Payment diversion fraud

Payment diversion fraud is exactly what it sounds like. Typically, a link is emailed to an employee. The link often appears to be to their employer’s self-service login page but is in fact to a spoof website set up by the fraudster. The spoof records the employee’s username and password, and the fraudster uses this information to divert the employee’s salary payments into their own bank account. 

These emails often use overly formal language and incentivise the employee to click the link, often with the ‘notification’ of a generous pay increase or an issue with their pay.

For example:

In accordance with the Fiscal Year 2022 Salary Allocation Guidelines (SAG) kindly be informed that your monthly salary starting April 2022 will reflect a 12.36 percent salary increase. Your new salary is analysed herewith. All documents are enclosed hereunder: view documents here

Your monthly salary starting from April 2022 will be raised by 13.84%. Enclosed is your salary increase letter. Download and keep a copy for your records. **when prompted, your date of birth on records must be authenticated**. View letter here.

Finance have noticed some irregularities on your payslip and P60 form which may impact your January salary. Report is as attached. Kindly download and update accordingly as highlighted. **this is a secure document, hence authentication will be required**.

Actions to take

  • Educate your teams about the way you communicate salary increases and payroll issues, so that they are on the alert for such scam emails. It is very unlikely – or should be – that the first someone hears that they’ll be receiving a large pay rise is from an unsigned, impersonal email. Use Multi-Factor Authentication (MFA) on self-service sites to strengthen access security by requiring more than one method to verify identity beyond the username and password.
  • Enable notification of change of bank account details to ensure affected staff are aware of any changes and can report concerns at the earliest opportunity. Additionally, when it comes to approvals, ensure appropriate access rights and division of duties.
  • Run payroll reports to identify requests for bank detail changes. Double-check with the member of staff requesting the change. Check contact details and, if those have also been changed, use alternative sources of recorded contact details (email is not recommended).
  • Run IT security reports, if this facility is available, to review how email security features are being applied to protect your organisation and identify email spam and compromised users. There should also be anti-spoofing controls in place and filters/blocks on suspicious emails.
  • Review email accounts to check that all ‘rules’ applied are legitimate. Some fraudsters have used employee email addresses to contact payroll directly and ask for changes to bank details. Through compromised email accounts, fraudsters have also set up ‘rules’ to divert certain emails – eg those containing the phrase ‘bank account’ – to accounts they control. The fraudster can then impersonate the employee to respond to verification emails from payroll and confirm changes to payment details.

If you would like to know more on how you can protect your organisation and individuals against payment diversion fraud, please contact:

Paul O'Leary Paul O'Leary


Andrea Deegan Andrea Deegan


Erin Sims Erin Sims

Associate Director

Related articles

Cyber security first line of defence

Cyber security – first line of defence 

Employees are the first line of defence against cybercrime. With the right training and guidance, your staff can help prevent cyber attacks against your organisation.

Read on for quick tips on what staff need to do when faced with suspicious activity.

Suspicious emails

Suspicious emails

Fraudsters may pose as legitimate businesses and send phishing links to compromise your organisation's security with malware to hack into email accounts to intercept communications.

Read on to see what your organisation could do to prevent failing victim to phishing and email scams.

Being ‘scam savvy’ in the cyber world

Being ‘scam savvy’ in the cyber world

With an interconnected world and an enormous reliance on technology, the threats of cybercrime are significant. In this series we will explore what you can do to equip yourselves and your organisation against cyber threats.

Read our cyber scam savvy series.