What to do if…
you receive an email asking you to change payroll bank details and it feels suspicious
Short answer
Pause and verify the request using a trusted channel (not the email). Immediately tell payroll/HR and your IT/security team so they can block it and protect others.
Do not do these things
- Don’t click any links or open attachments in the message (even “HR forms” or “secure portal” links).
- Don’t reply to the email to “confirm” details or ask questions (that keeps you in the scammer’s channel).
- Don’t use any phone number, WhatsApp, or “helpdesk” link provided in the email.
- Don’t change bank details based only on an email request, even if it looks like it came from a senior person.
- Don’t forward it widely to colleagues (send only to the right internal team so it’s contained).
- If you already entered details, don’t “wait and see” until payday.
What to do now
- Stop and switch to a trusted route to verify.
  Use a known-good method: the HR/payroll phone number from your intranet, employee handbook, or a previous payslip/letter (or your organisation’s official directory). Ask: “Did you request a bank detail change from me today?”
- Check your payroll/self-service account (from a clean route).
  Don’t use the email link. Open your payroll/HR portal the normal way (typed address or saved bookmark). Look for any recent changes to bank details, email/phone number, or password reset activity.
- Ask payroll/HR to put a hold on bank-detail changes.
  Ask payroll to freeze or require extra verification for any bank detail changes on your record until you confirm via a verified method (or in person, if that’s your workplace norm). If a payroll run is close, ask them to confirm which account your next pay is scheduled to go to.
- Alert IT/security immediately.
  Report the email via your organisation’s normal route (for example, a “report phishing” button or the service desk). Tell them if the message arrived at your work email and whether you clicked anything.
- If you clicked or typed credentials, act as if your account is compromised.
  - Change your work password from the real sign-in page (not via the email).
  - Enable multi-factor authentication (MFA) if available, or ask IT to help.
  - Tell IT exactly what you clicked and what you entered.
- If you think pay may be diverted, move fast with payroll and your bank.
  Contact payroll immediately to confirm where payment is going. If money has gone to the wrong account (or might), contact your bank the same day and ask what they can do to stop or recall the payment, and what information they need.
- Report the phishing message to the UK reporting service.
  Forward the suspicious email to report@phishing.gov.uk.
- If you’ve lost money or shared sensitive details, report it to the police reporting route for your nation.
  - If you live in England, Wales, or Northern Ireland, report via Report Fraud (police) or by phone.
  - If you live in Scotland, report to Police Scotland (101 for non-emergency).
What can wait
- You do not need to “prove” it’s a scam right now; you just need to avoid making changes and verify via trusted channels.
- You don’t need to confront the sender or investigate where it came from.
- You can deal later with longer clean-up (training, policies, new bank account) once you’ve confirmed payroll is safe.
Important reassurance
These “change your payroll bank details” emails are common because urgency makes people act fast. Feeling unsure is a protective signal. Pausing and verifying is the safest move and is exactly what security teams want you to do.
Scope note
This is first steps only: stabilise, prevent a payment diversion, and get the right teams involved. Any later decisions (formal reporting, broader identity protection) can wait until you’ve confirmed what happened.
Important note
This guide provides general information, not legal, financial, or security advice. Workplace processes vary; follow your organisation’s payroll/IT instructions where they exist. If money has been diverted or you think an account was accessed, treat it as urgent and escalate inside your organisation and to your bank promptly.
Additional Resources
- https://www.ncsc.gov.uk/collection/phishing-scams/report-scam-email
- https://www.gov.uk/report-suspicious-emails-websites-phishing
- https://www.reportfraud.police.uk/phishing/
- https://www.reportfraud.police.uk/
- https://www.ncsc.gov.uk/collection/phishing-scams
- https://www.citizensadvice.org.uk/consumer/scams/reporting-a-scam/