
Payroll Diversion Scam

Quick verdict

Risk level: High risk
Scam type: Business email compromise (payroll)
Main red flag: An emailed request to change an employee's payroll bank details.
What to do first: Verify the change in person or by a known number, never by reply alone.

What this scam usually looks like

In this scam, fraudsters pose as an employee emailing HR or payroll to change their bank details, diverting the next salary payment to an account they control before the real worker notices.

Example message pattern

Example pattern — not a real report
'Hi, I've switched banks. Please update my account details for this month's payroll. New account number and sort code below.'

This is a fictional, anonymised example used to illustrate the pattern. It is not a verified real message, and any names are used only to show how the scam typically reads.

Red flags to watch for

  • An email asking to change payroll bank details
  • A request that skips your normal change process
  • Slight differences in the sender's email address
  • Pressure to update before the next pay run
  • Reluctance to verify by phone or in person

What to do

  • Verify any bank change in person or via a known number
  • Use a strict, documented process for payroll changes
  • Confirm with the employee through a trusted channel
  • Train staff to spot impersonation emails

If you already clicked or replied

  • Contact your bank immediately to try to recall the payment
  • Alert the real employee and reset the correct details
  • Report it as business email compromise
  • Review email security and change processes

What not to do

  • Do not change payroll details from an email alone
  • Do not skip verification under time pressure
  • Do not reply to the email to confirm the change

Frequently asked questions

How do I prevent payroll diversion?
Verify every bank-detail change in person or via a known number, use a documented change process, and never rely on email alone to confirm.

The email looked like a real employee. How?
Fraudsters spoof or closely mimic staff addresses. Always confirm changes through a trusted channel rather than trusting the sender name.

We already paid the wrong account. What now?
Contact your bank immediately to attempt recall, alert the real employee, reset the correct details, and report it as business email compromise.

Who do scammers target with this?
HR and payroll staff who can change bank details, especially near pay-run deadlines when there is pressure to act quickly.

Last reviewed: June 2026

Disclaimer: This page provides educational information only to help you recognise common scam patterns. It is not legal, financial, cybersecurity, or law enforcement advice, and it does not confirm whether any specific message, company, or person is genuine or fraudulent. When in doubt, contact the official organisation directly and report concerns to your local authorities.