High risk | Bank & Payment Scams

Payroll Direct Deposit Scam

In this scam, a fraudster emails an employer's HR or payroll team while pretending to be an employee and asks to update their direct-deposit bank details, diverting the next paycheck to the scammer's account.

Quick verdict

  • Risk level: High risk
  • Scam type: Business email compromise scam
  • Main red flag: An email request to change an employee's bank or direct-deposit details, often marked urgent.
  • What to do first: Verify any banking change by phoning the employee on a known number, not by replying to the email.

What this scam usually looks like

In this scam, a fraudster emails an employer's HR or payroll team while pretending to be an employee and asks to update their direct-deposit bank details, diverting the next paycheck to the scammer's account.

Example message pattern

Example pattern (not a real report):
'Hi, I've recently switched banks. Please update my direct deposit to the new account below before the next payroll run. Thanks, [employee name]'

This is a fictional, anonymised example used to illustrate the pattern. It is not a verified real message, and any names are used only to show how the scam typically reads.

Red flags to watch for

  • An email asking to change direct-deposit or bank details, especially close to payday
  • A reply address that is slightly different from the employee's real work email
  • Pressure to update the details quickly or before the next pay run
  • Reluctance to confirm the request by phone or in person
  • A new account at a different bank with no other supporting paperwork
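
For IT or security teams who want to pre-screen mail sent to the payroll inbox, the red flags above can be checked automatically. The script below is an added example, not part of the original page: the company domain, the HR directory entry, the keyword lists and the sample message are all constructed assumptions, and it handles single-part plain-text messages only.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "corp.example"  # assumption: the employer's real mail domain
DIRECTORY = {"Dana Reyes": "dana.reyes@corp.example"}  # constructed HR directory
BANK_TERMS = re.compile(r"direct deposit|bank (details|account)|switched banks", re.I)
URGENT_TERMS = re.compile(r"urgent|asap|immediately|before the next (payroll|pay) run", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (lookalike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def red_flags(raw):
    """Return the red flags found in one raw single-part email message."""
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    flags = []
    if BANK_TERMS.search(text):
        flags.append("bank-detail change request")
    if URGENT_TERMS.search(text):
        flags.append("urgency / pay-run pressure")
    known = DIRECTORY.get(name)
    if known and sender.lower() != known:
        flags.append("sender address differs from directory address")
    if reply_to and reply_to.lower() != sender.lower():
        flags.append("Reply-To differs from From")
    for addr in sorted({sender, reply_to} - {""}):
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2:
            flags.append(f"lookalike domain: {domain}")
    return flags

# Constructed sample: the display name matches a real employee, the domain does not.
SAMPLE = """From: Dana Reyes <dana.reyes@c0rp.example>
To: payroll@corp.example
Subject: Direct deposit update

Hi, I've recently switched banks. Please update my direct deposit to the
new account below before the next payroll run. Thanks, Dana
"""

if __name__ == "__main__":
    for flag in red_flags(SAMPLE):
        print("FLAG:", flag)
```

A clean result does not make a request genuine, because a compromised mailbox sends from the employee's real address; the phone check on a known number still applies to every banking change.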

What to do

  • Confirm any bank-detail change by contacting the employee directly on a trusted number
  • Use a verification step for payroll changes, separate from the original email
  • Treat urgent banking-change emails as a common business email compromise pattern
  • Report suspected fraud to your bank, IT or security team, and national fraud body

If you already clicked or replied

  • If a payment has gone out, contact your bank immediately to try to recall it
  • Alert your payroll, IT, and security teams so other staff can be warned
  • Check whether the email account was accessed or spoofed and reset passwords if needed
  • Keep the email and any payment records for your investigation and report

What not to do

  • Do not change banking details based on an email alone
  • Do not reply to the suspicious email to 'confirm' the request
  • Do not skip your normal verification steps because the request seems urgent

Frequently asked questions

How does the scammer know employee names and the payroll process?
They often gather names from company websites or social media, or from a compromised email account. This lets the request look convincing even though it is fake.

Why are these emails usually timed near payday?
Timing the change just before a pay run gives staff less time to verify and increases the chance the next paycheck is diverted before anyone notices.

How can payroll teams prevent this?
Always verify bank-detail changes through a separate, trusted channel such as a phone call to a known number, and require a second person to approve changes.

A paycheck was already diverted. What now?
Contact your bank straight away to attempt a recall, inform the affected employee, and report the incident to your IT or security team and national fraud body.

Last reviewed: June 2026

Disclaimer: This page provides educational information only to help you recognise common scam patterns. It is not legal, financial, cybersecurity, or law enforcement advice, and it does not confirm whether any specific message, company, or person is genuine or fraudulent. When in doubt, contact the official organisation directly and report concerns to your local authorities.