What Is the Payroll Diversion Scam and How Do You Block It?
A payroll diversion scam is when an attacker poses as an employee and emails HR or payroll asking to change their direct deposit details, sending the paycheck to a bank account the thief controls. It works because the request looks routine and the email seems to come from a real coworker. You block it by verifying every banking change through a second channel and screening inbound email for impersonation.
A payroll diversion scam is a form of fraud where someone pretends to be one of your employees and asks HR or payroll to update their direct deposit information. The new account belongs to the attacker, so the next paycheck lands in their hands instead of your team member's.
It is quiet, low-tech, and surprisingly effective. There is no malware and no obvious red flag. Just a polite request that looks like ordinary admin work.
How the scam actually works
The attacker does not need to break into anything. They study your company, find an employee name, and send a message that reads like a normal request.
A typical sequence looks like this:
- The attacker spoofs or imitates an employee's email address, sometimes using a free webmail account with the person's real name.
- They email payroll or HR saying they switched banks and need their direct deposit updated.
- They supply a new routing and account number that belongs to them.
- Payroll makes the change. The next paycheck is gone before anyone notices.
By the time the real employee asks where their pay went, the money has usually been moved out of reach.
Why it slips past normal defenses
This scam is a cousin of business email compromise, and it succeeds for the same reasons.
- No malicious link or attachment. Spam filters look for known bad signatures. A plain text request to change banking details has none.
- It mimics a routine task. Payroll changes happen all the time, so the request does not feel unusual.
- It exploits trust, not technology. The message leans on a familiar name and a reasonable story.
This is exactly the gap that spam filters miss. They are built to catch volume and obvious threats, not a single tailored message.
The warning signs to train your team on
Teach anyone who touches payroll to slow down when they see these signals.
- A banking or direct deposit change requested only by email, with no prior conversation.
- Urgency, such as a claim that the change must happen before the next pay run.
- A reply-to address that differs slightly from the employee's usual one.
- A request that you not call, or a claim that the employee is hard to reach.
- A new account at a bank the employee has never mentioned.
None of these alone proves fraud. Together they should trigger a verification step every time.
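As an added illustration (not part of the original article, and not CIVRA's code), the script below turns the warning signs listed above into a small triage check run over two constructed sample messages: one that follows the scam pattern and one routine pay-stub question. The directory, the address domains, the regular expressions and the sample messages are all assumptions made for the example. It applies the article's rule that every banking change is verified out of band, and escalates when the other signals stack on top of it.

```python
import email
import re
from dataclasses import dataclass, field
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not real mail). The first mimics the scam pattern
# described above: a legitimate-looking From, a webmail Reply-To, a banking
# change, a deadline tied to the pay run, and a request not to be phoned.
SAMPLE_SUSPICIOUS = """\
From: Dana Whitfield <dana.whitfield@example-company.test>
Reply-To: dana.whitfield.hr@example-webmail.test
To: payroll@example-company.test
Subject: Direct deposit update

Hi, I switched banks and need my direct deposit updated before this pay run.
New routing number 000000000, account 123456789. I am in meetings all day so
please don't call, just reply to this email once it's done. Thanks!
"""

SAMPLE_BENIGN = """\
From: Dana Whitfield <dana.whitfield@example-company.test>
To: payroll@example-company.test
Subject: Pay stub copy

Hi, could you send me a copy of last month's pay stub for my records? Thanks.
"""

# Hypothetical known-good directory kept outside email: display name -> address.
DIRECTORY = {"dana whitfield": "dana.whitfield@example-company.test"}

BANKING = re.compile(r"\b(direct deposit|routing number|account number|switched banks?|new bank)\b", re.I)
URGENCY = re.compile(r"\b(before (this|the next) pay ?run|urgent|asap|by end of day)\b", re.I)
AVOID_CONTACT = re.compile(r"\b(don'?t call|do not call|can'?t take calls|hard to reach)\b", re.I)


@dataclass
class Triage:
    employee: str
    reply_address: str
    signals: list = field(default_factory=list)
    action: str = "normal"


def triage(raw: str) -> Triage:
    """Score one inbound message for the payroll-diversion warning signs."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, from_addr = parseaddr(str(msg["From"] or ""))
    # Replies land at Reply-To when it is present, so that is the address to judge.
    reply_addr = parseaddr(str(msg["Reply-To"]))[1] if msg["Reply-To"] else from_addr
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""

    result = Triage(employee=name, reply_address=reply_addr)
    if BANKING.search(text):
        result.signals.append("banking_change")
    if URGENCY.search(text):
        result.signals.append("urgency")
    if AVOID_CONTACT.search(text):
        result.signals.append("avoid_contact")
    known = DIRECTORY.get(name.lower())
    if known is None or reply_addr.lower() != known:
        result.signals.append("reply_path_mismatch")

    # Article's rule: every banking change is verified out of band; any extra
    # signal on top of that means hold the request and escalate it.
    if "banking_change" in result.signals:
        result.action = "hold_and_escalate" if len(result.signals) > 1 else "verify_out_of_band"
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_SUSPICIOUS, SAMPLE_BENIGN):
        t = triage(sample)
        print(t.employee, t.reply_address, t.action, t.signals)
```

The point of the reply-path check is that the From header can be made to look right; what matters is where a reply would actually go, compared against a contact list that never came from the email itself.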
How to block it for good
The single most effective defense costs nothing.
Verify every banking change out of band. When a request to change direct deposit arrives, confirm it using a phone number you already have on file, not one in the email. A 30-second call ends the scam.
Beyond that:
- Require a second person to approve any payroll account change.
- Keep a known-good contact list separate from email so verification is easy.
- Document a simple written policy so no one feels awkward pausing a request.
- Screen inbound email for impersonation before it reaches HR.
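The verification steps above can be expressed as a decision function, shown here as an added example that is not the article's or CIVRA's code. The employee record, phone numbers and staff names are assumptions. The function only applies a direct-deposit change when the callback went to the number already on file (a number offered in the message is rejected even if it was dialed), the employee confirmed, and a second, different person approved.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical HR system of record. The phone number here was collected at
# onboarding, so it is independent of anything written in an inbound email.
EMPLOYEE_RECORDS = {
    "E1001": {"name": "Dana Whitfield", "phone_on_file": "+1-555-0100"},
}


@dataclass
class DepositChangeRequest:
    employee_id: str
    new_routing: str
    new_account: str
    callback_number_in_message: Optional[str] = None  # whatever the email offered


@dataclass
class CallbackVerification:
    performed_by: str       # payroll staff member who made the call
    number_dialed: str
    employee_confirmed: bool


def decide(req: DepositChangeRequest, verification: CallbackVerification, approver: str):
    """Return ("applied", []) or ("rejected", [reasons]) for one deposit change."""
    record = EMPLOYEE_RECORDS.get(req.employee_id)
    if record is None:
        return "rejected", ["unknown_employee"]
    reasons = []
    # Rule 1: the callback must go to the number on file. A number that only
    # appears in the request is treated as attacker-controlled.
    if verification.number_dialed != record["phone_on_file"]:
        if verification.number_dialed == req.callback_number_in_message:
            reasons.append("callback_used_number_from_message")
        else:
            reasons.append("callback_not_to_number_on_file")
    if not verification.employee_confirmed:
        reasons.append("employee_did_not_confirm")
    # Rule 2: two different people, one who verified and one who approves.
    if approver == verification.performed_by:
        reasons.append("verifier_and_approver_are_same_person")
    return ("rejected", reasons) if reasons else ("applied", [])


if __name__ == "__main__":
    req = DepositChangeRequest("E1001", "000000000", "123456789",
                               callback_number_in_message="+1-555-0199")
    print(decide(req, CallbackVerification("pat", "+1-555-0100", True), "sam"))
    print(decide(req, CallbackVerification("pat", "+1-555-0199", True), "sam"))
```

Keeping the decision in one place also gives you the written policy the article recommends: nobody has to argue about pausing a request, because the system will not apply it without the callback and the second approver.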
CIVRA helps with that last layer. It analyzes sender identity and behavior, flags look-alike domains, and reads the intent of a message, so a fake payroll request gets caught before your team ever has to judge it. See how that works on the features page.
What to do if a paycheck was already diverted
Move fast. Speed is what limits the damage.
- Contact your bank and the receiving bank immediately to attempt a recall.
- Make the affected employee whole and reissue their pay.
- Reset the impersonated account's password and check for forwarding rules.
- Report the incident to local authorities and your country's fraud reporting body.
- Review how the request got through and tighten your verification process.
FAQ
Who do payroll diversion scammers usually target?
They target whoever can change direct deposit details, which is typically HR staff or payroll administrators at small companies without a dedicated security team. The impersonated victim is often a regular employee, not an executive.
Is a payroll diversion scam the same as business email compromise?
It is a specific type of BEC. Instead of asking for a wire transfer, the attacker asks to redirect a paycheck. The tactics are the same: impersonation and a believable request.
Can a spam filter stop a payroll diversion scam?
Usually not. These emails carry no malicious links or attachments, so traditional filters see nothing wrong. Stopping them requires impersonation analysis and a human verification step.
What is the fastest way to prevent this scam?
Require out-of-band verification for every banking change. Call the employee on a known number before updating any direct deposit details, and have a second person approve the change.
Want fewer of these requests reaching your team at all? Start with CIVRA or compare plans on our pricing page.