Payroll diversion scams

Payroll diversion attacks target HR and payroll departments with fraudulent requests to change employee direct deposit information. With an 815% increase in attempts, these attacks redirect employee paychecks to criminal accounts before detection.

The Scale of the Problem

2024 Statistics:

815% increase in payroll diversion attempts
Proofpoint blocked 35,000 scam attempts in 2024
$15M+ stolen through successful diversions
HR/Payroll departments primary targets
Average detection time: 2-3 pay periods
Employee impersonation via compromised or spoofed email

How Payroll Diversion Works

Typical attack:

Scammer researches company employees (LinkedIn, company website)
Sends email to HR/payroll impersonating employee
Requests direct deposit change with new bank routing/account
May include forged authorization documents
HR updates payroll system
Next paycheck(s) go to scammer’s account
Employee discovers when paycheck doesn’t arrive
By then, scammer has withdrawn funds

Why it works:

HR processes many legitimate change requests
Requests seem routine, not suspicious
Employees may change banks legitimately
Scammers spoof employee email addresses
HR wants to be helpful to employees

Red Flags

🚩 Request via personal email instead of company email 🚩 Urgent requests “need it by this Friday’s payroll” 🚩 New employee requesting change immediately after hire 🚩 Email tone doesn’t match employee’s typical style 🚩 Unusual timing (right before holidays, large bonus periods) 🚩 Requests to keep change confidential 🚩 Bank account in different state or country than employee

Verification Procedures

Mandatory for ALL payroll changes:

In-person verification:
- Employee must appear in person with photo ID
- Or video call for remote employees (verify face matches ID)
- Phone call verification minimum (known number)
Separate channel confirmation:
- Don’t reply to email request
- Call employee’s known phone number
- Use internal company chat/system
- Verify through manager if employee unavailable
Documentation requirements:
- Voided check from new account
- Bank letter confirming account ownership
- Signed authorization form (in person or notarized)
- Copy of photo ID
Waiting period:
- Implement 1-2 pay period delay for changes
- First payment to new account partial amount only
- Confirm receipt before full amount
Notification system:
- Email/text confirmation to employee’s known contact
- Notify employee when change processed
- Alert if change request rejected

Protection Strategies

HR/Payroll procedures:

Never accept email-only requests
Require in-person or video verification
Implement waiting periods
Use secure portals for submissions
Train staff on social engineering

Technical controls:

Email authentication warnings
Secure employee self-service portals
MFA for payroll system access
Audit logs of all changes
Alerts for changes before payroll run

Employee education:

How to properly request changes
Report suspicious change notifications
Verify paychecks arrive on time
Monitor bank accounts regularly

Test transactions:

Send $1-10 test payment first
Confirm employee received it
Then process full paycheck

Response to Suspected Fraud

If fraudulent request detected:

Don’t process the change
Contact employee immediately via known number
Document the attempt
Report to IT/security team
Warn other HR staff
File report with FBI IC3

If fraudulent payment made:

Contact bank immediately (within 24 hours critical)
Request ACH reversal if possible
Contact employee to explain situation
Issue emergency payment to correct account
File police report
Report to FBI IC3
Review and strengthen procedures

Key Takeaways

✅ 815% increase in payroll diversion attempts
✅ In-person or video verification required for all changes
✅ Never accept email-only direct deposit requests
✅ Waiting periods allow detection before payment
✅ Test payments verify account before full amount
✅ Employee education helps detect unauthorized changes
✅ Report immediately if fraud suspected or confirmed