Payroll Diversion: The Latest in Cybercrimes

Your employees’ payroll accounts are being targeted by cybercriminals. Learn how to stop them.

The FBI has warned that cybercriminals are zeroing in on your employees’ payroll accounts with a new “payroll diversion” scam. As of now, the largest industry targets appear to be education, healthcare and commercial airway transportation.

How Does It Work?

Scammers create phishing emails designed to capture employee login credentials and send them to employees to lure them in. The emails are made to look legitimate and appear to come from an address that closely resembles the company’s real one. Once the cybercriminal has an employee’s credentials, they use them to access the employee’s payroll account and change the bank account information on file.

Sometimes the phishing email asks the employee to answer a brief survey and hit “confirm.” The employee is then directed to enter their credentials in an online form to confirm their identity. In other cases, hackers access employees’ email accounts, request a password change from the employer’s payroll service, and use the new login credentials.

Once the fraudster has the login information, he or she changes the employee’s direct deposit instructions, which prevents the employee from receiving alerts about direct deposit changes. The direct deposits are then rerouted to an account controlled by the cybercriminal. Oftentimes, the receiving account is a prepaid card.

Listen to episode 123, “Protect Your Organization From Mistakes, Fraud and More With Internal Controls,” on unsuitable on Rea Radio.

What Can You Do To Avoid It?

It is imperative that employers take action against this scam. The FBI suggests the following mitigations for scams such as this one:

  • Play it safe with passwords. Ensure that payroll login credentials are different from all other employee logins. Also, have smart password rules in place.
  • Review your controls. Review and update the physical, technical and personnel-related measures taken to protect employees’ sensitive information and data.
  • Heighten security. This especially applies to bank information initiated by employees seeking to update or change direct deposit credentials.
  • Keep watch. Monitor employee logins that occur outside normal business hours.
  • Restrict access.
    • Limit employee access to the Internet on systems handling important information or implement two-factor authentication for access to sensitive systems and information.
    • Only allow required processes to run on systems handling sensitive information.
  • Educate your employees.
    • Put preventative strategies in place and be ready with appropriate reactive measures if a breach occurs.
    • Suggest employees take the time to verify that their paycheck hits their bank account.
    • Instruct employees to hover their cursor over hyperlinks included in emails in order to view the actual URL. They should ensure the URL is actually related to or associated with the correct company listed in the email.
    • Advise employees to refrain from supplying login credentials or personally identifying information in response to any email.
    • Direct employees to forward suspicious requests for personal information to the IT or HR department.
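The “keep watch” and “heighten security” items above can be turned into a simple review of payroll-portal activity. The following is an added example, not code from the original post or from the FBI advisory; it assumes a hypothetical payroll audit log with one tab-separated event per line (timestamp, user, event, detail) and an assumed business-hours policy of 07:00 to 18:59.

```python
"""Flag payroll-portal activity consistent with payroll diversion.

Added example (not from the original post): reads a hypothetical
audit log of the form "ISO-timestamp<TAB>user<TAB>event<TAB>detail",
flags logins outside business hours and direct-deposit changes, and
escalates a change that follows an after-hours login by the same user
so HR or IT can confirm it with the employee out of band.
"""
from datetime import datetime, timedelta

BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 local time (assumed policy)
CORRELATION_WINDOW = timedelta(hours=24)

# Constructed sample log lines (hypothetical, not real data).
SAMPLE_LOG = """\
2019-03-04T09:12:00\talice\tLOGIN\tip=10.1.1.5
2019-03-04T23:41:00\tbob\tLOGIN\tip=203.0.113.7
2019-03-05T00:03:00\tbob\tDD_CHANGE\tacct=****1234->****9876
2019-03-05T10:20:00\tcarol\tDD_CHANGE\tacct=****5555->****2222
"""


def parse(log_text):
    """Turn the raw log into (timestamp, user, event, detail) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, event, detail = line.split("\t")
        events.append((datetime.fromisoformat(ts), user, event, detail))
    return events


def find_alerts(log_text):
    """Return (severity, user, timestamp, reason) tuples in time order."""
    alerts = []
    last_offhours_login = {}            # user -> time of most recent off-hours login
    for ts, user, event, detail in sorted(parse(log_text)):
        if event == "LOGIN" and ts.hour not in BUSINESS_HOURS:
            last_offhours_login[user] = ts
            alerts.append(("medium", user, ts, "login outside business hours"))
        elif event == "DD_CHANGE":
            prior = last_offhours_login.get(user)
            if prior is not None and ts - prior <= CORRELATION_WINDOW:
                alerts.append(("high", user, ts, "direct deposit changed after off-hours login"))
            else:
                # Every bank-detail change still gets an out-of-band confirmation.
                alerts.append(("low", user, ts, "direct deposit changed; confirm with employee"))
    return alerts


if __name__ == "__main__":
    for severity, user, ts, reason in find_alerts(SAMPLE_LOG):
        print(f"{severity:6} {ts:%Y-%m-%d %H:%M} {user:6} {reason}")
```

On the constructed sample, bob’s after-hours login followed by a direct deposit change 22 minutes later is raised as high severity, while carol’s daytime change only gets the routine confirmation.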

Report It

Victims should report scams and criminal activity to their local FBI field office and file a complaint with the Internet Crime Complaint Center. If your complaint pertains to this particular scheme, note “payroll diversion” in the body of the complaint.

By Dee Gray (New Philadelphia)

Looking for more ways to protect your company and employee data from cybercrime? Check out these resources:

Passwords: Turns Out We’ve Been Doing It Wrong This Whole Time

With Tax Season Comes Tax Scams

Summer Is Still Scam Season