How Payroll Scams Happen (and How to Prevent Them)

If you work with a payroll provider for your small business, payroll typically runs on a set schedule with very little day-to-day involvement from you. Paychecks are deposited on time, and employees get paid without issues.

That consistency is also what scammers look for. They aren’t attacking payroll software directly. They focus on the communication and access points around payroll because those are the places where people trust what they see and respond quickly.

I’ve been seeing more of these attempts across small businesses lately, and the patterns are clear. In this article, I’ll walk through what these scams look like, how they work, and the steps that help prevent them before money goes missing.

What Payroll Fraud Looks Like Today

The scams we see today do not usually begin with someone hacking payroll software. They begin with access, most often through email.

Here is the pattern behind nearly every case:

1. A scammer gains access to an employee’s email account or creates a convincing imitation.
2. They request a direct deposit change or log into the payroll self-service portal.
3. They reroute pay to a fintech bank account that allows fast withdrawal.
4. The money is withdrawn before anyone realizes something is wrong.

So prevention focuses on:

• How direct deposit changes are requested
• How account access is protected
• When and how verification happens

The goal is to ensure employee pay goes where it is supposed to go, every time.

Payroll Scam #1: The Email Impersonation Scam

This scam starts with what looks like a normal request:

“Can you update my direct deposit before payroll runs?”

The name and sign-off look familiar. But the email address itself is slightly different. It only takes a quick glance at the sender's name to miss it.

If the change is processed without verification, the paycheck is rerouted to the scammer. Once the funds move, they are difficult to recover.

How to prevent it

• Have employees update direct deposit through secure self-service
• If someone says they cannot, call them directly before making a change
• Always check the actual sender address, not just the display name

A 15–20 second phone call prevents nearly every case of this scam.

Payroll Scam #2: The “99 Percent” Account Takeover

This version is harder to detect because the employee still receives a deposit, just much smaller.

Scammers reroute 99 percent of the paycheck to their account and leave 1 percent going to the employee’s bank. The employee sees a deposit and assumes everything is fine. Payroll shows processing completed. Meanwhile, almost the entire check has been diverted.

This nearly always happens when multi-factor authentication sends codes to email. If someone has your email, they have your authentication code too.

How to prevent it

• Use text message MFA or an authenticator app
• Avoid using email for payroll authentication when possible

Use this workflow anytime a change request comes in:

Step 1: Check the sender address.
Does it match the employee’s actual email exactly?

Step 2: Read the language.
Scammers often use terms like “ACH details,” “effective date,” or “urgent processing.” Most employees do not use this language.

Step 3: Look at timing.
Requests outside typical working hours deserve verification.

Step 4: Call the employee.
Use the phone number already in your records.

Step 5: Update direct deposit only through self-service.
If the employee needs help logging in, walk them through it. Never accept routing and account numbers over email.

This simple process stops nearly every payroll rerouting attempt.

Why Scammers Use Fintech Bank Accounts for Payroll Fraud

In most cases, redirected pay is sent to a fintech account such as Chime, SoFi, or Green Dot. These accounts are not the issue. The issue is how quickly funds can move through them.

Fintech accounts are used because they:

• Are easy to open
• Often release deposits early
• Allow fast withdrawals

That timing gives scammers a window to move money before the issue is noticed.

How to Verify a Direct Deposit Change Request

Use this workflow anytime a change request comes in:

Step 1: Check the sender address.
Does it match the employee’s actual email exactly?

Step 2: Read the language.
Scammers often use terms like “ACH details,” “effective date,” or “urgent processing.” Most employees do not use this language.

Step 3: Look at timing.
Requests outside typical working hours deserve verification.

Step 4: Call the employee.
Use the phone number already in your records.

Step 5: Update direct deposit only through self-service.
If the employee needs help logging in, walk them through it. Never accept routing and account numbers over email.

This simple process stops nearly every payroll rerouting attempt.

How Employee Self-Service (ESS) Improves Payroll Security 

Employee self-service (ESS) portals, when used correctly, are one of the safest ways for team members to update their personal and banking information. Instead of sending account details by email, employees log in securely, verify their identity, and make changes themselves.

For business owners, ESS tools add a layer of protection by keeping sensitive data inside the payroll system and out of inboxes where scammers operate.

If you want a closer look at how ESS works and why it matters, read our article about how employee self-service reduces payroll risk and saves time.

How YPD Monitors Security Behind the Scenes

At YPD, we continuously monitor for:

• Routing numbers linked to high-fraud fintech banks
• New device or location sign-in attempts
• Direct deposit changes that do not match typical patterns

If something looks off, we pause and confirm before processing the change.

That small pause protects the entire operation.

Preventing payroll fraud starts with awareness and the right systems.
At YPD, we help small businesses run payroll accurately, on time, and with safeguards that reduce risk, so your team gets paid securely, every time.

If you’re rethinking how payroll is handled in your business, explore how to choose the right payroll setup for your business.

Your Payroll Department (YPD) is part of the Kaizen CPAs family. Together, we deliver accounting, advisory, tax planning, and payroll services, helping businesses save on taxes, stay compliant, and free up time to focus on growth.