Important: Fake emails and sign-in pages are becoming more common—before you open an email, click a link, or visit a website, check to make sure they’re real.
Fraud can happen in many ways—account takeovers, email hacking, phishing websites, and more. At Gusto, we’re always working hard to protect you from security threats. This article covers common scams and things you can do to help us keep you safe.
An account takeover is when a scammer steals login information to gain access to an account, like Gusto. Once they’re signed in, they may be able to lock users out of their account, steal money or personal information, or use the account to scam others.
For sensitive actions like changing direct deposit, Gusto now adds an extra approval step that stops most account takeover attempts — even if a scammer has your password. See "How Gusto protects you" below.
An email compromise is when a scammer steals login information to gain access to an email account. Once they’re signed in, they may email others asking for sensitive information, like a home address, social security number, bank details, and more.
A phishing or spoofed website is a fake website that’s designed to look like a real one. Scammers use these fake sites to steal personal information, like usernames, passwords, bank details, and more.
Important: Gusto will never email you requesting W-2 information.
The IRS anticipates an increase in W-2 phishing emails during tax season. Look out for any suspicious emails requesting W-2 information.
Here’s a description of the scam from the IRS: “Cybercriminals use various spoofing techniques to disguise an email to make it appear as if it is from an organization executive. The email is sent to an employee in the payroll or human resources departments, requesting a list of all employees and their Forms W-2. This scam is sometimes referred to as business email compromise (BEC) or business email spoofing (BES).”
You can report phishing attempts to the IRS at [email protected]. Use “W2 Scam” in the subject line.
At Gusto, we’re always working hard to protect you from security threats. Here are a few things you can do to help us keep you safe.
Setting up 2-step verification adds an extra layer of security to your account. Even if someone knows your password, they cannot sign in without a special code that we send to your phone or app.
We recommend changing your password every three months. When picking a password, make sure:
It’s at least 12 characters long
It uses a mix of uppercase and lowercase letters, numbers, and symbols
It doesn’t include personal info (like your name, birthday, or company name)
It isn’t a real word or simple pattern (like password123 or abcABC!@#)
It’s unique — never reused for another site
Important: Only sign in to Gusto through app.gusto.com/login or the Gusto mobile app.
Our official Gusto email addresses end in “@gusto.com”. Watch out for fake email addresses, like @qusto.com, @gust0.com, or @gusto.net.
Our official Gusto website URLs end in “.gusto.com/”. They also include a lock icon next to the URL, meaning your connection to the website is encrypted. Watch out for fake website URLs, like qusto.com, gust0.com, gusto.net, gusto.com.payroll, and other websites that don’t include a lock icon. Sometimes fake websites can show up in Google search results.
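The address and URL checks described above can also be applied mechanically, for example in a mail filter or link checker. The following Python is an added example, not Gusto's code; the function names and the `someone@...` sample addresses are constructed for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "gusto.com"  # the domain the article names as official


def host_is_official(host: str) -> bool:
    """True only for gusto.com itself or a genuine subdomain of it."""
    host = host.strip().rstrip(".").lower()
    try:
        # Non-ASCII lookalike letters turn into xn-- labels and stop matching.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)


def url_is_official(url: str) -> bool:
    """Judge a link by scheme and hostname only, never by path or user@ prefix."""
    try:
        parts = urlsplit(url if "://" in url else "https://" + url)
        host = parts.hostname or ""
    except ValueError:
        return False
    # https is what produces the lock icon; the hostname decides whose site it is.
    return parts.scheme == "https" and host_is_official(host)


def sender_is_official(header_from: str) -> bool:
    """Official mail ends in @gusto.com: compare the real address, not the display name."""
    _, address = parseaddr(header_from)
    _, at, domain = address.rpartition("@")
    return bool(at) and domain.rstrip(".").lower() == OFFICIAL_DOMAIN


# Constructed samples: the article's lookalikes plus the one real sign-in URL.
SAMPLE_URLS = ["https://app.gusto.com/login", "https://qusto.com/login",
               "https://gust0.com/login", "https://gusto.net/login",
               "https://gusto.com.payroll/login", "http://app.gusto.com/login"]
SAMPLE_SENDERS = ["Payroll <someone@gusto.com>", "someone@qusto.com",
                  "someone@gust0.com", "someone@gusto.net"]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{'ok     ' if url_is_official(url) else 'REJECT '}{url}")
    for sender in SAMPLE_SENDERS:
        print(f"{'ok     ' if sender_is_official(sender) else 'REJECT '}{sender}")
```

A matching sender domain only passes the visual check. It does not prove who sent the message, because the From line can be forged.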
Never give someone sensitive information via email, even if it’s a real email address.
If you think an email is suspicious, call the owner of the address or talk to them in person to confirm they sent it.
Never update employee information in Gusto if it’s requested via email. If employees want to update information, they can sign in to their Gusto account and do it on their own.
Sometimes Gusto sends a push notification asking you to approve a sensitive action. If you did not start that action, tap "No, this wasn't me" to block it. The change will not go through.
Gusto will then offer you the option to change your password right away. We strongly recommend doing so. Changing your password signs you out of every active session and stops anyone using your account from doing more harm.
Learn more in Approving secure changes with biometric authentication.
Our Gusto websites are secure, meaning your connection is encrypted (look for the lock icon next to the URL).
We offer 2-step verification for an added layer of security.
For eligible employees using the Gusto mobile app, Gusto uses biometric approval (Face ID, Touch ID, or Android device biometrics) to confirm high-risk actions like changing direct deposit. SMS verification is available as a backup.
We send you notifications anytime there’s an unusual sign-in or changes have been made to your account.
We’ll never ask for sensitive information, like personal details or bank accounts, via email.
If you think your Gusto account has been compromised, email [email protected] immediately so our Assurance team can help.
If you think you’ve been a victim of an internet crime, you can file a complaint with the FBI.