The Attorney General’s Consumer Protection Division has received reports of an attempted phishing scam involving direct deposit and payroll. A local payroll manager was contacted via email by someone impersonating an actual employee and asking that the employee’s bank account information for direct deposit be changed. In fact, the scammer used a fake email to contact the payroll manager.

In another report, an employee had been contacted by her payroll manager to confirm a request to change her direct deposit account information. The employee had not requested the change, and the parties were able to avoid being defrauded. Had the payroll manager made the change without attempting to confirm it was legitimate, that employee’s paycheck would have been diverted to the scammer.

This scam is often called payroll diversion or third-party payroll fraud. The scammer will send an email designed to look like it’s coming from an employee to human resources, payroll, or the finance department requesting an update or change to that employee’s direct deposit information. If the scam is successful, the money is diverted to the criminal’s bank account. In another version of the scam, the criminal will send a phishing email directly to the employee, designed to appear as if it’s coming from their employer, to get that employee to divulge information that will allow the scammer to access his or her payroll information.

Employers and employees can help avoid this scam by confirming any changes to payroll information directly with the person purporting to request the change. Pay attention to the sender’s email address. Often the email may have the employee’s or employer’s name in it, but subtle clues can help determine if it’s fake (for example, if the email was not sent using an official business or government account).

Employees, if you receive an email you suspect may be fraudulent, contact your employer’s human resources department. Employers, confirm any requested payroll changes directly with the employee prior to making the changes.

You can report scams to the Consumer Protection Division by emailing consumer@oag.state.md.us

