Skip to content

Beware of Payroll Diversion Scams

This scam is called payroll diversion or third-party payroll fraud. The scammer sends an email designed to look like it's coming from an employee to human resources, payroll, or the finance department requesting an update or change to that employee's direct deposit information. If the scam is successful, the money is diverted to the criminals bank account. In another version of the scam, the criminal will send a phishing email directly to the employee, designed to appear as if it's coming from their employer, to get that employee to divulge information that will allow the scammer to access his or her payroll information.

Employers and employees can help avoid this scam by confirming any changes to payroll information directly with the person purporting to request the change. Pay attention to the sender's email address. Often the email may have the employee's or employer's name in it, but subtle clues can help determine if it's fake.

Visit our MONEYIQ for Business Education Center

Our Business MoneyIQ page features useful information and videos to help your business navigate the increased threats from cyberattacks, Ransomware, DDoS attacks, tax fraud and more. Click on this link to access the MoneyIQ for Business Financial Literacy and Education Center.

Credit-Push Fraud: Recognizing the Signs

Credit-Push Fraud uses social engineering and email phishing attacks to deceive someone into sending funds to a criminal-controlled account. One good resource that broadly outlines CPF and offers steps for identifying and combatting the trend is Nacha’s recently released guidebook, “A New Risk Management Framework for the Era of Credit-Push Fraud”. Nacha’s Michael Herd states that “improved information sharing can counter fraud by improving awareness and understanding of fraud scenarios, enabling communication and recovery between parties regarding specific instances of fraud (”

CPF continues to dominate in the faster payments space with its expectation of quick turnaround and dependence on digital connections. Below are the four most prominent CPF scenarios, and how to protect against them, as outlined by Nacha.

Payroll Impersonation Fraud, characterized also as ghost employee fraud, employee misclassification fraud, or employee falsification fraud, occurs when cybercriminals hack employee records or access company portals using phished credentials to create a false identity. Much effort is made to identify an employee that has access to payroll and related accounting-type activities to redirect paychecks into a criminal-controlled account.

Best Protections: Tighten scrutiny over direct deposit changes and systems access, utilize multi-factor authentication for accessing sensitive employee records and details, and increase employee education for awareness and red flags.

Vendor Impersonation Fraud, also classified as Relationship and Trust Fraud by the Federal Reserve, takes place when fraudsters convince government agencies, service organizations, and third-party vendors to make payments to the fraudster’s account. Smaller businesses and vendors tend to fall prey to this fraud type, whereby internal protections may only be stopgap measures.

Best Protections: Authenticate all payment change requests using known contact information, separate internal oversight between current and new vendors, and maintain stringent policies for vendor address and direct deposit changes.

Business Email Compromise Fraud (BEC) occurs when an email of someone holding authority within a company (normally C-Level personnel) is compromised and a request for funds is sent to a trusted internal party. Also classified as Relationship and Trust Fraud by the Federal Reserve, BEC fraud can be very damaging to a company, given current focus on the digital space, quick money movement, and reliance on email communications to conduct daily operations. Fraudsters conduct BEC fraud using techniques such as spear-phishing, wicked malware, and slight changes to legitimate email and company addresses.

Best Protections: Be cautious of urgent requests, verify (in person when possible) every request for personal payments or fund transfers, set up and never disable two-factor authentication, and scrutinize email address formats, company URLs, and phone numbers.

Account Takeover Fraud (ATF) occurs when a fraudster gains access to all necessary account information and then conducts transfers into their own accounts or accounts funded for unscrupulous purposes. ATF can wreak havoc in many ways, but criminals with legitimate credentials can deplete accounts quickly and move on before raising suspicions.

Best Protections: Engage and never disable multi-factor-authentication on all accounts, stay mindful of data that is shared online and via social media sites, and never click on links in unsolicited emails and text messages.

Stay safe from cybersecurity threats

Cyber-attacks are a growing concern for small businesses. Learn about the threats and how to protect yourself.

Cyber-attacks are a growing threat for small businesses and the U.S. economy. According to the FBI’s Internet Crime Report, the cost of cybercrimes reached $2.7 billion in 2020 alone.

Small businesses are attractive targets because they have information that cybercriminals want, and they typically lack the security infrastructure of larger businesses.

According to a recent SBA survey, 88% of small business owners felt their business was vulnerable to a cyber-attack. Yet many businesses can’t afford professional IT solutions, have limited time to devote to cybersecurity, or they don’t know where to begin.

Start by learning about common cyber threats, understanding where your business is vulnerable, and taking steps to improve your cybersecurity.

Common threats

Cyber-attacks are constantly evolving, but business owners should at least be aware of the most common types.


Malware (malicious software) is an umbrella term that refers to software intentionally designed to cause damage to a computer, server, client, or computer network. Malware can include viruses and ransomware.


Viruses are harmful programs intended to spread from computer to computer (and other connected devices). Viruses are intended to give cybercriminals access to your system.


Ransomware is a specific type of malware that infects and restricts access to a computer until a ransom is paid. Ransomware is usually delivered through phishing emails and exploits unpatched vulnerabilities in software.


Phishing is a type of cyber-attack that uses email or a malicious website to infect your machine with malware or collect your sensitive information. Phishing emails appear as though they’ve been sent from a legitimate organization or known individual. These emails often entice users to click on a link or open an attachment containing malicious code. After the code is run, your computer may become infected with malware.

Assess your business risk

The first step in improving your cybersecurity is understanding your risk of an attack, and where you can make the biggest improvements.

