Watch Out for New Payroll Scam: Direct Deposit Diversion

June 5, 2019

By now, employers are very familiar with the W-2 phishing scheme, where scammers spoof a company executive’s email and request all W-2 information for a company. Companies large and small have fallen for this crooked tactic, effectively handing over employee names, addresses, and Social Security numbers that the thief can then sell or use to open fraudulent accounts.

Late last year, employers started seeing a new twist on this scam. The deceptive emails now appear to come from an employee and ask to change the bank account number used for their direct deposit. If the company believes the email is legitimate, the new bank account information is entered into the payroll system. When payday arrives, the employee does not get paid, and the criminal has access to the funds, which he quickly withdraws from the account.

The steps to follow to avoid becoming a victim of this scam are similar to those recommended for thwarting the W-2 phishing scheme:

  1. Inspect the email address from which the request arrives. Many times, amateur thieves are not very good at spoofing an email address, and you can quickly spot the email as phony.
  2. Incorrect grammar within the email and very short, urgent demands that skip standard email conventions can also be red flags.
  3. Always verify by phone any request for a direct deposit change that comes in via email. Use your company directory to contact the employee, and never use any phone number given in the email itself.
  4. If you find yourself with an unhappy employee, and a happy thief, on payday, contact your bank immediately and work with them to try to recover the funds. Report the incident to authorities, correct the bank account number in the payroll system, and issue the employee their pay as soon as possible.
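
The checks in steps 1 to 3, sketched as a mail-screening heuristic (an added example, not part of the original article). The company domain, employee directory, keyword patterns and sample messages are constructed assumptions; the Reply-To check goes beyond the steps above and covers a From address that has been spoofed exactly.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                        # assumption: your mail domain
DIRECTORY = {"dana reyes": "dana.reyes@example.com"}  # constructed: name -> address
TOPIC = re.compile(r"direct deposit|bank account|routing number", re.I)
URGENT = re.compile(r"\b(urgent|asap|immediately|today|before payday)\b", re.I)

def review(raw):
    """Return the reasons to hold a message until the employee is phoned."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    if not TOPIC.search(text):
        return []  # not a direct deposit change request
    # Step 3: every emailed change request is verified by phone, whatever else we find.
    reasons = ["direct deposit change requested by email: verify by phone"]
    if domain != COMPANY_DOMAIN:  # step 1: sender address is not ours
        reasons.append(f"sender domain {domain!r} is not {COMPANY_DOMAIN!r}")
    known = DIRECTORY.get(" ".join(name.lower().split()))
    if known and known != addr:   # step 1: familiar name, unfamiliar address
        reasons.append("display name matches an employee but the address does not")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower().rpartition("@")[2] != domain:
        reasons.append("Reply-To points to a different domain than From")
    if URGENT.search(text) and len(body.split()) < 40:  # step 2: short and urgent
        reasons.append("short, urgent wording")
    return reasons

# Constructed sample messages (reserved .test/.example domains).
SPOOFED = ("From: Dana Reyes <dana.reyes@example-payroll.test>\n"
           "Subject: Direct deposit update\n\n"
           "I changed banks. Need my direct deposit updated today, urgent.\n")
REPLY_TO_TRICK = ("From: Dana Reyes <dana.reyes@example.com>\n"
                  "Reply-To: d.reyes@mailbox.example\n"
                  "Subject: Bank account change\n\n"
                  "Please update my bank account for direct deposit next pay period.\n")
UNRELATED = "From: Sam Lee <sam.lee@example.com>\nSubject: Lunch\n\nFriday at noon?\n"

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("reply-to", REPLY_TO_TRICK)]:
        print(label, *review(raw), sep="\n  ")
```

A message from the correct address still returns the phone-verification reason, because a matching sender address alone does not prove the request is genuine.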

Note that another method is also being used to divert funds. The bad guys are uncovering login credentials for payroll administrators or employees and updating the direct deposit information themselves. This can happen via malicious links an employee clicks or through lax password practices. Adopting two-factor authentication for access to the payroll system and employee self-service, and conducting regular employee data security training, can reduce this risk.
