Payroll and HR Scams

Common scenario

A payroll assistant receives a message that appears to be from an employee asking for a payroll update before the next pay run. The message says the employee is hard to reach today and asks for the change to be handled quickly.

Warning signs

• The request changes payroll, contact, tax, benefits, or employee account details.
• The message comes from a personal address, new number, or unusual channel.
• The sender says they are unavailable for normal confirmation.
• The request arrives close to a payroll deadline.
• The message asks HR or payroll to make an exception to the usual process.
• The request includes unexpected attachments, links, forms, or service portals.
• The sender asks for employee lists, onboarding details, documents, or login access.
• The message creates pressure by mentioning missed pay, urgent onboarding, or senior approval.

Questions to ask

• Does this request change employee-related records, payroll, benefits, or access?
• Did it arrive through the normal HR, payroll, or employee process?
• Can the employee or manager be reached through a known channel?
• Does the request involve private employee, payroll, tax, identity, or document information?
• Is timing pressure being used to skip verification?
• Who is the approved backup reviewer for payroll or HR changes?

Verification workflow

• Hold the requested change until it is verified through the normal HR or payroll path.
• Avoid replying with private employee, payroll, login, tax, or document information.
• Use a known internal channel to confirm the request with the employee or approved manager.
• Require a second review for payroll destination changes or unusual access requests.
• Make the change only inside the approved business system or process.
• Keep a short internal note showing that verification occurred.
• If the request remains uncertain, delay the change and escalate to the designated internal reviewer.

Example internal policy

• Payroll, HR, and employee access changes are not made from a single message.
• Employee-related changes must use approved internal processes and known channels.
• Payroll destination changes require second review.
• Staff do not share employee lists, documents, codes, or login details in response to surprise requests.
• Payroll deadlines do not remove verification requirements.

What not to do

• Do not change payroll details from an email, text, or chat message alone.
• Do not send employee records, tax forms, identity details, or document copies in response to surprise requests.
• Do not click unexpected HR, benefits, recruiting, or payroll links before checking the source.
• Do not share one-time codes, passwords, or account recovery prompts.
• Do not bypass the normal system because the sender says the change is urgent.
• Do not confront a suspicious sender or ask them to prove who they are by sending private information.

If something already happened

• Pause additional HR, payroll, or access changes related to the same request.
• Notify the owner, HR lead, payroll lead, or designated internal reviewer.
• Record the request, timing, channel, and action taken in internal notes.
• Use known internal channels to check with the real employee or manager.
• Review recent similar requests near the same payroll period.
• Update the payroll and HR checklist so staff know exactly when to pause.