Use Cases

Payroll Fraud: When Direct Deposits Go Rogue

Abhishek Iyer
Posted by

Abhishek Iyer,Feb 05 2020

Payroll Fraud: When Direct Deposits Go Rogue

Ah, salary day. It feels great when you’re coasting home after a hard day at the cubicle, hitting all the green lights, basking in the knowledge that you’re getting paid today and that you’ll finally be able to order that miniature horse head online (we’re not judging). Or it should feel great, anyway, before you come home and realize that your checking account is collecting dust because a cybercriminal diverted your well-earned wages into some bank account in the Cayman Islands.

Payroll fraud is a problem.

How big of a problem is it? The FBI reported that dollar loss due to direct deposit change requests increased by 815% from 2018 to 2019, so it’s definitely more ‘hurricane in the Atlantic’ than ‘storm in a teacup’. In this blog, we’ll define payroll fraud, go through the standard attack process, and discuss why organizations continue to fall for this scam.

What is payroll fraud?

The definition of payroll fraud differs based on the person you ask. There’s deliberate worker misclassification by employers looking to skirt the law, pay rate alteration by malicious insiders, ‘ghost’ employee profiles, and more. Keeping a cybersecurity focus, we’ll be looking at payroll diversion fraud today.

Payroll diversion fraud is when the attacker sends an email to an organization’s payroll, HR, or finance department. This email is designed to look like it came from a legitimate employee, claiming that their direct deposit information has been updated. The email provides new bank account and routing numbers for an account that’s actually controlled by the attacker. Once the funds hit the account, they’re quickly disseminated to multiple other accounts controlled by the attacker, eliminating traceability and preventing fund recalls if and when the fraud is caught.


Why is payroll fraud successful?

Since we know what payroll fraud is, why do employees keep falling for it even after endless bouts of awareness training exercises? There are a few reasons for this:

1. Workflows and human nature

Payroll fraud, as with most other attacks classified under Business Email Compromise, sits at the intersection of business workflows and human nature to exploit gaps on both sides of this divide.

Let’s talk about business workflows first. In a well-intentioned search for productivity, organizations are implementing standardized processes fueled by automation to take care of anything that doesn’t merit step-by-step human involvement. As long as a human gives the go-ahead, machine-driven workflows can take care of the rest. In the case of payroll changes, once an employee on the finance/HR team enters a change in direct deposit information into some portal, the rest of the legwork is rightfully taken off their hands. These workflows are undoubtedly a good thing, but they also enable a few fraudulent payroll changes to enter the slipstream of thousands of legitimate payroll processes.

Enter stage right, human nature. As human beings, our average day is spent processing millions of things in parallel, whether it’s catching up on weekend emails, leading multi-team meetings, or picking up kids from school. Our brains are intrinsically inclined to make decisions with ‘just enough’ information whenever possible so that synapses can fire away without fatigue for the more complicated stuff.

This means we tend to perform repetitive actions - like confirming someone’s change in direct deposit information - as quickly as possible. This also means we’re prone to performing actions quickly when driven by authority, urgency, or fear.

Payroll fraud emails exploit human nature by impersonating employees ‘just enough’ that it passes our eye tests. They also induce a sense of urgency, both because of their inherent financial nature and by including time-bound language in the email. Once a human gives their okay, context-free workflows process the direct deposit changes. Things are fast and no one needs to think too much, which is what the attackers bank on.

2. Malice in the fine print

Focusing on the attack itself, it’s worth noting that payroll frauds regularly slip past legacy defenses such as secure email gateways and anti-spam filters. This is because:

  • They don’t have malicious payloads or attachments: Current security solutions are well-trained to look for URLs or attachments that contain malware. Payroll frauds accomplish their mission without needing any malware.
  • They are targeted: Payroll fraud attacks are not like the mass-produced phishing emails of old, scatter-gunned at thousands of targets with scant care for where it sticks and where it twists. These are targeted attacks where the criminals often research their victims, include personal details in the email gathered from secondary research, and sometimes even time the emails when the target employee is on vacation, giving the fraudster more time to make a clean getaway.
  • They can’t be detected by any one ‘signal’: Simple pattern-matching or metadata based detection can’t catch payroll fraud attempts. These attacks involve elements of identity spoofing, behavioral anomalies, and linguistic prodding that can only be analyzed if security controls look at the actual content and context behind the communication.

Payroll fraud in action

Let’s look at an example of payroll fraud and pinpoint some questions that security technologies should ask to flag these types of attacks.


  • The email title is descriptive enough to put the recipient at ease, making them think, ‘Oh, this is Rupert Eddings requesting a DD change, business as usual’. Couple that with the domain of the sender, however, and things get suspicious. Why is Rupert sending this email from a gmail domain? Do we know if that’s his personal email address? How often has he communicated through that email address for work purposes before?
  • The language of the email doesn’t have any clear indicator of compromise, but there is an element of urgency - please make the change effective immediately. The email is being sent on the 30th of Jan, which means the person is trying their best to get the payment scheduled for the 31st to go to the new bank account.
  • Another factor to take into account is the writing style of the email. Is this how Rupert usually writes his emails? Does he greet and sign off this way? There’s no way to know this without an established baseline of writing styles, and this level of scrutiny certainly can’t be expected from payroll employees who have to look at hundreds of emails like this every day. But the security technologies of today have the breadth and depth of detection to perform this analysis.

This may well turn out to be a legitimate DD change request, but that’s the point of these attacks. Looking at the signals above - along with traditional email tests such as DMARC, SPF, and DKIM - should raise enough red flags for the security team to at least have a second look at this email and ascertain whether it’s an attack or whether Rupert is just being careless by mailing from his personal account.

We hope you found this overview of payroll fraud useful and not too sobering. If you’re interested to learn how Armorblox uses natural language understanding, deep learning, and statistical techniques to detect targeted payroll fraud attempts, schedule a demo today!

For more educational resources about email security, subscribe to email updates from Armorblox.

Subscribe to Email Updates