Payroll diversion fraud: Preventing a direct deposit scam

Everything old is new again and security threats are no exception. Payroll diversion fraud, a type of direct deposit scam, has been around for a few years now. Unfortunately, there are signs of a resurgence, so organisations need to be prepared.

At Ceridian, we feel it’s our duty as human capital management (HCM) leaders to help keep payroll, HR, and business practitioners aware of potential threats so they can prevent them. Let’s take a closer look at how payroll diversion fraud happens, its indicators, and best practices for avoiding it.

Understanding payroll diversion fraud and how it happens

Payroll diversion fraud, which is also commonly known as direct deposit fraud, is a malicious scheme where cyber criminals try to redirect an employee's paycheck to an unauthorised bank account, typically under their control.

Like many of today’s security threats, payroll diversion fraud often starts with phishing emails. These messages are sent to employees, appearing to be sent by senior leaders or HR representatives, and contain urgent messages or threats to pressure the recipient to act quickly. They may also contain attachments or links that lead to fake websites that steal credentials.

Phishing emails have grown increasingly more sophisticated in recent years, making them harder for individuals to identify as fake. Emails might mimic the company’s branding, logo, and email format with stunning accuracy to appear valid.

Once an employee clicks on a link in a phishing email, they may be redirected to a fake website that looks like a legitimate company portal. Entering login details here gives fraudsters access.

After gaining access, the scammer changes the employee’s bank account details to divert the direct deposit funds to their account. They may also attempt to modify or delete notification settings to prevent the employee from receiving alerts about the change.

Identifying payroll diversion fraud attempts

While becoming increasingly difficult to detect, there are still two groups of telltale signs that often indicate a malicious actor is attempting payroll diversion fraud through phishing emails.

The first set of these signs is related to the nature and timing of the emails. One red flag is an employee receiving an unexpected email from HR or senior personnel asking for payroll-related changes or information. These phishing emails will also often pressure employees to act quickly or confidentially. Another common sign is if the email requests personal or financial information that HR, payroll, or management should already have.

Looking at the mechanics of an email closely can provide other clues that payroll diversion fraud is at hand. Generic greetings like “Dear employee” instead of their name, spelling and grammar mistakes, and email addresses not matching the sender’s name are all often found in phishing emails. In addition, links in these emails will redirect to unfamiliar websites that don’t look like a company’s official portal.

Preventing payroll diversion fraud

Employee education is one of the most important things organisations can do to prevent all kinds of security threats. The tips above, for example, are only as effective as how widely they are shared. Regularly train employees about the risks of phishing emails and the importance of not clicking on suspicious links. And alert employees to pay attention to payroll-related notifications and to communicate any payroll changes in person or through a secure, official channel.

Password reuse also makes businesses vulnerable to direct deposit scams. If employees use the same password across multiple platforms, and one gets compromised, it can lead to unauthorized access to other accounts. Education can help here too, along with organisational rules for password setting and changing.

But the onus for prevention doesn’t rest solely on employee habits. Organisations can modify their direct-deposit approval process. Multiple parties, including the payroll administrator, should verify and approve any request to change direct deposit information. This multi-step approval process can prevent unauthorised changes.

And multifactor authentication (MFA) is an effective way to prevent all kinds of fraud, including direct deposit scams. Ensure users verify their identity by first entering their username and password and then entering a time-based one-time code they receive by text message or phone call. This provides an extra layer of security for user logins.

In addition, businesses should set up internal alerts for any changes in bank account details. Make sure payroll system end users are trained to monitor for changes to direct deposit information.

As fraudsters become more sophisticated – and history tells us they will – preventing payroll diversion fraud and other scams targeting the workforce will require the efforts of employees and employers alike. Even if fraud has never haunted an organisation, now is a great time to make best practice preventative measures routine and to stay informed about returning and emerging threats.