Chapter 5 of 12

Payroll Diversion Scams

    Payroll diversion attacks target HR and payroll departments with fraudulent requests to change an employee's direct deposit information. Attempts have increased 815%, and a successful diversion redirects the employee's paycheck to a criminal-controlled account before anyone notices.

    The Scale of the Problem

    2024 Statistics:

    • 815% increase in payroll diversion attempts
    • Proofpoint blocked 35,000 scam attempts in 2024
    • $15M+ stolen through successful diversions
    • HR and payroll departments are the primary targets
    • Average detection time: 2-3 pay periods
    • Employee impersonation via compromised or spoofed email

    How Payroll Diversion Works

    Typical attack:

    1. Scammer researches company employees (LinkedIn, company website)
    2. Sends email to HR/payroll impersonating employee
    3. Requests direct deposit change with new bank routing/account
    4. May include forged authorization documents
    5. HR updates payroll system
    6. Next paycheck(s) go to scammer's account
    7. Employee discovers when paycheck doesn't arrive
    8. By then, scammer has withdrawn funds

    Why it works:

    • HR processes many legitimate change requests
    • Requests seem routine, not suspicious
    • Employees may change banks legitimately
    • Scammers spoof employee email addresses
    • HR wants to be helpful to employees

    Red Flags

    🚩 Request via personal email instead of company email
    🚩 Urgent requests ("need it by this Friday's payroll")
    🚩 New employee requesting a change immediately after hire
    🚩 Email tone doesn't match the employee's typical style
    🚩 Unusual timing (right before holidays, large bonus periods)
    🚩 Requests to keep the change confidential
    🚩 Bank account in a different state or country than the employee

    Verification Procedures

    Mandatory for ALL payroll changes:

    1. In-person verification:
      • Employee must appear in person with photo ID
      • Or video call for remote employees (verify the face matches the ID)
      • At minimum, a phone call to the employee's known number

    2. Separate channel confirmation:
      • Don't reply to the email request
      • Call the employee's known phone number
      • Use the internal company chat/system
      • Verify through the manager if the employee is unavailable

    3. Documentation requirements:
      • Voided check from the new account
      • Bank letter confirming account ownership
      • Signed authorization form (in person or notarized)
      • Copy of photo ID

    4. Waiting period:
      • Impose a 1-2 pay period delay before changes take effect
      • Send only a partial amount as the first payment to the new account
      • Confirm receipt before sending the full amount

    5. Notification system:
      • Email/text confirmation to the employee's known contact details
      • Notify the employee when the change is processed
      • Alert the employee if a change request is rejected

    Protection Strategies

    HR/Payroll procedures:

    • Never accept email-only requests
    • Require in-person or video verification
    • Implement waiting periods
    • Use secure portals for submissions
    • Train staff on social engineering

    Technical controls:

    • Warnings on email that fails sender authentication
    • Secure employee self-service portals
    • MFA for payroll system access
    • Audit logs of all changes
    • Alerts for direct deposit changes made shortly before a payroll run
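    As an added example that is not part of this chapter, the red flags listed above and the audit-log alerting under technical controls can be turned into a small triage check that HR tooling runs on each direct deposit change request. The record fields, phrase lists, thresholds and sample request are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
# Phrases drawn from the chapter's red-flag list (hypothetical; tune to your own mail).
URGENCY_TERMS = ("urgent", "asap", "this friday", "before payroll", "today")
SECRECY_TERMS = ("confidential", "don't tell", "do not tell", "between us")

@dataclass
class Employee:          # HR master record for the claimed requester (constructed fields)
    work_email: str
    hire_date: date
    country: str
@dataclass
class ChangeRequest:     # one direct-deposit change request as HR logs it (constructed fields)
    sender_email: str    # address the request actually arrived from
    body: str            # free text of the request
    received: date
    bank_country: str    # country of the new account, as stated on the form

def flag_request(req, emp, next_payroll, new_hire_days=30, payroll_window_days=3):
    """Return the chapter's red flags that apply; every change is still verified out-of-band."""
    flags, text = [], req.body.lower()
    if req.sender_email.lower() != emp.work_email.lower():
        flags.append("not_from_work_email")
    if any(t in text for t in URGENCY_TERMS):
        flags.append("urgent_language")
    if any(t in text for t in SECRECY_TERMS):
        flags.append("confidentiality_request")
    if (req.received - emp.hire_date).days <= new_hire_days:
        flags.append("new_hire")
    if req.bank_country.upper() != emp.country.upper():
        flags.append("bank_country_mismatch")
    if 0 <= (next_payroll - req.received).days <= payroll_window_days:
        flags.append("close_to_payroll_run")
    return flags

def triage(flags):
    # No flags: normal verification. One flag: hold. Two or more: hold and escalate to security.
    if not flags:
        return "standard_verification"
    return "hold_and_escalate" if len(flags) >= 2 else "hold_and_verify"

# Constructed sample: personal sender address, urgent and secretive wording, two weeks after hire,
# two days before the payroll run; the bank country matches, so that flag stays off.
SAMPLE_EMPLOYEE = Employee("jane.doe@example.com", date(2025, 2, 24), "US")
SAMPLE_REQUEST = ChangeRequest("jane.doe1987@gmail.com", "Changed banks, need my direct deposit "
    "updated by this Friday's payroll. Please keep this confidential.", date(2025, 3, 10), "US")
NEXT_PAYROLL = date(2025, 3, 12)
def demo():
    flags = flag_request(SAMPLE_REQUEST, SAMPLE_EMPLOYEE, NEXT_PAYROLL)
    return flags, triage(flags)
```

    The flags are meant to be written to the change's audit record and raised as an alert when the decision is not standard_verification, so reviewers see why a request was held rather than just that it was.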

    Employee education:

    • How to properly request changes
    • Report suspicious change notifications
    • Verify paychecks arrive on time
    • Monitor bank accounts regularly

    Test transactions:

    • Send $1-10 test payment first
    • Confirm employee received it
    • Then process full paycheck

    Response to Suspected Fraud

    If fraudulent request detected:

    1. Don't process the change
    2. Contact employee immediately via known number
    3. Document the attempt
    4. Report to IT/security team
    5. Warn other HR staff
    6. File report with FBI IC3

    If fraudulent payment made:

    1. Contact the bank immediately (acting within 24 hours is critical)
    2. Request ACH reversal if possible
    3. Contact employee to explain situation
    4. Issue emergency payment to correct account
    5. File police report
    6. Report to FBI IC3
    7. Review and strengthen procedures

    Key Takeaways

    • ✅ 815% increase in payroll diversion attempts
    • ✅ In-person or video verification required for all changes
    • ✅ Never accept email-only direct deposit requests
    • ✅ Waiting periods allow detection before payment
    • ✅ Test payments verify the account before the full amount
    • ✅ Employee education helps detect unauthorized changes
    • ✅ Report immediately if fraud is suspected or confirmed