Don’t Fall Victim to Payroll Phishing Scams

Email scammers are defrauding companies by targeting Human Resources. As a business services provider, you can help your clients protect their companies.

Let’s talk about HR and payroll scams.

The FBI classifies this type of fraud as business email compromise (BEC), also called business email spoofing (BES). According to the FBI, businesses lose over $12.5 billion to fraud every year, and payroll email phishing in particular is increasing.

How Do HR Scams Work?

Unfortunately, these schemes are easy to carry out. The fraudster creates an email account under someone else’s name. Employee names and titles are a treasure trove of information on LinkedIn, and it’s not hard to register an email address with a name nearly identical to that of an employee at the targeted company.

Indeed, they don’t need to penetrate security or hack into an email account. To make matters worse, it’s also easy for attackers to automate the creation of thousands of such accounts in a few minutes.

Types of Payroll Phishing Emails

The most common phishing emails aim to:

  • Get direct deposit information so they can re-route paychecks to a scammer-controlled bank account.
  • Obtain W-2s so the scammer can file tax returns and receive tax refunds under victims’ names.
  • Initiate a wire transfer which is routed into a scammer-controlled bank account.

The FBI says the emails rarely have the incorrect spelling or grammar common to ‘Nigerian prince’ type scams.

Here is an example email from a fraudster posing as a staff member:

To: Brittney Williams
Subject: Direct Deposit Update Request

Can you update my direct deposit? I just changed bank accounts. I would appreciate it before next payroll.

Warn employees that some of these emails purport to come from the CEO or CFO and are directed at HR personnel or accountants who have the authority to initiate wire transfers.

Protect Your Employees

Help your clients understand the importance of fraud prevention including the following:

  1. Teach employees to look closely at email addresses and compare them with the correct ones.
  2. Instruct employees never to answer an email on their mobile phone when they can only see the sender’s name without the email address.
  3. Use a system with an employee self-serve (ESS) portal so staff members can manage their own direct deposit information.
  4. Don’t publish names of HR personnel online.
  5. Update email spam filters to flag these types of emails.
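Steps 1, 2 and 5 describe checks that a mail filter can perform automatically. The following is an added example, not code from this article or from Payroll Partners: it parses the From header, compares the display name against a constructed employee directory, and flags a message when the name matches a staff member but the address does not, when an outside address closely resembles a real one, or when a payroll-related request arrives from outside the company domain. The directory, the internal domain and the keyword list are assumptions made for the example.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed employee directory for this example: display name -> real address.
EMPLOYEE_DIRECTORY = {
    "Brittney Williams": "brittney.williams@example.com",
    "Dana Lopez": "dana.lopez@example.com",
}
INTERNAL_DOMAIN = "example.com"  # assumed company domain
# Topics from the article that scammers typically ask about.
PAYROLL_KEYWORDS = ("direct deposit", "w-2", "w2", "wire transfer", "bank account")
LOOKALIKE_THRESHOLD = 0.8  # similarity above which a local part is "nearly identical"


def normalize(name: str) -> str:
    """Lower-case a person's name and drop punctuation/spaces for comparison."""
    return re.sub(r"[^a-z]", "", name.lower())


def classify_sender(from_header: str, subject: str, body: str) -> list:
    """Return the reasons (empty if none) a message should be held for HR review."""
    display_name, address = parseaddr(from_header)
    address = address.lower()
    local, _, domain = address.partition("@")
    external = domain != INTERNAL_DOMAIN
    reasons = []

    # Check 1: the visible name is an employee's, but the address behind it is not.
    # This is exactly what a phone mail client hides when it shows only the name.
    for emp_name, real_addr in EMPLOYEE_DIRECTORY.items():
        if normalize(display_name) == normalize(emp_name) and address != real_addr:
            reasons.append(f"name '{display_name}' matches an employee but address is {address}")

    # Check 2: an outside address whose local part closely resembles a real one.
    if external:
        for real_addr in EMPLOYEE_DIRECTORY.values():
            ratio = SequenceMatcher(None, local, real_addr.split("@")[0]).ratio()
            if ratio >= LOOKALIKE_THRESHOLD:
                reasons.append(f"external address {address} resembles {real_addr}")
                break

    # Check 3: a payroll topic raised from outside the company domain.
    text = f"{subject} {body}".lower()
    if external and any(keyword in text for keyword in PAYROLL_KEYWORDS):
        reasons.append("payroll-related request from outside the company domain")
    return reasons
```

A message with an empty list passes; anything else is held for a phone call to the employee using the number on file, never the contact details in the email.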


How do I Report a Scam Email?



This information is provided with the understanding that Payroll Partners is not rendering legal, human resources, or other professional advice or service. Professional advice on specific issues should be sought from a lawyer, HR consultant or other professional.