Watch Your Payroll: How to Spot and Prevent Payroll Diversion Fraud


By Eddy Team, September 15, 2025
Imagine logging in to find your paycheck missing—not because you didn’t work, but because a cybercriminal intercepted it first. Payroll diversion fraud is on the rise, costing U.S. workers and companies millions annually, as reported by the FBI’s IC3. Here’s what you need to know to stay protected.

What Is Payroll Diversion Fraud?

Payroll diversion fraud is a cybercrime where hackers reroute an employee’s direct deposit paycheck into an account they control. It usually takes place entirely online and, if undetected, means an employee’s pay simply doesn’t show up on payday.
The Federal Bureau of Investigation (FBI) released an article on building a digital defense against phishing scams targeting electronically deposited paychecks.

How Do Criminals Commit Payroll Diversion?

According to the FBI and the Department of Homeland Security, criminals use a strategy known as Business Email Compromise (BEC) to launch payroll diversion attacks. Here’s a step-by-step look at how it works:
  1. Phishing for Credentials: Hackers send convincing phishing emails to employees, tricking them into entering their payroll portal login information on a fake website.
  2. Account Takeover: With stolen credentials, the criminal logs into the real payroll system.
  3. Changing the Direct Deposit: The criminal quickly replaces the employee’s legitimate bank account information with an account or prepaid card they control.
  4. Suppressing Notification: Often, the hacker modifies email rules to delete alerts, so the victim doesn’t get notified their payroll details have changed.
  5. Payday Theft: On the next payday, the victim’s wages are diverted to the criminal’s account—sometimes unnoticed until the pay is missed.
The FBI states that these attacks are fast-growing and affect every sector—from education and healthcare to small businesses and government agencies. Reported losses totaled at least $8.3 million in just 18 months, though the real number is likely much higher due to underreporting. The complaint center saw an 815% increase in payroll diversion incidents in just a year and a half.

How Can Employers & Employees Prevent Payroll Diversion?

For Employers

  • Employee Training: Teach employees how to spot phishing emails and warning signs. Simulated phishing tests can help keep everyone sharp.
  • Out-of-Band Verification: Require changes to payroll or bank information to be verified in person or by phone—not by email alone.
  • Two-Factor Authentication (2FA): Make sure your HRIS and payroll portal require 2FA so that a password alone isn’t enough to get in.
  • Monitor Payroll Changes: Set up alerts for any changes to direct deposit details and review them quickly.
  • Restrict Access: Only allow payroll access to those who need it, and review permissions regularly.
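As an added illustration (example code, not Eddy's own and not part of the original post), the following Python script applies the "Monitor Payroll Changes" control above to a few constructed audit events and, in the same pass, looks for the earlier attack steps: a login from an IP address the employee has never used and a mailbox rule that deletes payroll notifications. Every direct-deposit change is placed on hold pending out-of-band verification; a change that follows one of those indicators is escalated. The event field names, the baseline of known IP addresses, and the `new_account_type` field are assumptions, not a real product's schema.

```python
"""Flag direct-deposit changes that look like payroll diversion.

Added example with an assumed audit-event schema; the sample events and the
per-user baseline of known IPs below are constructed for the demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed audit events, oldest first is not required (they are sorted).
SAMPLE_EVENTS = [
    {"ts": "2025-09-10T08:02:00", "user": "jdoe", "event": "login", "ip": "203.0.113.10"},
    {"ts": "2025-09-10T08:05:00", "user": "jdoe", "event": "login", "ip": "198.51.100.77"},
    {"ts": "2025-09-10T08:06:30", "user": "jdoe", "event": "mail_rule_created",
     "rule": {"match": "payroll", "action": "delete"}},
    {"ts": "2025-09-10T08:07:10", "user": "jdoe", "event": "direct_deposit_changed",
     "old_bank": "BANK-PLACEHOLDER-A", "new_bank": "BANK-PLACEHOLDER-B",
     "new_account_type": "prepaid"},
    {"ts": "2025-09-11T09:00:00", "user": "asmith", "event": "login", "ip": "203.0.113.20"},
    {"ts": "2025-09-11T09:30:00", "user": "asmith", "event": "direct_deposit_changed",
     "old_bank": "BANK-PLACEHOLDER-A", "new_bank": "BANK-PLACEHOLDER-C",
     "new_account_type": "checking"},
]

# Constructed baseline: IPs each employee has logged in from before (assumed to
# be built from login history).
KNOWN_IPS = {"jdoe": {"203.0.113.10"}, "asmith": {"203.0.113.20"}}

# Mailbox rules acting on these words are treated as notification suppression.
PAYROLL_KEYWORDS = ("payroll", "direct deposit", "paycheck")
SUPPRESSING_ACTIONS = ("delete", "move_to_junk")
LOOKBACK = timedelta(hours=24)  # how far back to correlate prior events


@dataclass
class Alert:
    user: str
    ts: str
    severity: str        # "low" = routine hold, "high" = escalate to HR/security
    reasons: list[str]


def _when(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def review_direct_deposit_changes(events, known_ips, lookback=LOOKBACK):
    """Return one Alert per direct-deposit change, escalated when the change
    follows a login from an unknown IP or a payroll-suppressing mail rule."""
    events = sorted(events, key=_when)
    alerts = []
    for i, change in enumerate(events):
        if change["event"] != "direct_deposit_changed":
            continue
        user, t = change["user"], _when(change)
        # Every change is held until verified by phone or in person.
        reasons = ["pending_out_of_band_verification"]
        for prior in events[:i]:
            if prior["user"] != user or t - _when(prior) > lookback:
                continue
            if prior["event"] == "login" and prior["ip"] not in known_ips.get(user, set()):
                reasons.append(f"login_from_new_ip:{prior['ip']}")
            if prior["event"] == "mail_rule_created":
                rule = prior.get("rule", {})
                text = rule.get("match", "").lower()
                if rule.get("action") in SUPPRESSING_ACTIONS and any(
                    k in text for k in PAYROLL_KEYWORDS
                ):
                    reasons.append("payroll_notification_suppression_rule")
        # Assumed field: a prepaid destination matches the pattern described in the article.
        if change.get("new_account_type") == "prepaid":
            reasons.append("destination_is_prepaid_card")
        severity = "high" if len(reasons) > 1 else "low"
        alerts.append(Alert(user, change["ts"], severity, reasons))
    return alerts


if __name__ == "__main__":
    for alert in review_direct_deposit_changes(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert)
```

Run as-is, the script holds both changes and escalates only jdoe's, whose change was preceded by a login from an unfamiliar address, a rule deleting payroll mail, and a prepaid destination. In practice the baseline of known IPs would come from login history rather than a hard-coded dictionary, and the "low" alert still represents a hold: the change is not applied until a person confirms it through a channel other than email.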

For Employees

  • Verify Requests: If you get an email—no matter how “official” it looks—asking you to update bank details or log in to a portal, call HR or your payroll provider at a trusted number to verify.
  • Use Strong, Unique Passwords: Don’t reuse passwords across systems.
  • Two-Factor Authentication (2FA): Protect your email account with 2FA so hackers can't use your email account to reset the passwords of your other accounts.
  • Don’t Click Suspicious Links: If something feels wrong with an email claiming to be from HR or payroll, don’t click. Go directly to your company’s website or ask in person.
  • Report Suspicious Activity: If you suspect something odd—or if your paycheck is missing—notify your HR department and payroll provider right away.

Who Is Liable for Missing Payroll Funds in the Event of Fraud?

When payroll funds are stolen through diversion fraud, the legal responsibility for making sure employees receive their earned wages falls squarely on the employer. Employment laws require that businesses pay employees what they are owed, regardless of whether payroll was misdirected by cybercriminals. This means that if a paycheck is diverted into a fraudster’s account, the employer must still ensure the employee receives their full payment—promptly and in full.
Payroll and HR service providers, along with banks, generally serve as facilitators and rarely bear direct responsibility for reimbursing employees, unless the loss resulted from their own negligence. Most payroll provider agreements state clearly that the employer retains the obligation to pay wages, even if fraud occurs during payment processing. Even if an employee fell victim to a phishing scheme—enabling the fraud—the employer cannot withhold wages or deduct losses from an employee’s future pay.
After paying the affected employee, employers can attempt to recover stolen funds through the bank, the payroll provider (if their error contributed), or insurance. However, they cannot delay or avoid payment to the employee during this process. Failing to promptly pay employees—regardless of the theft—can expose the employer to penalties, regulatory action, or even lawsuits in many jurisdictions. This clear liability is why it’s so important for organizations to implement strong payroll security practices and have a response plan if diversion fraud occurs.

What to Do if You’re a Victim

If your paycheck goes missing or you discover unauthorized changes to your payroll info:
  • Act Immediately: Contact your payroll provider and bank. They may be able to reverse the transaction. Criminals often use accounts tied to gift cards, so while a reversal can be requested, the money is unfortunately often already gone.
  • Report to the FBI IC3: File a complaint at www.ic3.gov. The FBI tracks fraud trends and may be able to assist.
  • Protect Your Accounts: Change your passwords and set up 2FA to protect your account from future attacks.

How Eddy helps

Eddy protects your business and employees from payroll diversion fraud by layering robust security features throughout the payroll process. Every user must sign in with two-factor authentication (2FA), effectively blocking most account takeover attempts—even if someone’s password is compromised.
When an employee’s direct deposit details are updated, the change is immediately flagged and requires explicit approval from an administrator before payroll can proceed, ensuring no unauthorized updates slip through. Eddy also uses role-based access controls (RBAC) to ensure only the right personnel have access to sensitive payroll data, and automatic session timeouts help prevent risks from unattended logins.
Every payroll and HR change is comprehensively logged with user and timestamp details, so you always have a clear audit trail of who made which changes and when. With SOC 2 compliance and real-time alerts sent to HR and payroll admins about critical changes, Eddy ensures your payroll is secure and aligned with industry best practices—effectively protecting your team from payroll diversion fraud at every step.

Resources

More information can also be found from payroll providers, HR associations, and cybersecurity agencies.
Bottom line: Payroll diversion fraud is growing, but simple vigilance—plus a few technical controls—can make a big impact. Protect your pay and keep your team informed!