Fake Payroll Update Requests on Slack
Fraudsters use Slack direct messages to impersonate employees and request direct-deposit changes, diverting wages by exploiting workspace trust.
Part of: Fake Payroll Update Email Scam
Last reviewed: 1 June 2026
Slack's closed-workspace feel makes a direct message from a colleague seem inherently genuine, which payroll diversion scams exploit. An attacker who compromises an account or joins as an external connection can message payroll or HR to request a bank-detail change with less scrutiny than a formal process would apply.
The casual rhythm of Slack encourages quick handling of routine-seeming requests. A recognised name in a direct message can prompt payroll staff to update details without the independent confirmation that prevents diverted wages.
How this scam works on Slack
After entering the workspace, the attacker direct-messages payroll or HR posing as an employee, asking to update their direct-deposit details, often citing a new bank and requesting the change before the next pay run.
The direct-message format isolates the request from colleagues and pressures a fast reply. The recognised profile reduces suspicion, and the attacker supplies new account details expecting them to be applied without a confirming call.
If payroll updates the record, the next salary payment is diverted to the criminal. The diversion is typically discovered only when the genuine employee reports missing pay.
Common red flags
- A Slack direct message requesting a direct-deposit change
- A request timed just before a pay run
- An external connection using an employee's name
- A bank-detail change requested only through chat
- A tone or behaviour unlike the employee's norm
- Pressure to apply the change quickly
How to protect yourself
- Verify payroll changes by phone with the employee on a known number
- Never action direct-deposit changes from a Slack message alone
- Require a secondary verification step for all payroll changes
- Identify and limit external connections in the workspace
- Enable multi-factor authentication for all members
- Apply a confirmation window before new bank details take effect
How to report it
- Report the suspicious account to your workspace administrator
- Notify your bank immediately if any pay was diverted
- File a report with your national cybercrime or fraud authority
Frequently asked questions
Can a Slack message be trusted to change an employee's payroll bank details?
No. A workspace can be entered through a compromised account or external connection, and names can be imitated. Confirm any direct-deposit change by phone with the employee on a known number before updating payroll.