Payroll Diversion Scams: How to Protect Your Paycheck
Payroll diversion scams occur when fraudsters gain unauthorized access to a company's payroll system or employee banking information to redirect wages before they reach legitimate employee accounts. The scammer typically impersonates an employee, HR personnel, or a trusted vendor, requesting changes to direct deposit information or wire transfer details. According to the FBI's Internet Crime Complaint Center, payroll fraud losses exceed $2 billion annually in the United States, with individual incidents averaging $5,000 to $10,000 per affected employee. These scams operate with remarkable speed—victims often lose access to their paychecks within 24 to 48 hours of the initial compromise, making rapid detection critical. The scheme is particularly dangerous because it directly targets the funds employees depend on for immediate living expenses, and recovery can take weeks or months even after discovery.
Common Tactics
- Scammers send official-looking emails impersonating HR or payroll departments requesting immediate direct deposit updates due to claimed system issues, bank changes, or payroll processor migrations.
- Attackers use phishing campaigns to steal login credentials for payroll portals, then log in directly during off-hours to change banking details without detection.
- Fraudsters conduct business email compromise (BEC) attacks, compromising actual company email accounts to send seemingly authentic payroll change requests with proper branding and tone.
- Scammers request changes through phone calls impersonating IT support or payroll staff, citing security updates or account verification procedures to pressure quick action.
- Attackers create fake payroll processor websites mimicking legitimate platforms, directing employees to log in and 'verify' their information, capturing credentials for system access.
- Scammers use data breaches to obtain employee lists and banking information, then coordinate mass payroll changes across multiple employees simultaneously to overwhelm detection systems.
How to Identify
- You receive an unexpected email or call requesting your direct deposit information or asking you to update banking details immediately due to an urgent situation.
- The communication creates unusual urgency or claims a deadline (same-day processing, system shutdown, security alert) pressuring you to act without verification.
- Your paycheck doesn't arrive on the expected date, and you haven't received advance notice from your employer about any banking changes or delays.
- HR or payroll communications contain subtle quality issues like grammar mistakes, slightly different email addresses (@companyname.co instead of @companyname.com), or unusual formatting.
- You notice your direct deposit information has changed in your employee portal or banking app, but you never submitted a request for modification.
- Multiple colleagues mention missing paychecks or unexpected deposit location changes in a compressed timeframe, suggesting a coordinated attack rather than isolated error.
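The "slightly different email address" sign above can be checked mechanically at a mail gateway or in a triage script. This is an added example, not part of the original article; the function names, the edit-distance threshold of 2 and the sample addresses are assumptions, and `companyname.com` is the article's own placeholder domain.

```python
def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(address, trusted_domain, max_typo_distance=2):
    """Compare a sender's domain with the employer's real mail domain.

    Returns "trusted", "lookalike_tld", "lookalike_typo" or "external".
    Assumption: single-label TLDs only; multi-label suffixes such as
    .co.uk would need a public-suffix list.
    """
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    trusted = trusted_domain.strip().lower()
    if domain == trusted:
        return "trusted"

    # Same registered name, different TLD (companyname.co vs companyname.com).
    name, _, tld = domain.rpartition(".")
    t_name, _, t_tld = trusted.rpartition(".")
    if name and name == t_name and tld != t_tld:
        return "lookalike_tld"

    # A few characters off the real domain (rn for m, dropped letter, etc.).
    if edit_distance(domain, trusted) <= max_typo_distance:
        return "lookalike_typo"
    return "external"


if __name__ == "__main__":
    # Constructed sample senders.
    for sender in ("hr@companyname.com", "payroll@companyname.co",
                   "hr@cornpanyname.com", "news@example.org"):
        print(sender, "->", classify_sender(sender, "companyname.com"))
```

A "trusted" result only means the domain string is the real one; a request sent from a compromised company mailbox, as in the BEC tactic above, passes this check, so verification with HR by phone still applies.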
How to Protect Yourself
- Never click links or download attachments from unsolicited payroll-related emails. Instead, go directly to your company's official payroll portal using a bookmarked URL or contact HR through verified phone numbers.
- Enable multi-factor authentication (MFA) on all payroll systems, banking portals, and email accounts, requiring additional verification beyond passwords for account access.
- Set up banking alerts for direct deposit changes or transfers. Most banks allow notifications when account information is modified, providing early warning of compromise.
- Verify any direct deposit change requests directly with your HR department using established phone numbers from your employee handbook—never use contact information from the email requesting changes.
- Monitor your bank account regularly (weekly or bi-weekly) and immediately report discrepancies to your bank and employer within 24 hours if you spot unauthorized changes.
- Ask your employer about their payroll security protocols, including whether they use vendor verification procedures, implement payroll change approval workflows, and require employee identity verification for modifications.
Real-World Examples
A marketing employee received an email appearing to come from the company's payroll processor (with nearly identical branding) stating that the company had switched banks and that direct deposit information needed to be updated immediately. The employee clicked the provided link, entered her credentials, and later discovered those credentials had been used to change her direct deposit to a fraudulent account. Her employer didn't process payroll to the legitimate account that week, and she missed her mortgage payment. The fraud was discovered when she called payroll on payday wondering why she hadn't received her $3,200 bi-weekly paycheck.
An IT contractor at a financial services firm received a phone call from someone claiming to be from the company's IT security team, explaining they needed to verify banking information due to a security audit. The caller used company terminology and referenced real security procedures, building trust. After the contractor provided new 'temporary' banking details for security verification purposes, funds from his next paycheck ($4,800) were diverted. The scammer had actually compromised an employee's email account and was gathering banking data for multiple targeted employees.
A 28-person company experienced a coordinated payroll diversion attack affecting all employees simultaneously. Attackers used credentials stolen in an earlier data breach to access the payroll portal and changed every employee's direct deposit information at midnight on payday. The fraud wasn't discovered until multiple employees contacted HR on payday afternoon. Collectively, approximately $142,000 was diverted across all employees. Recovery took 6 weeks, and the company had to provide emergency paycheck advances to affected staff.
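The off-hours logins and simultaneous mass changes described in the tactics and in the last example leave a pattern in a payroll system's change log that an employer can alert on. This is an added example, not part of the original article; the event format, business-hours window and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values (not from the article); tune to your organisation.
BUSINESS_HOURS = range(8, 18)          # 08:00-17:59 local time, Mon-Fri
BURST_WINDOW = timedelta(minutes=30)   # look-back window for mass changes
BURST_EMPLOYEES = 3                    # distinct employees changed in one window

# Constructed sample audit events: (timestamp, employee whose deposit changed)
SAMPLE_EVENTS = [
    ("2024-03-14 10:12:00", "e1001"),
    ("2024-03-15 00:01:10", "e1002"),
    ("2024-03-15 00:02:45", "e1003"),
    ("2024-03-15 00:04:30", "e1004"),
    ("2024-03-15 14:40:00", "e1005"),
]


def flag_deposit_changes(events):
    """Return {employee_id: sorted reasons} for changes that need manual review."""
    parsed = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), emp) for ts, emp in events
    )
    flags = defaultdict(set)

    # Rule 1: change made outside business hours or on a weekend.
    for ts, emp in parsed:
        if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:
            flags[emp].add("off_hours")

    # Rule 2: sliding window; many different employees changed close together.
    start = 0
    for end in range(len(parsed)):
        while parsed[end][0] - parsed[start][0] > BURST_WINDOW:
            start += 1
        in_window = {emp for _, emp in parsed[start:end + 1]}
        if len(in_window) >= BURST_EMPLOYEES:
            for emp in in_window:
                flags[emp].add("mass_change")

    return {emp: sorted(reasons) for emp, reasons in flags.items()}


if __name__ == "__main__":
    for emp, reasons in sorted(flag_deposit_changes(SAMPLE_EVENTS).items()):
        print(emp, reasons)
```

Flagged changes are candidates for a hold and a call-back to the employee before the next payroll run, rather than proof of fraud.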