Securing Our Communities: Payroll Diversion Scams

Each week, the NTIC Cyber Center highlights a different social engineering scam impacting individuals and communities within the National Capital Region. We encourage everyone to share this information with friends, colleagues, and loved ones to help reduce their risk of becoming a victim of financial fraud and identity theft.


Payroll diversion scams, also known as direct deposit diversions, are social engineering scams in which perpetrators send deceptive emails to human resources or finance departments to divert direct deposit payments to a bank account they control. These emails, which may be brief, polite, and urgent-sounding, impersonate targeted employees at the company and contain immediate requests to change bank account information used for an employee’s direct deposit payments. To lend a sense of urgency or authority to their message, scammers may pretend to be an organization’s Chief Financial Officer (CFO) or Chief Executive Officer (CEO) requesting a change in payroll details. Scammers impersonating an employee may also claim that they are just about to leave the office, perhaps to attend a meeting, in order to discourage company officials from verifying the request with the affected employee. Payroll diversion scams are a type of business email compromise (BEC) scam, where threat actors use a variety of methods to trick an organization’s employees into relinquishing corporate funds.


Though payroll diversion scams are not new, an organization’s email security settings may not properly filter these malicious emails because the messages only contain a request to change a bank account number. Traditional spam filters often fail to detect these types of emails unless they contain malicious links, malware-laden attachments, or certain flagged words and phrases such as requests for money or wire transfer offers. Scammers can conduct a payroll diversion scam without using a compromised email account; rather scammers can simply mimic email addresses that appear similar to a target organization’s email structure. Successful payroll diversion scams result in serious financial losses for those impacted by this crime.


The NTIC Cyber Center provides the following tips to help our readers recognize and protect themselves and their organizations from payroll diversion scams:

  • Beware of payroll-related requests that contain incorrect grammar or short, urgent demands.

  • If you receive an email that requests a change in payroll procedures for your organization or for a specific employee, be sure to scrutinize the sender’s email address. Since scammers can make spoofed emails look surprisingly legitimate, employees should be on the lookout for common misspellings and character substitutions in email addresses as well as emails originating from free email services such as Yahoo or Gmail.

  • Always verify payroll-related changes with the original requestor via another means of communication, such as a phone call or in-person visit.

  • If scammers successfully steal money through a payroll diversion scheme, contact the employee’s bank immediately and work with them to recover the funds.


Report all payroll diversion scam attempts to your local police department and to the FBI Internet Complaint Center (IC3).

The NTIC is governed by a privacy, civil rights, and civil liberties protection policy to promote conduct that complies with applicable federal, state, and local laws. The NTIC does not seek or retain any information about individuals or organizations solely on the basis of their religious, political or social views or activities; their participation in a particular noncriminal organization or lawful event; or their race, ethnicities, citizenships, places of origin, ages, disabilities, genders, or sexual orientations. No information is gathered or collected by the NTIC in violation of federal or state laws or regulations.