Armorblox is now part of Cisco

Articles & Thought Leadership | 9 min read

How to Spot Payroll Diversion Fraud: When Direct Deposits Go Rogue


Lauryn Cash
Lauryn Cash

Payroll diversion fraud causes financial loss to companies and employees. Learn more about payroll diversion fraud and how to protect your business.

payroll fraud illustration

Just when you think you’ve protected your business from ransomware, viruses, and vendor email compromise, yet another significant threat appears to harm your business and target employees: payroll diversion fraud.

Payroll diversion fraud is a big problem. The FBI’s Internet Crime Complaint Center (IC3)  reported that dollar loss due to direct deposit change requests increased 815% from 2018 to 2019, with adjusted losses of $1.7 billion.

In this blog, we’ll look at:

  • What is payroll diversion fraud?
  • What does payroll diversion fraud look like in action?
  • What makes payroll diversion fraud so successful?

What Is Payroll Diversion Fraud?

“Payroll fraud” encompasses many types of theft schemes, and payroll diversion fraud is one of them. There’s also deliberate worker misclassification by employers looking to skirt the law, pay rate alteration by malicious insiders, ‘ghost’ employee profiles, and more. Keeping a cybersecurity focus, we’ll look at payroll diversion fraud specifically today.

Payroll diversion fraud falls under Business Email Compromise (BEC) scams because scammers use email as their attack method of choice.

How does payroll diversion fraud work? First, scammers use social engineering tactics to build a phony email profile and steal a legitimate employee’s login credentials. Then, using the stolen credentials, the attacker emails the organization’s payroll, finance, or human resources department with a direct deposit change request.

The email provides new routing numbers and bank account information for an account controlled by the attacker. Once the funds are deposited, they’re quickly disseminated to multiple other accounts, eliminating traceability and preventing fund recalls.

To decrease the chance of discovery, the fraudsters add rules so the employee doesn’t receive any email alerts about changes to their deposit information.


What Does Payroll Diversion Fraud Look Like In Action?

Here’s an example highlighting some telltale signs that signify a payroll diversion fraud attack. Look for discrepancies in the following areas:


Email Title

The email title is descriptive enough to put the recipient at ease, making them think, “Oh, this is Rupert Eddings requesting a DD change, business as usual.” Couple that with the sender's domain, and things get suspicious.

Go deeper: Why is Rupert sending this email from a Gmail domain? Do we know if that’s his personal email address? How often has he communicated through that email address for work purposes before?


The language of the email doesn’t have any clear indicator of compromise, but there is an element of urgency: “Please make the change effective immediately.” The email is dated January 30, indicating the perpetrator is trying to get the payment into the new bank account in the January 31 pay period.

Writing Style

While this email could be a legitimate direct deposit change request, looking real is the goal of payroll diversion attacks.

Go deeper: Is this how Rupert usually writes his emails? Does he typically greet and sign off this way? There’s no way to know this without an established baseline of writing styles. However, you can’t expect this level of scrutiny from payroll employees who look at hundreds of emails daily.

Fortunately, today’s email security technologies have the detection capabilities to perform this analysis. Along with signals like communication history (how often does Rupert send emails to the payroll team from the Gmail account?), the above factors should have raised enough red flags for this company’s security team to take a closer look.

Importantly, email authentication checks like DMARC, SPF, and DKIM would not be useful analysis points in this case because the email was sent from a Gmail account that would pass all these tests.

What Makes Payroll Diversion Fraud So Successful? 

Why do employees keep falling for this scheme even after continual cybersecurity awareness training?

As with most other attacks classified under BEC, payroll diversion fraud sits at the intersection of business workflows, human nature, and security gaps, exploiting inherent flaws in each. Let’s take a closer look at these factors.

Business Workflows

To increase productivity, organizations implement automated processes to eliminate step-by-step human involvement. Machine-driven workflows can take care of the rest as long as a human gives the go-ahead.

Automation takes over once a finance or HR employee receives a direct deposit change request for processing. These workflows are highly efficient, but they also enable fraudulent payroll changes to enter the slipstream of thousands of legitimate payroll processes, almost guaranteeing their success.

Human Nature

Human beings process millions of things in parallel on an average day, like catching up on weekend emails, leading multi-team meetings, or picking up kids from school. Our brains make decisions with “just enough” information to make room to process more complicated tasks.

This means we perform repetitive actions — like confirming someone’s change in direct deposit information — as quickly as possible. We’re also prone to performing activities quickly when driven by authority, urgency, or fear.

Payroll diversion fraud emails exploit human nature by impersonating employees well enough to pass quick visual scans. They also induce urgency because of their inherent financial nature and by including time-sensitive language in the email.

Once a human gives their okay, context-free workflows process the direct deposit changes. Changes are made quickly and with little effort, which is what attackers count on.

Hacker Sophistication

Payroll diversion fraud regularly slips past legacy defenses such as secure email gateways and anti-spam filters because:

  • Fraudulent emails don’t have malicious payloads or attachments: Security technology solutions scan for URLs or attachments that contain malware. Payroll diversion schemes accomplish their mission without malicious links or attachments.
  • Fraudulent emails are targeted: Payroll diversion fraud attacks are not mass-produced phishing emails, scatter-gunned at thousands of targets. These are spear phishing attacks. Criminals often research their victims through social engineering, gathering personal information, and even emailing when the target employee is on vacation, giving the fraudster more time to avoid detection.
  • Fraudulent emails aren’t easy to detect: Simple pattern matching or metadata-based detection can’t catch payroll diversion fraud attempts. These attacks involve executive impersonation, identity spoofing, behavioral anomalies, and linguistic prodding. They can only be analyzed if security controls look at the actual content and context behind the communication.

Pro tip: Mondays and Tuesdays tend to be the most popular days of the week for payroll diversion scams, followed by the second and last weeks of the month. Be on the lookout for subject lines that include “Direct Deposit,” as they could be email fraud signals.

How to Avoid Payroll Diversion Fraud: 3 Tips

Lock Down Your Processes

Establish a step-by-step process for all requested payroll deposit changes, and ensure that your HR team is adequately trained on correct procedures. Consider using multi-factor authentication (MFA) to confirm an employee’s identity before granting change requests.

Double-Check Requests

Do not accept simple requests for payroll deposit changes, especially via phone, text, or email. Instead, require multiple approvals before proceeding, and instruct employees to review their accounts periodically for irregularities.

Use Advanced Email Security Software

Payroll diversion fraud is a concern for all businesses. However, preventing it can seem hopeless if you don’t have the proper people, processes, and technologies to combat it.

Using email security software like Armorblox could be one of the best decisions you ever make in protecting your business against payroll diversion fraud and BEC.

Armorblox uses natural language understanding, deep learning, and statistical techniques to detect targeted payroll diversion fraud attempts. Our advanced algorithms analyze thousands of signals across identity, behavior, and language to protect your human layer from compromise.

To learn more about Armorblox, take a quick product tour below.

Take a 5-minute product tour

Experience the Armorblox Difference

Get a Demo