Payroll Fraud: When Direct Deposits Go Rogue

Abhishek Iyer
Written by Abhishek Iyer
News and Commentary /
Payroll Fraud: When Direct Deposits Go Rogue

Ah, salary day. It feels great when you’re coasting home after a hard day at the cubicle, hitting all the green lights, knowing that you’re getting paid today. Until you discover why Target declined your ATM card on the way home: You’ve been a victim of payroll diversion fraud.

Payroll diversion fraud is a problem.

How big of a problem is it? The FBI reported that dollar loss due to direct deposit change requests increased by 815% from 2018 to 2019, so it’s more “hurricane in the Atlantic” than “storm in a teacup.”

In this blog, we’ll learn:

  • What is payroll diversion fraud?
  • Why is payroll diversion fraud successful?
  • How do we spot payroll diversion fraud in action?

What Is Payroll Diversion Fraud?

“Payroll fraud” encompasses many types of theft schemes. There’s deliberate worker misclassification by employers looking to skirt the law, pay rate alteration by malicious insiders, ‘ghost’ employee profiles, and more. Keeping a cybersecurity focus, we’ll be looking at payroll diversion fraud specifically today.

Payroll diversion fraud happens when an attacker emails an organization’s payroll, finance, or human resources department. The email is designed to look like it came from a legitimate employee, claiming that they’ve updated their direct deposit information.

The email provides new bank routing and account numbers for an account controlled by the attacker. Once the funds are deposited, they’re quickly disseminated to multiple other accounts controlled by the attacker, eliminating traceability and preventing fund recalls.


Why Is Payroll Diversion Fraud Successful?

Why do employees keep falling for this scheme even after continual cybersecurity awareness training?

As with most other attacks classified under Business Email Compromise (BEC), payroll diversion fraud sits at the intersection of business workflows, human nature, and security gaps, exploiting inherent flaws in each one. Let’s take a closer look at these factors.

Business Workflows

To increase productivity, organizations implement automated processes to eliminate step-by-step human involvement. As long as a human gives the go-ahead, machine-driven workflows can take care of the rest.

Once a finance or HR employee receives a direct deposit change request for processing, automation takes over. These workflows are highly efficient, but they also enable fraudulent payroll changes to enter the slipstream of thousands of legitimate payroll processes, almost guaranteeing their successful implementation.

Human Nature

Human beings process millions of things in parallel on an average day, like catching up on weekend emails, leading multi-team meetings, or picking up kids from school. Our brains make decisions with “just enough” information to make room to process more complicated tasks.

This means we perform repetitive actions — like confirming someone’s change in direct deposit information — as quickly as possible. We’re also prone to performing activities quickly when driven by authority, urgency, or fear.

Payroll diversion fraud emails exploit human nature by impersonating employees just well enough to pass quick visual scans. They also induce urgency because of their inherent financial nature and by including time-sensitive language in the email. Once a human gives their okay, context-free workflows process the direct deposit changes. Changes are made quickly and with little effort, which is what the attackers count on.

Hacker Sophistication

Payroll diversion fraud regularly slips past legacy defenses such as secure email gateways and anti-spam filters because:

  • Fraudulent emails don’t have malicious payloads or attachments: This is key. Security technology solutions scan for URLs or attachments that contain malware. Payroll diversion schemes accomplish their mission without malicious links or attachments.
  • Fraudulent emails are targeted: Payroll diversion fraud attacks are not mass-produced phishing emails, scatter-gunned at thousands of targets. These are spear phishing attacks. The criminals often research their victims through social engineering, gathering personal information, and even emailing when the target employee is on vacation, giving the fraudster more time to avoid detection.
  • Fraudulent emails aren’t easy to detect: Simple pattern matching or metadata-based detection can’t catch payroll diversion fraud attempts. These attacks involve elements of executive impersonation, identity spoofing, behavioral anomalies, and linguistic prodding. They can only be analyzed if security controls look at the actual content and context behind the communication.

Pro tip: Monday and Tuesday tend to be the most popular days of the week for payroll diversion scams, followed by the second and last weeks of the month. Be on the lookout for subject lines that include “Direct Deposit” as they could be email fraud signals.

How to Spot Payroll Diversion Fraud in Action

Here’s an example that highlights some telltale signs that signify a payroll diversion fraud attack. Look for discrepancies in the following areas:


Email Title

The email title is descriptive enough to put the recipient at ease, making them think, “Oh, this is Rupert Eddings requesting a DD change, business as usual.” Couple that with the domain of the sender, however, and things get suspicious.

Why is Rupert sending this email from a Gmail domain? Do we know if that’s his personal email address? How often has he communicated through that email address for work purposes before?


The language of the email doesn’t have any clear indicator of compromise, but there is an element of urgency: “Please make the change effective immediately.” The email is dated January 30, indicating the perpetrator is trying to get the payment into the new bank account in the January 31 pay period.

Writing Style

While this email could be a legitimate direct deposit change request, looking real is the goal of payroll diversion attacks.

Is this how Rupert usually writes his emails? Does he typically greet and sign off this way? There’s no way to know this without an established baseline of writing styles, and this level of scrutiny can’t be expected from payroll employees who look at hundreds of emails every day.

Fortunately, today’s email security technologies have the detection capabilities to perform this analysis. Along with signals like communication history (how often does Rupert send emails to the payroll team from the Gmail account?), the above factors should have raised enough red flags for this company’s security team to take a closer look. Importantly, email authentication checks like DMARC, SPF, and DKIM would not be useful analysis points in this case, because the email was sent from a Gmail account and would pass all these tests (even though it’s a bad email).

Payroll diversion fraud is a concern for all businesses. Preventing it can seem hopeless if you don’t have the proper people, processes, and technologies in place to combat it. If you’re interested in learning how Armorblox uses natural language understanding, deep learning, and statistical techniques to detect targeted payroll diversion fraud attempts, schedule a demo today!

For more educational resources about email security, subscribe to email updates from Armorblox.

Subscribe to Email Updates

Read This Next