Fake Payroll Update Email Scam
Fraudsters impersonate employees or HR systems to redirect salary payments to accounts they control, often by submitting fake direct deposit change requests.
Last reviewed: 1 June 2026
What this scam is
Fake payroll update email scams involve a fraudster posing as an employee and contacting the HR or payroll department to request a change of bank account details for salary payment. The change appears routine — employees do change their bank accounts — but the new account is controlled by the fraudster.
When the next payroll run processes, the employee's salary is deposited into the fraudster's account rather than the employee's genuine account. The employee typically does not discover this until payday, by which point the funds may already have been withdrawn.
This scam may also target HR systems directly: compromised or fake HR platform credentials are used to modify direct deposit details within the payroll software itself, bypassing any email-based controls.
How it works
The fraudster sends an email to the HR or payroll contact, posing as a member of staff. The email requests a bank account change in advance of the next pay cycle, citing a bank change, account closure, or account error. The request may cite the employee's correct name, job title, and employee number — data available from company directories or prior access.
The email may originate from a look-alike domain ([email protected] rather than @company-name.com) or from a free email account with the employee's name. Some attacks compromise the employee's real email account to make the request appear entirely legitimate.
When the payroll team processes the next run without an independent verification step, the salary is redirected.
Why this scam works
Payroll change requests are routine. HR teams process them regularly, and the emotional pressure to ensure employees are paid on time means requests made near a payroll deadline are particularly likely to be actioned quickly. The social cost of failing to pay someone on time — causing real hardship — creates a bias towards processing rather than questioning.
Common red flags
- Email from a domain that closely resembles but is not identical to the company domain
- Request comes from a free email provider rather than the company email
- Bank change request immediately before a payroll run
- Employee is unreachable via their usual internal communication channels to confirm
- Request cites an unusual reason: 'my bank has been hacked', 'my account was frozen'
- Pressure to process before the next payroll cut-off
- New account is at a different bank from all previous payroll history
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Hi [payroll contact], could you please update my direct deposit details? I have changed banks. New account: [fraudster account details]. Please update before this month's run.
I need to change my payroll bank account urgently — my existing bank account has been compromised and I cannot receive payments there. Please update to the following account immediately.
Team — please action a payroll redirect for [employee name] effective this month. New account details attached. [fake email footer]
Common variations
- HR system compromise — attacker logs into payroll software using stolen credentials and changes details directly
- Vendor payroll scam — accounts payable team targeted with fake contractor payment account change
- Mass payroll redirect — attacker compromises the payroll administrator account and redirects multiple employees
How to verify before you act
Implement a mandatory out-of-band verification for every bank detail change: call the employee on a known number from your HR records — not any number provided in the change request email. Require a second sign-off for payroll changes. Restrict access to payroll systems to named individuals with MFA. Send payslip confirmations to both the old and new email address on file when account details change.
Payment methods used
- Payroll bank transfer (BACS / ACH)
Who is usually targeted
- Organisations with centralised HR and payroll functions
- Businesses where payroll requests are processed by email without out-of-band verification
- Companies with many remote employees where in-person verification is impractical
What to do immediately
- If you receive a payroll change request, call the employee directly on a known number before processing
- If a misdirected payment is discovered, contact your bank immediately to attempt a recall
- Lock access to the payroll system and review audit logs if a system-level change is suspected
- Report to your national fraud authority and provide bank details to assist with investigation
- Notify the affected employee immediately so they can manage their own finances
How to prevent it
- Require independent phone verification for every payroll bank detail change
- Implement dual-authorisation for payroll updates
- Enable multi-factor authentication on all payroll and HR system accounts
- Send confirmation to employees' existing registered email when account details are updated
- Train HR teams to recognise urgency as a red flag in payroll change requests
Evidence to preserve
- The original email requesting the change, including full email headers
- The new bank account details provided
- Payroll records showing the redirected payment
- System access logs if a payroll platform was involved
- Any previous correspondence with the employee for comparison
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
An employee says they did not request the change — what do we do?
Immediately contact your bank to recall the misdirected payment. File a fraud report with your bank and your national fraud authority. Investigate whether the employee's email was compromised and coordinate with your IT security team. Change passwords and review access logs for the payroll system.
How quickly can a misdirected payroll payment be recovered?
Speed is critical. Contact your bank on the same day the misdirected payment is identified. Banks can sometimes freeze or recall payments to accounts flagged for fraud, but the window is short. Once funds are withdrawn from the fraudster's account, recovery is much less likely.