Prevent fraud on your Gusto account

Fraud can occur in many different ways—account takeovers, W-2 phishing, business email compromise schemes, and more.

Heads up: Industry trends show that fraudulent sign-in pages are on the rise—verify email senders, links, and websites before accessing them.

Click the dropdowns below to learn more.

How Gusto handles account takeovers

An account takeover (ATO) is a type of identity theft where a thief uses parts of a victim’s identity, such as an email address, to gain access to the victim’s Gusto account. Once the thief has access to a Gusto account, they can potentially commit financial crime.

As part of our robust security measures, we will send you a "suspicious sign in" email if we detect any unusual sign in activity so that you can verify your account is safe.

Protect yourself from an account takeover

To protect yourself, we recommend creating a new, strong password for your Gusto account every 3 months and enabling two-step verification.

Think you may be a victim of an account takeover?

Email [email protected] immediately so our Assurance team can assist you.

More info on W-2 phishing

The IRS anticipates an increase in W-2 phishing emails during tax season. Be on alert for any suspicious emails requesting W-2 information.

Here is a description of the scam from the IRS: “Cybercriminals use various spoofing techniques to disguise an email to make it appear as if it is from an organization executive. The email is sent to an employee in the payroll or human resources departments, requesting a list of all employees and their Forms W-2. This scam is sometimes referred to as business email compromise (BEC) or business email spoofing (BES).”

Gusto will never email you requesting W-2 information.

You can report phishing attempts to the IRS at [email protected]. Use “W2 Scam” in the subject line.

Business email compromise schemes

At Gusto we're always working to keep your company safe from any type of security threat. One kind of security threat known as a business email compromise has become an increasingly popular type of fraud in the payments industry.

What is a business email compromise scheme?

A business email compromise (BEC) is a fraud scheme in which a fraudster gains access to a business or personal email account and impersonates the owner of the email account in order to steal money from the company or related individuals.

How can you prevent BEC from affecting your business?

There are several steps you can take in order to protect yourself and other employees from a business email compromise. Below are security measures that anyone can take in order to protect themselves from a BEC:

Never update employee information when it is requested via email.
- If employee’s want to update their banking information they can log into their Gusto account and do it on their own.
If you feel that an email from an employee looks suspicious, talk with them over the phone or in person to confirm that they sent this email.
- You can also hover over the email address and see if it is coming from the employee’s real email address or a similar, yet fraudulent address.
Change your email password often.
- This can prevent someone from getting into your email with a password that you often use.
Enable two factor authentication on both your email account as well as your Gusto account.
- This can prevent someone from accessing your information when they have your password.
Do not open any emails that look suspicious or come from someone you do not recognize.
- Often times fraudsters will send phishing emails in order to gain access to your account.
If you receive an email that seems suspicious with Gusto related information you can reach out to our assurance team at [email protected].

How could this affect your Gusto account?

We make sure that your Gusto account is as secure as possible, but there are ways that fraudsters can target your company outside of your Gusto account. Below are different ways you could see a business email compromise affect your company:

An employee’s email can be compromised through phishing emails.
- The fraudsters then impersonate the employee and requests that the admin of the account changes their bank account to a fraudulent one. The admin does not realize it is a fraudster making the request and the employee’s paycheck is sent to a fraudulent account.
An employee’s email address is spoofed by a fraudster.
- This is when they create an email address very similar to the employee’s email, but change one or two characters.
- The fraudster then emails an account admin requesting a bank account change to a fraudulent account. The admin does not realize this is a different email than the employee’s real email address and they make the change. The paycheck meant for the employee then gets sent to a fraudulent bank account.
An employee’s email account is either taken over or spoofed by a fraudster.
- The fraudster then sends emails to admins requesting personal information. The admin does not realize they are emailing a fraudster and they provide sensitive information via email.
An Admin’s account is taken over by a fraudster through phishing or social engineering.
- The fraudster requests that a wire transfer be made from the company account to a fraudulent bank account. The person complying with the request believes they are emailing with the admin, but they do not realize they are complying with a fraudulent request.

What should you do if you suspect that you are being targeted in a BEC scam?

If anyone in your company believes that they are being targeted in a BEC scam, there are multiple steps you can take in order to make sure your information is safe.

Mark any suspicious emails as spam in your inbox.
Change your password for your email account as well as your Gusto account immediately.
Enable two-factor authentication on both your email and Gusto account.
Make sure the admins of your Gusto account are aware of the situation.

Reach out to [email protected] for further assistance.

Verify email senders, links, and websites

Only ever use one of the two methods below to sign in to Gusto:

Head to app.gusto.com/login or;
Use the Gusto Wallet mobile app.

Gusto-secured resources

Email communications come from: @gusto.com.
Website URLs end with: .gusto.com/

Verify if an email is from Gusto—it'll end in "@gusto.com"

Click the sender name to see the full email address
- If you're using a mobile device, wait until you're at a desktop computer to further inspect.
You can use the Gusto Wallet app directly to avoid sign-in phishing.

Verify if a website URL is Gusto-secured—it'll end in ".gusto.com/"

What to look out for:

Gusto-secured websites will show a lock icon next to the URL, indicating it's secure.
- Avoid "Not Secure" sites.
Gusto-secured websites do not have any other suffix other than ".gusto.com/".
- Example of a non-Gusto site: ".net" or ".co.uk"
Make sure there aren't lookalike or additional characters in the URL.
- Examples of a non-Gusto site: "gust0.com" or "gus-to.com".
".gusto.com" should always be at the end of the URL
- Example of a non-Gusto site: "gusto.com.runpayroll"