top of page

FBI Releases Payroll Scam Protection Guidelines


The Federal Bureau of Investigation (FBI) has released a document describing the measures companies and their employees can take to avoid being the victims of payroll phishing scams.

Phishing attacks are used by crooks to target random victims on the Internet with malware or specific targets of high interest such as financial department employees with access to money transfer operations.

This type of security attack can be performed by bad actors either via e-mail messages containing malicious links or attachments or via maliciously crafted websites designed to pose as a trusted entity and to ask for sensitive information.

The payroll phishing scams described in FBI’s “Building a Digital Defense Against Payroll Phishing Scams” article are targeting a company’s direct deposit transactions, stealing funds by replacing the direct deposit banking account of a trusted partner with ones controlled by the attacker.

Moreover, payroll phishing scams can also target a business’ employees directly by changing their direct deposit information to allow the crooks to receive the paycheck instead.

The measures outlined by the FBI in their advisory should help employees and companies to better defend themselves against payroll phishing scams

Such attacks begin with stolen credentials after employees fall victim to a phishing attack and, as the FBI says, “The bad guys use that login ID and password to change the employee’s direct deposit information in the company’s files.”

Moreover, “Often, the fraudsters even change other account settings in the system, preventing the victim from receiving an email warning that changes have been made to his account.”

The FBI advises employees to always check if e-mails that look suspicious are valid by asking for confirmation from the company’s HR or IT department, to avoid clicking links or opening attachments if e-mails have grammar or phrasing errors, as well as always check the URLs they click in e-mails are directing them to the payroll company’s website.

Businesses can also take a number of measures to make sure their employees are protected against payroll phishing scams.

Thus, companies can require all employees to use two-factor authentication wherever possible, to demand for different credentials on all company systems to avoid password re-use, to watch out for any banking changes in employee accounts, and to provide employees with training to be able to recognize phishing scams.


bottom of page