HR Departments Targeted with Payroll Diversion Scams

Is your HR department trained to combat cyber-crime?

A wide-spread fraud scheme has been making a comeback in recent months and it's specifically targeting the department responsible for making sure employees are paid on-time, every time. The IRS warns that direct deposit and wire transfer scams are becoming more prolific and are bypassing even the most sophisticated technical controls. Companies and employees are being scammed out of thousands of dollars through a few simple targeted e-mails. 

How does payroll fraud work? 

Most companies use direct deposit to ensure employees are paid through a consistent, automated process that is set up when employees join the company. Unless changes are requested, payroll is continually deposited into their accounts.  Hackers are trying to exploit this system by digging up information on the HR department and sending targeted messages to HR personnel posing as high level executives or employees who need assistance updating their information. 

The messages typically use some sort of urgent wording and discourage the HR personnel from calling to follow-up on the request. Scammers have caught on to avoiding e-mail filters and are careful to ensure there are few misspellings or grammatical errors that would send them to spam. 


The emails use spoofed addresses that don't require any hacking or technical skill on the scammer's part. They simply sign up for a fake email address using free services such as Gmail or Yahoo, using a known employee's name as the account holder. This makes the scam even harder to spot since HR personnel may not notice the full e-mail address and just recognize a familiar display name. Once the direct deposit details have been updated, the next paycheck funnels straight into an account set up by the scammer and continues until the employee notices paychecks haven't been deposited. 

Fighting Fraud with Education

Involving HR personnel in engaging, role-based security awareness training & educational programs is the most proven method to avoid falling for scams like this that are almost impossible to stop with technical security tools. Continual education and strict processes to require a follow-up phone call can foil even the most sophisticated social engineering attacks in many instances. Requiring all requests to come from verified company e-mail accounts can assist as well. 

Reporting Cyber-crime & Fraud

Avoidance, education, and reporting are all key to stopping cyber crime in its tracks. If you've been a victim of an internet scam or hacking, it's important to file a complaint with the FBI's Internet Crime Complaint Center (IC3).

If you would like to launch a security awareness program at your company that does not require more manpower or cut into work time, look into the Phishgoggles Security Awareness Service. It is the only fully-managed, year-round phishing, training and performance-based educational service to elevate cybersecurity awareness and alertness.

No single service or technology can cover all of the potential entry points for ransomware, malware and other malicious viruses, so Summit has bundled services that range from "if-you-do-nothing-else-you-better-have-these-basic-protections" to a comprehensive multi-layer package that seeks to stop hackers at every point in your IT systems they can enter. Consult Summit for an IT security consultation to see which products are right for your organization.

The Summit Layered IT Security Model:

  • IT Security Assessments & Consulting
  • Single Sign-on & Multi-factor Authentication
  • Deep Packet Inspection of Secure Socket Layer
  • Advanced Threat Protection
  • Web Filtering
  • Security Awareness Service
  • Encryption
  • IT Policies & Procedures
  • Advanced Security Monitoring & Analysis (24/7 SOC SEIM)
  • Penetration Testing
  • Vulnerability Scanning 

Learn more


Lee Snead

Lee Snead is Summit's Content Marketing Specialist, and brings cyber-security awareness and training expertise from his days as a security awareness program lead for a Fortune 500 company. Lee focuses on quality content creation, photography, videography, and impactful communications that turn complex IT topics into easily consumable ideas. When he's not writing or filming, he's out on the water. Surfing, kayaking, and SUPing are this St. Louis native's forte.

Related Posts


Sign up for Our Blogs

Latest blogs