Fake Payroll Update Emails on Email
Fraudsters email payroll or HR staff impersonating employees to change direct-deposit details, diverting wages to an account they control.
Last reviewed: 1 June 2026
Payroll diversion scams use email to impersonate an employee requesting a change to their direct-deposit bank account. A single convincing message to payroll or HR can reroute someone's wages to a criminal account, often unnoticed until the employee reports a missing paycheck.
Email is the natural channel because payroll changes are routinely requested and processed there. A message that appears to come from a real employee, referencing normal payday timing, can pass for a legitimate update if the organisation lacks a strict verification step.
How this scam works on Email
The attacker emails payroll or HR from a spoofed or lookalike address, or from a compromised employee mailbox, asking to update the impersonated employee's direct-deposit details. The request is polite and routine, sometimes explaining the change as a new bank or a closed account.
They supply new account details and may ask that the change take effect before the next pay run. The message mimics the employee's tone and references plausible details to appear genuine, and it relies on payroll processing the update without independently confirming it.
If the change is made, the next salary payment goes to the criminal's account. The fraud is typically discovered only when the genuine employee notices their pay did not arrive, by which point the funds have been withdrawn.
Common red flags
- An emailed request to change an employee's direct-deposit details
- A sender address that differs subtly from the employee's real one
- A request timed just before a pay run
- A change explained vaguely as a new or closed bank account
- Slightly unusual phrasing compared with the employee's normal emails
- Pressure to apply the change quickly
How to protect yourself
- Verify every bank-detail change by speaking to the employee directly
- Use a known internal phone number, not contact details in the email
- Require a secondary verification step for all payroll changes
- Flag external emails so spoofed employee senders stand out
- Apply a brief hold and confirmation window for new bank details
- Enable multi-factor authentication on employee and HR mailboxes
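The sender-related red flags and the "flag external emails" measure above can be checked automatically before a request reaches payroll. The Python sketch below is an added example, not part of the original page; the domain example.com, the employee directory, the keyword pattern and the sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration: the organisation's domain, a directory of
# employee display names and real addresses, and a keyword pattern.
ORG_DOMAIN = "example.com"
DIRECTORY = {"dana reyes": "dana.reyes@example.com"}
CHANGE_TERMS = re.compile(r"direct[- ]deposit|bank (account|details)|pay run", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to spot domains one or two edits from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def payroll_flags(raw):
    """Return the red flags found in one raw, single-part email message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    body = "" if msg.is_multipart() else msg.get_payload()
    flags = []
    if CHANGE_TERMS.search(f"{msg.get('Subject', '')}\n{body}"):
        flags.append("bank-detail change requested by email")
    if domain != ORG_DOMAIN:
        flags.append("external sender")
        if edit_distance(domain, ORG_DOMAIN) <= 2:
            flags.append("lookalike domain")
    known = DIRECTORY.get(name.strip().lower())
    if known and known != addr:
        flags.append("display name matches an employee, address does not")
    return flags

# Constructed sample messages (not real mail).
BODY = "\n\nHi, I changed banks. Please update my bank details before the next pay run.\n"
SPOOFED = "From: Dana Reyes <dana.reyes@examp1e.com>\nSubject: Update my direct deposit" + BODY
COMPROMISED = "From: Dana Reyes <dana.reyes@example.com>\nSubject: Update my direct deposit" + BODY
BENIGN = "From: Dana Reyes <dana.reyes@example.com>\nSubject: Lunch\n\nSee you at noon.\n"

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("compromised", COMPROMISED), ("benign", BENIGN)):
        print(label, payroll_flags(raw))
```

A request sent from a compromised mailbox passes every sender check and is caught only by the content flag, which is why the call to a known internal number is still required before any change is applied.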
How to report it
- Report the incident to your national cybercrime or fraud centre
- Notify your bank immediately to attempt recall of any diverted pay
- Alert HR, payroll, and IT security and preserve the email
Frequently asked questions
An employee emailed payroll to change their bank details. How do we confirm it is really them?
Do not rely on the email. Call the employee on a known internal number, or confirm in person, before changing any direct-deposit details. A spoofed or compromised account can send a convincing request, so independent verification is essential.