Remember the childhood story about Little Red Riding Hood? The villain, a.k.a. the wolf, locked grandma in the closet, put on granny’s nightie and night cap, and pretended to be grandma tucked into bed when Red showed up. But Red was not fooled by the wolf. Something just wasn’t right. Red was smart to challenge the wolf, suggesting that his eyes, ears and teeth did not look quite right to be her grandma. Ultimately Red was not tricked by the wolf and Grandma was freed. (Full disclosure, some versions of the tale take a dark turn, but we are focused on the happy ending.)

Times have changed. The villains today are identity thieves. Like the wolf, who was simply looking for a tasty but ill-gotten meal, identity thieves have a single goal: to steal your money.

And like the wolf, identity thieves masquerade as people you trust in order to do you harm, delivering malicious links or attachments via email and text messages. Known as phishing, these scams rely on your inability to spot the sender as a fraudster to trick you into handing over what they treasure most – your personally identifiable information.

One of the latest phishing scams targets the valuable PII associated with your paycheck. You can be like Little Red Riding Hood by outsmarting your villain – challenge any request for personally identifiable information, even if it looks like the request comes from someone you trust.

The Payroll Angle

The personally identifiable information associated with your paycheck includes Social Security numbers, addresses, birthdates and, most importantly, bank account numbers used for direct deposit of your check. The fraudster masquerades as your employer’s Human Resources (HR) or payroll department and contacts you and other employees directly via email. As part of the scam, you will be asked to enter, update or confirm your personally identifiable information, either by clicking a link to a dummy website or by responding to the phishing email directly.

The scammer’s goal is to obtain your direct deposit bank account information. They then use that information to redirect your pay into a different bank account that they can access.

Employers may first become aware of this scam when employees start complaining that their pay is missing, at which time the money is already gone.

Variations of the Payroll Phishing Scam

A payroll or direct deposit phishing attempt is a type of Business Email Compromise (BEC), a scheme in which the attacker gains access to a corporate email account, or convincingly imitates one, and assumes the owner's identity to defraud the company or its employees, customers or partners of money. Criminals have devised multiple variations of the payroll or direct deposit scam.

For companies that use a third-party payroll vendor, an employee can be lured to a spoofed website (a fake site designed to resemble the actual third-party’s site), where they are asked to provide login credentials, which the scammer collects for their own use. In another variation, the fraudster gains control of or spoofs an employee’s email account, then contacts the payroll vendor to request a password change for an online payroll portal.

Because this particular scam involves payroll, employees are more likely to respond in an effort to avoid having their regular pay interrupted.

“Stealing paychecks hits people where it hurts,” said Trevor Buxton, Fraud Communications Manager and Certified Fraud Examiner with PNC Security. “Having awareness of this particular scam, and knowing how to spot it, is the best way to ensure the villains don’t get paid for your hard work.”

Don’t Take the Bait

As with all phishing campaigns, the email or text message involved often shares certain tell-tale features hinting that it is fake:

  • Misspellings
  • Grammatical errors
  • Offers of fantastic prizes
  • A sense of urgency
  • Request for personally identifiable information (PII)
  • Request for User IDs and Passwords
  • Threats with consequences
  • Specific demands

Fortunately, there are things that can help individuals and small businesses detect and avoid a phish:

  • Hover the cursor over the sender’s email address, which should bring up a “mouseover” box containing the sender’s actual email address. Inspect it for irregularities that could signal spoofing.
  • Use email’s “forward” feature rather than “reply.” “Forward” forces the user to type in a known and trusted email address, whereas “reply” will respond directly to the phisher.
  • In a suspected phish, do not click links or respond to a text message requesting personal or financial information like credit card numbers, Social Security numbers or other banking information. It is best practice to contact the company directly by typing a known URL into your Internet browser, not by using information contained in the suspect email/text.
  • Do not open attachments in a suspected phish.
  • Do not call phone numbers contained in a suspected phish.
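The tell-tale features and the “mouseover” and “forward, don’t reply” checks above can be automated for a defender who wants to triage reported messages. The script below is an added example and is not code from PNC or from this article; it parses a constructed payroll-themed phish (all addresses, hosts and the employer domain `acme.example.com` are assumed placeholders) and reports the same mismatches a careful reader would find by hand: the real sender domain behind the display name, a Reply-To that points somewhere other than the apparent sender, link text that shows one host while the link target is another, and urgency or PII-request wording.

```python
"""Heuristic triage for the phishing tell-tales described above.

Added example, not part of the original article. Every address, host and
domain below is a constructed placeholder.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser

TRUSTED_DOMAIN = "acme.example.com"  # assumption: the employer's real mail domain

# Constructed sample: the payroll phish described in the article.
SAMPLE_PHISH = """\
From: "Acme Corp HR Department" <hr-payroll@acme-payroll-update.example.net>
Reply-To: confirm@acme-payroll-update.example.net
To: employee@acme.example.com
Subject: URGENT: Confirm your direct deposit details today
Content-Type: text/html

<html><body>
<p>Your direct deposit information must be verified within 24 hours
or your next paycheck will be delayed.</p>
<p>Please visit <a href="https://acme-payroll-update.example.net/login">
https://payroll.acme.example.com</a> and confirm your bank account number
and Social Security number.</p>
</body></html>
"""

# Constructed sample: a routine, legitimate HR notice for comparison.
SAMPLE_LEGIT = """\
From: "Acme HR" <hr@acme.example.com>
To: employee@acme.example.com
Subject: Reminder: open enrollment begins next month
Content-Type: text/plain

Open enrollment starts on the first of next month. Visit the HR portal
at your convenience; no action is needed today.
"""

URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "delayed", "suspended")
PII_WORDS = ("bank account", "social security", "password", "user id", "routing number")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an <a> element
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Return the host part of an http(s) URL, or '' if the text is not a URL."""
    m = re.match(r"https?://([^/\s]+)", url)
    return m.group(1).lower() if m else ""


def analyze(raw, trusted_domain=TRUSTED_DOMAIN):
    """Return a list of human-readable findings; an empty list means nothing fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # The "mouseover" check: look past the display name at the real address.
    _display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain and from_domain != trusted_domain and not from_domain.endswith("." + trusted_domain):
        findings.append(f"sender domain {from_domain!r} is not {trusted_domain!r}")

    # "Reply" would go to Reply-To, not to the address the user sees in From.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        findings.append(f"Reply-To {reply_addr!r} differs from From {addr!r}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    lower = text.lower()

    # Link text that shows one host while the href points at another.
    parser = LinkExtractor()
    parser.feed(text)
    for href, shown in parser.links:
        if host_of(shown) and host_of(shown) != host_of(href):
            findings.append(f"link text shows {host_of(shown)!r} but points to {host_of(href)!r}")

    subject = msg.get("Subject", "").lower()
    if any(w in subject or w in lower for w in URGENCY_WORDS):
        findings.append("urgency language present")
    if any(w in lower for w in PII_WORDS):
        findings.append("requests personally identifiable information")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(analyze(sample) or ["no tell-tales found"])
```

Keyword lists like these are deliberately crude; the durable signals are the structural ones (sender domain, Reply-To, and link-text versus link-target mismatch), which is why the script checks them first and reports each separately rather than producing a single score.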

Go to a known source of information for contact information, such as your company’s HR or payroll departments, using a phone number or email address that you would typically use. If they are not aware of the request, you should follow your company’s process for reporting suspicious email.

If your company does not have a formal process, file a complaint with the Federal Bureau of Investigation Internet Crime Complaint Center (IC3) at

In 2016, the Federal Bureau of Investigation Internet Crime Complaint Center (IC3) received 12,005 Business Email Compromise/Email Account Compromise complaints with losses totaling more than $360 million.[1]