Payroll fraud can strike any organization, but it can be detected and prevented.

Identifying and Preventing Payroll Fraud: Payroll Diversion

SP6 “What You Need to Know” Series (Article 1 of 3)

You may be surprised to discover how widespread payroll fraud is. It’s a white-collar crime affecting businesses of all sizes and touching nearly every industry.

Consider the following: 

  • According to the FBI, $3.5 billion was reported lost in the U.S. as a result of payroll diversion tactics reported to the Internet Crime Complaint Center (IC3) between June 2016 and July 2019. 
  • The IC3 reports direct deposit change requests grew by 815% from 2018 to 2019. 

Because payroll fraud is so common, we suggest organizations prevent significant losses before they occur. Here are some of the ways bad actors go about perpetrating it:  

  • Payroll diversion 
  • Phantom employees 
  • Time sheet or PTO fraud 

In this article, we’ll examine the topic of payroll diversion. 

What Is Payroll Diversion?

As AADP explains, payroll diversion is a type of fraud that occurs when a cybercriminal has enough information to impersonate an employee. Here are two examples of how it can be carried out.

Fraud Scenario 1

  • The fraudster sends a fake (phishing) email to employees directing them to log into their HR/payroll portal. 
  • This email contains a link to a landing page resembling the company’s HR/payroll portal. However, it’s a fake site that mimics the organization’s site. 
  • The phishing email simultaneously deploys malware (malicious software) on employees’ computers or laptops. 
  • When an employee types their login credentials into the fake website, the malware captures the employee’s keystrokes. This is how the fraudster obtains the employee’s username and password.
  • The bad actor then goes to the company’s actual HR/payroll portal. There, they simply log into the employee’s account. 
  • Finally, they change the bank routing and account numbers to divert the employee’s direct deposit to their own account.

Fraud Scenario 2

  • A fraudster sends a fake email to the Human Resources or payroll department or calls them, asking for a change to an employee’s bank account information.
  • They provide a new bank routing and account number for an account they control.  

Now, we’ll spotlight a payroll diversion scheme that cost an organization over $700,000 in one year. We’ll also show you how those losses were later prevented through the use of real-time analytics software. 


Payroll Diversion Prevention at Arizona State University

Based in Tempe, Arizona State University is the largest single university in the country. ASU processes payroll for over 15,000 full-time, part-time, adjunct and student employees.  

There are over 100,000 users in the ASU email system – 92,000+ active students and 20,000 faculty, staff, and affiliates.  Remarkably, of the 1 billion-plus emails sent to the university in 2015, over 750 million were spam and phishing attempts. 

Identifying Payroll Diversion

ASU comprises multiple campuses with a diverse IT infrastructure comprising many organic, homegrown, custom, and proprietary systems. 

For convenience’s sake, employees can change their information online. However, this makes the system a potential target for hackers.  

In fact, the university was bombarded by continuous phishing emails, through which bad actors would divert payroll funds. When direct deposit information was changed, there was no system in place to verify these changes in real time. 

As a result, fraud incident responses took several business days. Meanwhile, ASU suffered losses of $60,000 per month.  

Not only was ASU losing money, employees were not getting paid. 

Solving Payroll Diversion

To combat this vexing type of fraud, ASU implemented a real-time analytics solution – in this case, Splunk. The software would sort and analyze information, including: 

  • HR and employee data. 
  • Network data (i.e., the originating geolocation of any login to the HR/Payroll portal).

Next, Splunk would:

  • Calculate the distance between the employee’s home and the location of the login from which the direct deposit change was made.
  • Generate alerts and reports when the distance is unusual (give or take 50 miles) and flag the results for the payroll team to review. 
  • Immediately notify ASU’s HR and payroll departments of all changes to payroll direct deposit information.

Saving Time and Money

In turn, the payroll department would:

  • Implement a direct deposit change freeze on suspect changes before the close of each payroll run.
  • Reach out to employees to verify any unusual changes before payroll is run. 
  • Revert any fraudulent changes. 
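
The distance check and hold list described above can be sketched in a few lines of Python. This is an added example, not ASU's or SP6's Splunk configuration: the employee IDs, coordinates, field names and function names are constructed, and treating 50 miles as a hard cutoff and holding changes that lack location data are assumptions.

```python
import math

EARTH_RADIUS_MILES = 3958.8
THRESHOLD_MILES = 50  # the article's "give or take 50 miles", used here as a cutoff

# Constructed HR data: employee ID -> home coordinates (lat, lon)
HOMES = {
    "e1001": (33.4255, -111.9400),  # Tempe, AZ
    "e1002": (33.4484, -112.0740),  # Phoenix, AZ
    "e1003": (32.2226, -110.9747),  # Tucson, AZ
}

# Constructed portal events: direct deposit changes with the login's geolocation
CHANGES = [
    {"emp": "e1001", "lat": 33.4152, "lon": -111.8315},  # Mesa, AZ: near home
    {"emp": "e1002", "lat": 40.7128, "lon": -74.0060},   # New York, NY
    {"emp": "e1003", "lat": None, "lon": None},          # geolocation lookup failed
]

def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))

def review_changes(changes, homes, threshold=THRESHOLD_MILES):
    """Return (employee, miles, reason) for changes payroll should hold and verify."""
    held = []
    for c in changes:
        home = homes.get(c["emp"])
        if home is None or c["lat"] is None or c["lon"] is None:
            # Assumption: a change that cannot be located is held, not auto-cleared
            held.append((c["emp"], None, "no location data"))
            continue
        miles = haversine_miles(home[0], home[1], c["lat"], c["lon"])
        if miles > threshold:
            held.append((c["emp"], round(miles), "login far from home"))
    return held

if __name__ == "__main__":
    for emp, miles, reason in review_changes(CHANGES, HOMES):
        print(f"HOLD {emp}: {reason} ({miles} miles)")
```

Only the held changes need a call to the employee before the payroll run closes; the Mesa login passes because it is a few miles from the Tempe home address.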

Thanks to Splunk, ASU now saves over 30 hours in direct deposit reviews per payroll – and tens of thousands of dollars on each payroll run. 

Users, meanwhile, appreciate the university watching out for them. 

In Conclusion

All organizations are potential targets of employee theft, including payroll fraud and diversion. 

This type of fraud can be very difficult to spot. Therefore, businesses incorporating the latest technology with human controls have a much better chance of combating it.

Learn how the experts at SP6 partner with organizations of all sizes and business sectors to help them use the data they already have to detect fraud and prevent losses. 

And don’t hesitate to contact us to schedule a free consultation.