a bit of a red herring. If you look at most of the non-compliance that goes on in the sector – disguised remuneration, tax avoidance, all of that – it’s already breaking existing rules. You don’t need regulation – you need enforcement.”