Payroll Diversion: The BEC Scam That Targets HR Teams

Lisa Brennan··7 min read
An HR professional reviewing payroll documents at a desk

It's payday, and an employee notices their salary never arrived. After a frantic call to HR, the truth emerges: two weeks earlier, someone updated the employee's direct-deposit details in the payroll portal, and the paycheck landed in a stranger's prepaid card account. No one in HR did anything that looked wrong at the time. They simply processed a routine banking-change request that looked exactly like every other one.

This is payroll diversion, a quiet but costly variant of business email compromise (BEC). Instead of chasing a big wire transfer, attackers redirect the steady stream of employee paychecks - and HR and payroll teams are the gatekeepers they're trying to fool.

It rarely makes headlines the way a multimillion-dollar wire fraud does, but it's relentless, easy to repeat, and devastating to the individual employee who loses a month's salary. For the organization, it's both a financial loss and a painful trust problem: staff expect their employer to protect their pay. Understanding how the scheme works is the first step to closing the gap it exploits.

How Payroll Diversion Works

Unlike the headline-grabbing wire-fraud version of BEC, payroll diversion targets the recurring, predictable flow of salaries - which is exactly what makes it so repeatable. The scam typically runs one of two ways, and often both:

  • Credential phishing. Attackers send employees a convincing email - a fake "your HR portal password is expiring" or "review your benefits" message - to harvest their self-service portal login. With those credentials, the attacker logs in and changes the employee's bank details directly. The FBI's Internet Crime Complaint Center (IC3) has documented this pattern in detail.
  • HR impersonation. Attackers email the HR or payroll department posing as an employee, writing something like "I've switched banks - please update my direct deposit before the next run." The request reads as ordinary, and a helpful team member makes the change.

Once the bank details are swapped, attackers often add a forwarding or deletion rule to the compromised mailbox so the victim never sees the confirmation alerts. The IC3 reported that losses tied to payroll-diversion BEC complaints climbed sharply, with education, healthcare, and transportation among the hardest-hit sectors.

Payroll diversion succeeds because changing your bank details is a normal, expected request. The attacker isn't breaking a process - they're riding one that runs smoothly every pay cycle.

Why HR and Payroll Are Prime Targets

Finance teams have grown wary of suspicious wire requests, but payroll changes often fly under the radar. A direct-deposit update is low-drama and routine, so it rarely gets the scrutiny a large invoice would. Self-service HR portals add another doorway: a single phished employee login is enough to reroute that person's pay, and a compromised HR account can affect many.

There's also a timing advantage for the attacker. Direct-deposit changes are typically made well ahead of a pay run and then forgotten, so the fraudulent edit sits quietly until payday - giving the criminal a comfortable window to prepare the receiving account and cash out the moment funds land. And because payroll touches deeply personal data, employees and HR alike tend to handle these requests with a helpful, accommodating mindset rather than a suspicious one, which is exactly the posture social engineers rely on.

The amounts per incident are modest compared with a wire-fraud BEC, which is precisely why the scheme persists. It's low-friction, repeatable, and easy to miss until payday.

What a Real Attack Looks Like

Walk through a typical case and the gaps become obvious. It starts weeks before payday with a phishing email blasted to staff - "Action required: your payroll portal session has expired, sign in to confirm your details." The link leads to a pixel-perfect clone of the company's HR portal. A handful of employees enter their credentials, and the attacker now has working logins.

The attacker signs into one of those accounts and changes the direct-deposit details to a prepaid card or money-mule account. Crucially, they also create an inbox rule that auto-deletes or forwards any message mentioning "payroll," "direct deposit," or "bank," so the employee never sees the system's confirmation email. From the payroll team's side, nothing looks wrong - the change came from inside the authenticated portal, by the employee themselves.

The fraud surfaces only when the paycheck fails to arrive. By then the funds have usually been withdrawn or moved on, and recovery is difficult. The FBI's IC3 has documented exactly this sequence and urges victims to report incidents promptly, because speed is one of the few factors that improves the odds of clawing money back.

Every step in a payroll-diversion attack mimics legitimate activity. There is no malware alert and no obvious intrusion - just a normal-looking banking change made through a normal-looking login.

The Controls That Stop It

Payroll diversion is defeated by a simple principle: never change where money goes based solely on an inbound request. Build that into your process.

  1. Out-of-band verification for all banking changes. Confirm every direct-deposit change through an independent, known channel - a callback to the employee's number on file or an in-person check - never by replying to the request that prompted it.
  2. Notify the employee on every change. Send an automatic alert (ideally to a secondary channel) whenever bank details are updated, so a fraudulent change gets caught fast even if a portal login was stolen.
  3. Protect the self-service portal. Require MFA on payroll and HR systems, and watch for logins from unusual locations or devices.
  4. Add friction to the change window. A short hold or secondary approval before a new bank account becomes active gives time to catch fraud before the next pay run.
  5. Watch for inbox manipulation. Alert on newly created forwarding or delete rules in HR and employee mailboxes - a classic sign an account has been taken over.

Process controls only fire if people follow them under pressure. A documented verification step is worthless if a busy payroll clerk skips it because the request "looked fine," so the goal is to make verification the path of least resistance rather than an optional extra. empowsec's phishing simulation and security awareness training lets you target HR and payroll teams with the exact lures they face - portal credential phishing and impersonated banking-change requests - so verifying out-of-band becomes second nature. Employees who have already encountered a realistic payroll-change lure in a simulation are far more likely to pause and pick up the phone when the real one arrives. The teachable-moment debrief after a simulated slip turns a near-miss into lasting muscle memory, well before a real paycheck goes missing, and report-phishing tools let staff flag a suspicious banking-change request in one click so security can investigate before any funds move.

Key Takeaways

  • Payroll diversion is a BEC variant that reroutes direct-deposit paychecks via phished portal credentials or HR impersonation - a scheme the FBI/IC3 has warned about for years.
  • HR and payroll are targeted because banking-change requests look routine and escape the scrutiny applied to large wires.
  • The decisive control is out-of-band verification of every banking change, plus change alerts, portal MFA, and approval friction.
  • Watch for mailbox forwarding/deletion rules that hide fraudulent-change confirmations from the victim.

For the FBI's guidance on this and related schemes, see the FBI page on Business Email Compromise.

Share: