
Payroll Diversion Scam: How Employee Paychecks Get Redirected

Payroll diversion scams trick companies into changing employee direct deposit details, allowing attackers to steal wages before anyone notices.

Quick takeaway
Never change direct deposit information based on email alone. Always verify identity through a trusted internal process or known contact method.

Verified by GonePhishing.com

A payroll diversion scam is a form of Business Email Compromise (BEC) where a criminal impersonates an employee and convinces a company to update direct deposit information. Once the change is made, the employee’s paycheck is sent to the attacker’s bank account instead of the real employee.

These scams often go unnoticed until the employee reports a missing paycheck. By that point, the funds may already be withdrawn or transferred, making recovery difficult.

What is a payroll diversion scam?

A payroll diversion scam is a targeted fraud attack where an attacker pretends to be an employee and requests a change to payroll or direct deposit details. The attacker typically provides new banking information and pressures HR or payroll staff to process the change quickly.

How payroll diversion scams work

Most payroll diversion scams follow a predictable pattern. The attacker gathers employee information, impersonates the employee, and submits a believable request to change payment details.

  • The attacker identifies an employee and gathers basic details (name, role, email style)
  • They send a message pretending to be that employee
  • The message requests a direct deposit or payroll update
  • New banking details are provided
  • The company updates payroll records without proper verification
  • The next paycheck is sent to the attacker’s account

Common payroll diversion scam scenarios

  • Email impersonation: A message appears to come from an employee requesting a deposit change
  • Account compromise: A real employee email account is hacked and used to submit the request
  • Lookalike domains: The attacker uses an email address that closely resembles the real employee’s address
  • HR targeting: Payroll or HR staff receive repeated requests to process changes quickly

Red flags of payroll diversion scams

  • Urgent requests to change direct deposit information
  • Requests sent only by email without prior notice
  • New bank details that differ significantly from previous records
  • Emails that discourage verification or create urgency
  • Slightly altered email addresses or domains (a swapped, added, or missing character, or a different top-level domain), or a Reply-To address that points somewhere other than the sender
  • Requests that bypass standard HR or payroll procedures
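The red flags above can be checked mechanically before a request ever reaches a payroll clerk. The following is an added example, not code from the original article: it triages an inbound message for a deposit change, scores it against the flags listed above, and routes it either to out-of-band verification (no flags) or to the security team (any flag). The corporate domain, the on-file employee record, the keyword patterns, the 0.8 lookalike similarity threshold, and the sample messages are all constructed assumptions for illustration.

```python
"""Triage inbound direct-deposit change requests against the red flags above.

Added example, not code from the original article. The corporate domain,
employee records, keyword patterns and messages are constructed sample data.
"""
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-corp.com"   # assumed corporate mail domain

# Constructed on-file payroll data, keyed by the mailbox local part.
EMPLOYEES = {
    "j.doe": {"routing": "021000021"},
}

# Is this a request to change payment details at all?
DEPOSIT_CHANGE = re.compile(
    r"\b(update|change|switch)\b.{0,40}\b(direct deposit|bank account|payroll)\b",
    re.I | re.S)
URGENCY = re.compile(
    r"\b(asap|urgent(?:ly)?|immediately|today|before (?:the )?next payroll)\b", re.I)
NO_VERIFY = re.compile(
    r"\b(do(?:n'?t| not) (?:call|phone)|can(?:'?t|not) (?:take|answer) calls"
    r"|no need to (?:call|verify)|in meetings all day)\b", re.I)
ROUTING = re.compile(r"\b(\d{9})\b")     # nine-digit ABA routing-number shape


def domain_of(addr):
    """Lower-cased domain of an address such as 'Jane Doe <j.doe@x.com>'."""
    _, email_addr = parseaddr(addr)
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""


def local_part_of(addr):
    """Lower-cased mailbox part of an address (used to find the payroll record)."""
    _, email_addr = parseaddr(addr)
    return email_addr.split("@", 1)[0].lower()


def is_lookalike(domain, corp=CORPORATE_DOMAIN):
    """True if domain is not the corporate domain but confusably close to it,
    e.g. one substituted character. The 0.8 threshold is an assumed tuning value."""
    if not domain or domain == corp:
        return False
    return SequenceMatcher(None, domain, corp).ratio() >= 0.8


def triage(msg):
    """msg: dict with 'from', 'reply_to' (may be ''), 'subject', 'body'.
    Returns {'in_scope': bool, 'flags': [...], 'action': str}."""
    text = f"{msg['subject']}\n{msg['body']}"
    if not DEPOSIT_CHANGE.search(text):
        return {"in_scope": False, "flags": [], "action": "ignore"}

    flags = []
    sender_domain = domain_of(msg["from"])
    if sender_domain != CORPORATE_DOMAIN:
        flags.append("lookalike-domain" if is_lookalike(sender_domain) else "external-sender")
    reply_domain = domain_of(msg.get("reply_to", ""))
    if reply_domain and reply_domain != sender_domain:
        flags.append("reply-to-mismatch")
    if URGENCY.search(text):
        flags.append("urgency")
    if NO_VERIFY.search(text):
        flags.append("discourages-verification")

    record = EMPLOYEES.get(local_part_of(msg["from"]))
    if record is None:
        flags.append("unknown-employee")
    else:
        # Any nine-digit number that is not the routing number on file.
        if any(r != record["routing"] for r in ROUTING.findall(text)):
            flags.append("new-bank-details")

    # A deposit change is never processed on email alone: the clean case still
    # goes to out-of-band verification; any red flag escalates to security.
    action = "escalate-to-security" if flags else "verify-out-of-band"
    return {"in_scope": True, "flags": flags, "action": action}


# Constructed sample messages: one impersonation attempt, one ordinary request.
SAMPLE_MESSAGES = [
    {"from": "Jane Doe <j.doe@examp1e-corp.com>",
     "reply_to": "jane.doe.personal@gmail.com",
     "subject": "Direct deposit update - urgent",
     "body": ("Hi, please update my direct deposit before the next payroll. "
              "New routing 111000025, account 987654321. I'm in meetings all day "
              "so don't call, just confirm by email.")},
    {"from": "j.doe@example-corp.com", "reply_to": "",
     "subject": "Deposit split",
     "body": ("Can you change my direct deposit split so 10% goes to savings? "
              "Same bank, routing 021000021.")},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["from"], "->", triage(m))
```

The point of the final routing decision is that a message with no flags is still not acted on: it only earns a call-back to the employee's number on file. The flags decide how loudly to escalate, not whether to verify.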

Why payroll diversion scams are effective

These scams succeed because they target routine business processes. Payroll updates are common, and employees frequently change bank accounts. Attackers take advantage of that normal activity and rely on staff being busy or trusting the request without verification.

In some cases, attackers also use real employee data or compromised accounts, making the request even more convincing.

How to prevent payroll diversion scams

  • Require identity verification for all payroll changes
  • Confirm requests by calling a phone number already on file for the employee, or through an internal system, never a number or contact method supplied in the request itself
  • Never rely on email alone for direct deposit updates
  • Have employees make changes themselves through the authenticated HR or payroll self-service platform rather than having HR enter details from an email
  • Enable multi-factor authentication for employee accounts, including the payroll platform
  • Train HR and payroll staff to recognize impersonation attempts
  • Require approval workflows for sensitive changes, and send a confirmation of any change to the employee's existing email address and phone number so a fraudulent change is caught before the next pay run

What to do if payroll fraud occurs

If a payroll diversion scam is discovered, act immediately. Contact your bank, report the fraudulent transfer, and attempt to reverse or freeze the transaction; recovery is most likely in the first hours, before the funds are moved on. Notify internal leadership, preserve the original request (including full email headers) and document the incident, and determine whether employee data or systems were compromised. If the request came from a real employee mailbox, treat that mailbox as compromised: reset its credentials, revoke active sessions, and check it for mail-forwarding or deletion rules the attacker may have added to hide replies. Report the fraud to law enforcement as well (in the US, the FBI's Internet Crime Complaint Center, IC3).

You should also review payroll procedures, update security controls, and retrain employees to prevent future incidents.

Payroll diversion vs other BEC scams

Payroll diversion is one type of Business Email Compromise. Other BEC scams include executive impersonation, vendor invoice fraud, and wire transfer scams. While the tactics vary, all BEC attacks rely on trust, impersonation, and manipulation of business processes.

Learn more about BEC here: What Is Business Email Compromise (BEC)?
