What to do if…
you receive an email asking you to change payroll bank details and it feels suspicious
Short answer
Don’t act from the email. Verify through your employer’s known HR/payroll channels and alert HR/payroll and IT/security immediately so they can lock down your direct deposit and block the scam.
Do not do these things
- Don’t click the link or open attachments (even if it looks like your payroll portal).
- Don’t reply to the email or continue the conversation by email or text.
- Don’t call any phone number in the message or use any “helpdesk” link it provides.
- Don’t change direct deposit details based only on an email request.
- Don’t forward it broadly to coworkers (send it only to the right internal reporting channel).
- If you already entered credentials, don’t wait until payday to see what happens.
What to do now
- Verify using a trusted channel you already know.
  Contact HR/payroll using the number in your employee directory/handbook, a trusted internal directory, or your company intranet. Ask: “Did you request a change to my direct deposit details?”
- Check your payroll/self-service portal from a clean route.
  Do not use the email link. Manually open the site the way you normally do (bookmark/typed URL). Look for recent changes to direct deposit, contact info, or security settings, and for any password-reset notices you didn’t initiate.
- Ask payroll to lock down your direct deposit immediately.
  Request a temporary hold on any direct deposit changes on your employee profile until you confirm through their normal identity checks. If a payroll run is near, ask them to confirm which account your next pay is scheduled to go to and what their change cut-off is.
- Report it to IT/security right away.
  Use your company’s official method (phishing-report button, security inbox, or service desk). IT can quarantine the message, block domains, and check for mailbox compromise.
- If you clicked or entered credentials, treat it as a compromise.
  - Change your work password from the legitimate login page (not from the email).
  - Turn on MFA if available, or ask IT to help you enable it.
  - Tell IT exactly what you clicked and what you typed.
- If you shared sensitive personal info, reduce identity-theft risk.
  Tell HR/payroll what was shared (routing/account numbers, address, SSN, etc.). If SSN or other high-risk info was exposed, consider placing a fraud alert or credit freeze with the major credit bureaus, and follow identity-theft recovery steps if needed.
- If money was diverted (or you’re not sure), contact your bank immediately.
  Ask what they can do to stop or recall the transfer and what documentation they need from payroll. Also keep payroll in the loop so they can confirm the payment path and timing.
- Report externally if appropriate.
  You can file a complaint with the FBI’s Internet Crime Complaint Center (IC3) and report scams to the Federal Trade Commission via ReportFraud.
What can wait
- You don’t need to investigate the scam or argue with the sender.
- You don’t need to make big decisions today (closing accounts, legal steps) unless you confirm money was diverted or identity data was exposed.
- You can handle longer-term security improvements later, once HR/IT confirms your payroll record is safe.
Important reassurance
This is a common workplace scam because it targets urgency and routine payroll tasks. Hesitating is the right instinct. Your job now is to slow down, verify through known channels, and get HR/IT involved.
Scope note
These are immediate first steps to prevent paycheck diversion and contain a possible account compromise. Follow-up steps depend on what HR/IT and your bank confirm happened.
Important note
This guide is general information, not legal, financial, or cybersecurity advice. Policies and payroll systems differ by employer and state. If funds were diverted or an account may be compromised, escalate to your employer’s payroll/IT contacts and your financial institution promptly.
Additional Resources
- https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/business-email-compromise
- https://www.ic3.gov/PSA/2018/PSA180918
- https://consumer.ftc.gov/articles/how-recognize-avoid-phishing-scams
- https://reportfraud.ftc.gov/
- https://consumer.ftc.gov/articles/credit-freezes-and-fraud-alerts
- https://www.identitytheft.gov/Info-Lost-or-Stolen