Payroll Diversion
A fraud in which criminals hijack or impersonate an employee's identity to redirect salary payments to an account they control.
Also known as: salary diversion, payroll fraud, direct deposit scam, HR fraud
Last reviewed: 1 June 2026
Payroll diversion attacks target HR and payroll teams with a request to update an employee's bank details to an account the fraudster controls. The request is typically delivered via a spoofed or compromised email appearing to come from the employee — sometimes using an email address that differs by only one character from the real one.
The fraudster may time the request to coincide with a holiday or a period when the real employee is unlikely to notice the missing salary immediately. By the time the employee raises the alarm, the funds have been moved onward through money-mule accounts.
Business email compromise (BEC) is the most common vector, but attacks also arise from compromised HR systems or from phishing of individual employees' payroll-portal credentials, which are then used to change their direct-deposit details. Mitigations include mandatory telephone verification of any bank-change request, using a number taken from official HR records rather than from the request itself, and dual-approval workflows for payroll amendments.
Examples
- An HR manager receives an email that appears to be from a colleague asking for their salary to go to a new bank account — the sender address has an extra letter.
- An employee's payroll portal login is phished, and the attacker changes the direct-deposit bank account before the next pay date.
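The two mitigations and both example scenarios above, as an added defensive check that is not part of this glossary entry; the HR directory, phone numbers and requests are constructed samples:

```python
# Added example: gate a payroll bank-change request behind the two mitigations
# described (call-back on the HR-record number, dual approval) and flag senders
# one character away from a directory address. All data below is constructed.
from dataclasses import dataclass, field
from typing import Optional
# Constructed HR directory: employee id -> official email and phone on record.
DIRECTORY = {
    "e1001": {"email": "j.smith@example.com", "phone": "+44 20 7946 0001"},
    "e1002": {"email": "a.khan@example.com", "phone": "+44 20 7946 0002"},
}
def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a rolling single-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]
def classify_sender(sender: str):
    """('exact', id), ('lookalike', id) if within one edit, else ('unknown', None)."""
    sender = sender.strip().lower()
    for emp_id, rec in DIRECTORY.items():
        if sender == rec["email"]:
            return "exact", emp_id
    for emp_id, rec in DIRECTORY.items():
        if edit_distance(sender, rec["email"]) <= 1:
            return "lookalike", emp_id
    return "unknown", None
@dataclass
class BankChangeRequest:
    employee_id: str
    sender: str                      # address the request arrived from
    new_account: str
    phone_verified_with: Optional[str] = None  # number HR actually called back
    approvers: set = field(default_factory=set)  # staff who signed off
def evaluate(req: BankChangeRequest):
    """Return (apply, reasons); any unmet control blocks the change."""
    reasons = []
    kind, matched = classify_sender(req.sender)
    if kind == "lookalike":
        reasons.append(f"sender is one edit away from {DIRECTORY[matched]['email']}")
    elif kind != "exact" or matched != req.employee_id:
        reasons.append("sender is not the employee's directory address")
    if req.phone_verified_with != DIRECTORY[req.employee_id]["phone"]:
        reasons.append("no call-back on the phone number held in HR records")
    if len(req.approvers) < 2:
        reasons.append("second approver missing for payroll amendment")
    return not reasons, reasons
```

A request arriving from the employee's genuine address (the phished-portal case) is still held until the call-back and second approver are recorded, which is the point of verifying out of band.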