Most payroll leaks are invisible. No one steals from the register. There is no dramatic fraud case. Time just quietly gets paid for work that never happened.

Buddy punching is one of the most common versions of this. It sounds harmless, almost friendly. A coworker clocks you in because you are running ten minutes late. But at scale, across a team or a year, those ten minutes turn into a number most finance leaders would not sign off on if they saw it on a line item.

By one widely cited estimate from the American Payroll Association, buddy punching costs US businesses around $373 million a year. Broader time theft, of which buddy punching is one part, is estimated to cost US businesses somewhere between $450 and $550 billion annually.

This piece explains what buddy punching actually is, why traditional time clocks keep missing it, and how to prevent it without turning your workplace into a surveillance operation. That last part matters more than most vendors admit.


What is buddy punching?

Buddy punching is when one employee clocks in or out on behalf of another who is not there. The "buddy" punches the clock, enters the PIN, swipes the badge, or logs the hours, and the absent employee gets paid for time they did not work.

It shows up in a few common forms:

  • A coworker clocks in a friend who is late or absent.
  • An employee logs hours for a shift they left early.
  • On remote teams, someone logs time on a project while doing something else entirely, or leaves a tracker running with no real work happening.

The last form is the modern, desk-based version of the same problem. The mechanism is different, but the result is identical: paid time that does not match real work.

It is worth being clear about intent. Most buddy punching is not organized fraud. It usually starts as a small favor between coworkers. That is exactly why it spreads: it does not feel like theft to the people doing it.


How common is it, and what does it cost?

The numbers are larger than most managers expect. (All figures below are compiled from industry sources; verify primary sources before citing.)

  • Around 19% of employees admit to buddy punching for a coworker.
  • Roughly 75% of businesses lose money to buddy punching and other time theft.
  • Time theft costs an estimated 2% to 8% of gross payroll, depending on the industry.
  • 46% of small and mid-sized businesses say they caught at least one instance of time theft or a falsified timesheet in the past 12 months.
  • Buddy punching alone is estimated at around $373 million a year in the US (American Payroll Association).

The pattern behind those numbers is the important part. Buddy punching is rarely a few bad actors. It is a small amount of leakage spread across many otherwise good employees. That is what makes it expensive, and that is what makes "catch the culprit" the wrong strategy.


Why traditional time clocks miss it

A standard time clock answers one question: did a credential get entered at this time? It does not answer the question that actually matters: did this person do this work?

PINs get shared. Badges get handed over. Passwords get passed around. Any system that trusts a credential instead of verifying real activity is easy to work around, and employees figure that out quickly.

Biometric clocks (fingerprint or facial recognition) close the physical version of this gap well, and for shift and hourly workforces they are highly effective. But they only work where people physically clock in at a device. They do nothing for remote and hybrid knowledge teams, where the question is not "is this the right finger" but "were these logged hours actually spent working."

For most modern teams, the honest answer is that presence is not the same as contribution. Verifying the first without the second is how buddy punching survives.


How to prevent buddy punching (without destroying trust)

The instinct is to reach for harder enforcement. Sometimes that helps. But the most durable fix is a system, not a single lock. Here is the order that actually works.

1. Set a clear, written policy first

Most employees do not know buddy punching is technically time fraud, or that it can be grounds for termination. A short, explicit policy removes the "it is just a favor" excuse and makes expectations fair. Enforcement without a clear policy feels like a trap. Enforcement with one feels reasonable.

2. Verify activity, not just credentials

The real upgrade is moving from "a credential was entered" to "real work happened during this time." For desk and remote teams, that means tying logged hours to actual application and work activity, so a running timer with no work behind it is visible. This is the modern equivalent of the biometric clock: it verifies the work, not the badge.

3. Make the data visible to the employee first

This is the step most tools skip, and it is the one that changes behavior without eroding trust. When employees can see their own tracked time and activity before any manager reviews it, two things happen. Logging accuracy improves on its own, and the whole system reads as fairness rather than surveillance. People correct their own records when they own them.

4. Run regular timekeeping audits

Companies that run annual timekeeping audits report meaningfully fewer compliance problems. A light, predictable audit rhythm catches patterns early and signals that hours are actually reviewed, which is often enough to end casual buddy punching on its own.

5. Prefer transparency over covert monitoring

Covert surveillance catches a few people and quietly damages everyone else's trust. Transparent verification, where the team knows what is tracked and why, catches the same problems and keeps engagement intact. In 2026, with employee monitoring under more scrutiny than ever, the transparent path is also the safer one legally and culturally.


The Worktivity approach

Worktivity is not a fingerprint clock for a factory floor. It is built for remote and hybrid teams, where buddy punching looks less like a badge swap and more like logged hours that do not match real work.

The approach is deliberately transparency-first:

  • Automatic time tracking ties logged time to actual application and website activity, so hours reflect real work rather than a timer left running.
  • Privacy-first, blurred screenshots provide verification without exposing the content of someone's screen.
  • Employees see their own activity and time data first, which turns the whole thing into visibility rather than surveillance and drives self-correction.
  • Productivity analytics surface patterns (idle time, mismatches) at the team level, so managers act on patterns instead of policing individuals.

The philosophy underneath it is simple: the goal is not to catch people, it is to make honest time the default. When employees can see and own their own data, buddy punching stops being worth the effort long before anyone has to enforce a policy.


FAQ

Is buddy punching illegal? Buddy punching is a form of time theft and payroll fraud. It can be grounds for termination and, depending on the amount and jurisdiction, can carry legal consequences. Most organizations treat it as a serious policy violation.

How common is buddy punching? Around 19% of employees admit to punching in for a coworker, and roughly 75% of businesses report losing money to buddy punching and other forms of time theft.

How much does buddy punching cost employers? Buddy punching is estimated to cost US businesses around $373 million a year (American Payroll Association). Broader time theft is estimated at 2% to 8% of gross payroll for affected companies.

How do you catch or prove buddy punching? The reliable way is to verify real activity, not just a clock-in. Tying logged time to actual work activity, and running regular timekeeping audits, makes mismatches visible without singling people out.

What is the best way to prevent buddy punching? A clear written policy, activity-based verification instead of credential-only clocks, employee-facing visibility into their own data, and regular audits. For physical shift work, biometric clocks are highly effective. For remote and hybrid teams, transparent activity verification is the modern equivalent.

Does preventing buddy punching mean surveilling employees? It does not have to. Transparent, privacy-first verification (where employees see their own data first and know what is tracked) prevents time theft while protecting trust. Covert surveillance tends to cost more in engagement than it saves in payroll.

Explore Worktivity Features

Discover how Worktivity can help your team increase productivity with our comprehensive features

Free Trial

Start Your 14 Day Trial

No credit card required

Get Started Free