How Hackers Access Direct Deposit Paycheck — And What to Do About It

Pierluigi Paganini May 24, 2019

Getting your paycheck deposited directly into your bank account seems like a handy solution but in some cases. hackers can access them.

Getting your paycheck deposited directly into your bank account seems like a handy solution because you don’t have to pick up the check from your workplace and take it to the bank to deposit it. It works well in many cases but is not immune to hackers.

Hackers Do a Payroll Diversion Through Phishing

A direct deposit paycheck hack involves getting the necessary details from the victim through a phishing scheme. According to a statement about from the FBI’s Internet Crime Complaint Center (IC3), cybercriminals orchestrate the phishing attempt — which the FBI calls a “payroll diversion” — to get the details for a person’s online payroll account.

Once successful, the hacker changes the account details for the direct deposit payments to an account they control. The FBI notes that the hacker’s account often connects to a prepaid credit card instead of a traditional bank account. Moreover, the cybercriminal applies a rule so that the rightful direct deposit recipient does not get a notification about the account change.

An Increasingly Attempted Hack

This method hackers use likely won’t come as a surprise when you consider a few recent statistics about phishing. When PhishLabs published findings from its most recent report, it revealed that phishing attacks in 2018 went up by 40.9%. Plus, in 83.9% of cases, hackers aimed to get user credentials for various services, including payment-related ones.

And, the PhishLabs report showed 98% of the phishing emails that made it past enterprise-level email security controls did not contain malware. A different phishing study from Barracuda explained why hackers don’t need malware to cause damage. Instead, they use social engineering to pose as a person or company that the victim knows and responds to without question.

Those efforts fall into the business email compromise (BEC) category. Barracuda’s study examined 3,000 such attacks. It found that 60% percent did not contain links. But, they often had personalized information such as the victim’s name or a question related to the person’s work.

Even worse, hackers tweaked the email addresses to make them appear as being from legitimate people in the company. Typically, the hackers set up accounts with free email services and create accounts containing a real employee’s name. That’s enough genuine information for the recipients to act without looking at the rest of the email address too closely.

Trustwave covered BEC payroll hacks in a blog post and mentioned that cybercriminals often make the phishing emails seem to originate from a company’s CEO and go to a human resources or accounting manager, or someone else with the ability to alter an employee’s direct deposit account information. The hackers also perform research to determine which parties have the authority to make such changes before sending the emails.

Payroll Companies and Employers Can Commit Fraud Too

Most of the content here focuses on cybercriminals going through the process to steal direct deposit details. But, that’s not the only kind of payroll fraud that could happen. Unfortunately, some payroll companies that enterprises work with have bad actors in them that figure out various ways to keep workers from their money. Or, the employers themselves give false information about the number of employees on the payroll.

One incident committed by a payroll company in Australia resulted in the equivalent of a $122.5 million USD tax fraud. That incident is a strong reminder that whether companies have employees only in the U.S. or working elsewhere in the world, it’s crucial to do business with a trustworthy vendor who knows the global business realm. Choosing a United States-headquartered company is also smart due to the security and protection that U.S. jurisdiction offers.

How to Stay Safe From Payroll Diversion Fraud

Statistics from 2016 indicate 82% of Americans receive their paychecks via direct deposit. So, it’s not surprising that hackers try this paycheck diversion tactic. Knowing the information here, what can you do to stay safe and increase the chances of having access to your money as expected?

Firstly, if you are in a position of authority and get a request from someone asking for a direct deposit account change, don’t respond to the email in an act of blind trust. If possible, contact that person through another method, such as by phone or approaching them in person to verify that they truly sent the message. Do the same if someone from payroll emails you asking for your direct deposit details to “update their records.”

Another thing you can do is check the structure of the email. As mentioned earlier, the emails used for this kind of BEC trick normally have at least one component that’s not quite right. For example, it may have a person’s name but come from a free email service instead of the company domain.

It’s also ideal at a company level if employees get educated about how to recognize this kind of fraud and get information about the steps they should go through if they receive suspicious emails of any kind. For example, they could forward any strange emails about payroll details or otherwise to the IT department for further review.

Think Before You Act

Getting paid on time is a top concern for most people. But, even if you get an email that insists you need to provide the requested details to avoid payment delays, it’s best to investigate further before responding.

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

About the author

about paycheck

Kayla Matthews is a technology and cybersecurity writer, and the owner of To learn more about Kayla and her re

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Paycheck, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment