New Scams Target Employees' Payroll Direct Deposits

Author: Robert S. Teachout, XpertHR Legal Editor

February 12, 2018

The FBI is warning employers of new email phishing scams targeting employees to gain access to their direct deposit information on the company's self-service payroll platform. Many employers use direct deposit for payroll because it is generally a more secure, efficient and inexpensive method than paying employees in cash or with paper paychecks. In January, the IRS warned about Form W-2 scams aimed at HR and payroll departments.

In one version of the scam, a person pretending to be from the company's HR department sends an email asking an employee to click on a provided link and log into his or her self-service account. The alleged reason for the log-on request is for the employee to view a confidential email from HR, view changes to the employee's account or confirm that the account should not be deleted.

When an employee clicks on the provided link and enters the self-service credentials, the employee is actually handing those credentials to the fraudster, who can then access the account to view the employee's W-2 and pay stub information. The fraudster also can change the employee's direct deposit instructions, as well as the email address used for change notifications, so that the victim is never told that changes were made.

In another version of the sting, an employee receives an email from what appears to be a trusted company service or resource. The email requests that the employee provide an e-signature or complete a survey by clicking a link or accessing a website. Then the employee is instructed to "confirm" his or her identity by providing complete log-in credentials. Again, once the fraudsters have the employee's payroll portal credentials, the employee's direct deposits are rerouted to a different account.

The scammers also can take the opportunity to change the employee's password and other credentials, making it more difficult for the fraud to be discovered and corrected. Employers typically don't learn of the problem until employees begin reporting that their wages are not being deposited, by which time the damage has already been done.

The FBI advises employers to follow these tips to avoid these scams:

  • Train employees to watch for phishing attacks and suspicious malware links. Checking the sender's actual email address rather than just the display name can be crucial to spotting the attack early.
  • HR self-service platforms should have two-factor authentication. For example, users can be required to enter a second password that is emailed to them, or a code from a hardware token.
  • Set up alerts on self-service platforms for administrators so that unusual activity may be caught before money is lost. Alerts may include notifications when banking information is changed to an online bank account of a kind typically used by fraudsters.
  • Set a time delay between when direct deposit information is changed in the self-service portal and the actual deposit of funds into the new account to decrease the chance of the theft of funds.
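The last two tips (administrator alerts on banking changes and a hold period before a new account is paid) can be implemented against the self-service platform's audit log. The following Python is an added illustration, not code from the article, the FBI or any payroll vendor: the pipe-delimited log format, the sample events, the routing-number watchlist, the 24-hour correlation window and the seven-day hold are all constructed assumptions. It flags a direct deposit change that lands on a watchlisted routing number or that is accompanied by a notification-email or password change, the pattern the article describes, and it answers whether a changed account may be used for a given payday.

```python
"""Audit-log checks for payroll self-service direct deposit changes.

Constructed example: the event format, watchlist and hold period are
assumptions, not any real platform's schema or policy.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# A bank change plus a notification-email or password change within this
# window is treated as one suspicious sequence (assumed threshold).
CORRELATION_WINDOW = timedelta(hours=24)

# New bank details are not used for a payroll run until this long after
# the change was made (assumed policy value).
HOLD_PERIOD = timedelta(days=7)

# Constructed placeholder routing numbers an employer chooses to watch,
# e.g. prepaid-card or online-only banks. Not real data.
WATCHLIST_ROUTING = {"000000001", "000000002"}

# Constructed sample audit lines: timestamp|user|action|detail
SAMPLE_LOG = [
    "2018-02-05T09:12:00|jdoe|login|",
    "2018-02-05T09:13:40|jdoe|notification_email_changed|jdoe.payroll@example.net",
    "2018-02-05T09:15:02|jdoe|bank_account_changed|000000001",
    "2018-02-01T14:00:00|asmith|bank_account_changed|123456789",
]


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    action: str   # login | bank_account_changed | notification_email_changed | password_changed
    detail: str   # routing number for bank changes, address for email changes


def parse_line(line: str) -> AuditEvent:
    """Parse one pipe-delimited audit line (assumed format); missing detail is ''."""
    ts, user, action, detail = (line.split("|", 3) + [""])[:4]
    return AuditEvent(datetime.fromisoformat(ts), user, action, detail)


def find_alerts(events):
    """Return (user, reason) alerts for suspicious direct deposit activity."""
    alerts = []
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)

    for user, evs in by_user.items():
        for bc in (e for e in evs if e.action == "bank_account_changed"):
            # Rule 1: destination account matches the employer's watchlist.
            if bc.detail in WATCHLIST_ROUTING:
                alerts.append((user, f"direct deposit moved to watchlisted routing {bc.detail}"))
            # Rule 2: notification email or password changed close to the
            # bank change, the sequence used to hide the change from the victim.
            for other in evs:
                if other.action in ("notification_email_changed", "password_changed") \
                        and abs(other.ts - bc.ts) <= CORRELATION_WINDOW:
                    alerts.append((user, f"{other.action} within {CORRELATION_WINDOW} of bank change"))
    return alerts


def deposit_allowed(change_ts: datetime, payday: datetime) -> bool:
    """True if the hold period has expired, so the changed account may be paid on payday."""
    return payday >= change_ts + HOLD_PERIOD


if __name__ == "__main__":
    parsed = [parse_line(line) for line in SAMPLE_LOG]
    for user, reason in find_alerts(parsed):
        print(f"ALERT {user}: {reason}")
    change = datetime(2018, 2, 5, 9, 15, 2)
    for payday in (datetime(2018, 2, 9), datetime(2018, 2, 15)):
        print(payday.date(), "pay new account:", deposit_allowed(change, payday))
```

Rule 2 uses an absolute time difference on purpose: the fraudster may change the notification address before or after the bank account. In practice the hold period would be paired with a confirmation sent to the employee's previously registered address, so a change made without the employee's knowledge is surfaced before the first payroll run reaches the new account.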