Payroll Industry Fraud: What You Can Do to Prevent It

By John Israel, Principal, PROXUS

It seems innocent enough. An employee emails the HR Manager within her company and informs them that she would like to change her direct deposit account. Included within the email is a voided check, complete with the employee’s full name and home address. The HR Manager responds by emailing the employee the company’s Direct Deposit Form, which the employee completes and returns, and the paycheck is now directed to a new account.

Except that the employee isn’t actually an employee but rather a cybercriminal, who is now receiving the employee’s pay directly into an account that they control. The employee most likely won’t notice the change until she notices that her bank account shows no direct deposit on the pay date. By that time, the damage has already been done, and the money is gone.

Sound implausible? It’s not.

Payroll-related scams are on the rise. In 2017, the FBI and the Internet Crime Complaint Center identified 17 payroll-related scam cases. By July of 2018, that number had increased to 47, with losses totaling $1 million.

In particular, the payroll industry has seen an increase in the following:

Payroll Diversion Scams

Cybercriminals typically target employees through a phishing email that appears to be coming from someone within the organization or from someone they know (a vendor). These emails often contain links, downloads or surveys that, once activated, enable the cybercriminal to track keystrokes and obtain an employee’s login credentials or other Personally Identifiable Information (PII).  Once obtained, the cybercriminal uses those credentials in an attempt to access the employee’s payroll account and reroute their direct deposits into a new account.

Recently, however, cybercriminals have been developing more elaborate and targeted schemes. They may make an indistinguishable change to an email address, such as changing an “i” to an “l” or “m” to an “rn,” and then send the payroll person an email containing a modified but authentic looking voided check asking for a bank change or to change a bank account to a paycard. Similarly, cybercriminals are calling employee hot lines ready with Employee IDs and the last four digits of social security numbers, in an attempt to change a login password.

The W-2 Scheme

A cybercriminal will pose as the CEO or other top executive and request via email to the HR or Payroll professional a copy of the employees’ W-2 files via PDF format.   Unaware this email is from a fraudulent person, the HR or Payroll professional fulfills the request and employee PII ends up in the wrong hands.  This information is then used to file fake tax returns to generate fraudulent tax refunds.

What You Can Do

While being aware that fraud exists is an important first line of defense, it simply is not enough. To prevent instances such as the above from occurring to your business and employees, follow these critical steps now and communicate them with your employees:

  1. Instruct employees to refrain from supplying log-in credentials or Personally Identifiable Information, including social security numbers, bank accounts, passwords, security answers, etc. in response to any personal or business email or phone call without verifying who they are communicating with.
  2. Instruct employees to hover their cursor over hyperlinks included in emails they receive to view the actual URL. Ensure the URL is actually related to or associated with the company it purports to be from.  If unsure, the employee should CALL the sender to ensure it is a legitimate request.  Do not verify through email.
  3. Apply heightened scrutiny to requests made via email by employees seeking to update or change direct deposit credentials. Verify all changes by a phone call to the sender – do not verify via email.
  4. Monitor employee logins that occur outside normal business hours.
  5. Restrict access to the Internet on systems handling sensitive information or make sure your payroll/HCM provider uses Two-Factor Authentication for access to sensitive systems and information.
  6. Instruct employees not to open any suspicious email or respond to instruction to download files they are not expecting before verifying with the sender via phone call.

What to Do if Fraud Occurs

The FBI encourages victims to report suspicious or criminal activity to their local FBI office, and file a complaint with the Internet Crime Complaint Center at


Tags: PROXUS, Payroll, Human Resources