A cybersecurity risk assessment can identify where a business is vulnerable, and help you create a plan of action—which should include user training, guidance on securing email platforms, and advice on protecting the business’s information assets.

Planning and assessment tools

There’s no substitute for dedicated IT support—whether an employee or external consultant—but businesses of more limited means can still take measures to improve their cybersecurity.

FCC Planning Tool
The Federal Communications Commission offers a cybersecurity planning tool to help you build a strategy based on your unique business needs.

Cyber Resilience Review
The Department of Homeland Security’s (DHS) Cyber Resilience Review (CRR) is a non-technical assessment to evaluate operational resilience and cybersecurity practices. You can either do the assessment yourself, or request a facilitated assessment by DHS cybersecurity professionals.

Cyber Hygiene Vulnerability Scanning
DHS also offers free cyber hygiene vulnerability scanning for small businesses. This service can help secure your internet-facing systems from weak configuration and known vulnerabilities. You will receive a weekly report for your action.

Supply Chain Risk Management

Use the Supply Chain Risk Management Toolkit to help shield your business information and communications technology from sophisticated supply chain attacks. Developed by the DHS Cybersecurity and Infrastructure Agency (CISA), this toolkit will help you raise awareness and reduce the impacts of supply chain risks.

Cybersecurity best practices

Train your employees

Employees and emails are a leading cause of data breaches for small businesses because they are a direct path into your systems. Training employees on basic internet best practices can go a long way in preventing cyber-attacks. The Department of Homeland Security’s "Stop.Think.Connect" campaign offers training and other materials. 

Training topics to cover include:

  • Spotting a phishing email
  • Using good browsing practices
  • Avoiding suspicious downloads
  • Creating strong passwords
  • Protecting sensitive customer and vendor information
  • Maintaining good cyber hygiene


Use antivirus software and keep it updated
Make sure each of your business’s computers is equipped with antivirus software and antispyware and updated regularly. Such software is readily available online from a variety of vendors. All software vendors regularly provide patches and updates to their products to correct security problems and improve functionality. Configure all software to install updates automatically.

Secure your networks
Safeguard your Internet connection by using a firewall and encrypting information. If you have a Wi-Fi network, make sure it is secure and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password-protect access to the router.

Use strong passwords
Using strong passwords is an easy way to improve your cybersecurity. Be sure to use different passwords for your different accounts. A strong password includes:

  • 10 characters or more
  • At least one uppercase letter
  • At least one lowercase letter
  • At least one number
  • At least one special character

Multifactor authentication
Multifactor authentication requires additional information (e.g., a security code sent to your phone) to log in. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multifactor authentication for your account.

Protect sensitive data and back up the rest

Back up your data
Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies either offsite or on the cloud.

Secure payment processing
Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs and do not use the same computer to process payments and surf the Internet.

Control physical access
Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.

Small Business Payments Toolkit

The Federal Reserve and Business Payment Coalition has created the Small Business Payments Toolkit so that you can see the benefits of using electronic payment types, as well as practical fraud prevention including mitigation tips and education and training for employees to avoid payments fraud. Access the toolkit here.

Business Email Compromise (BEC). What is it?

Business Email Compromise (BEC) is a type of targeted scam in which an attacker impersonates a company executive or high-level employee with the intent of defrauding or extracting sensitive data from the company or its partners. The end goal of a BEC fraud is to persuade the target to make a money transfer or send sensitive data to the attacker while believing they are executing a legitimate and regular business operation.

Attackers achieve this by using different manipulating techniques in order to trick users into providing money or data.

How a BEC Scam Works

Well, like all social engineering attacks, BEC fraud relies on the human factor in order to be successful. This means that the innate human tendency to be a social creature is what will be exploited here.

Because people have a natural desire to be helpful and prove their usefulness, therefore likely to become victims of BEC attacks. The impulse to say ‘yes’ fast to a request from your management overrides the need to double-check if everything is in order with that request in the first place. 

In most BEC attacks, there are three major stages:

Target Research

Also known as the “man-in-the-email” attack, BEC scams start with a large amount of research, with the attacker going through publicly available information about the company, like websites, press releases, or social media published content.


After diligently researching his targets for some time, the attacker will develop a few scam scenarios that might work.

The attacker will try to either obtain access to the email addresses of the influential people in the company or just impersonate them. By creating an email address with a spoofed domain and just adding 1 digit or one letter in the domain name you could become a victim.

Attack Execution

Depending on the adversary’s thoroughness, the BEC assault can occur in a single email or throughout an entire thread. To earn the victim’s trust, this communication frequently employs persuasion, urgency, and authority. The attacker then gives the victim instructions to either make a money transfer or send sensitive data.

Most Common Types of BEC Attacks

The Bogus Invoice Scheme

In this specific scam companies working with foreign suppliers are often targeted. The attackers pretend to be suppliers requesting fund transfers for payments to an account owned by fraudsters.

CEO Fraud

After collecting the necessary data, attackers will behave as the company CEO or any high-level executive and send an email to employees in finance, requesting money transfers to the account they control.

Email Account Compromise (EAC)

An executive or employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts.

Attorney Impersonation

There are cases when attackers are pretending to be a lawyer or someone from a law firm that is supposedly in charge of crucial and confidential data. These types of requests are done usually through email or phone and take place at the end of the business day when the victim is tired and less focused.

Data Theft

This type of scam usually targets employees from the HR and bookkeeping departments. The employees are targeted in order to obtain personally identifiable information (PII) or tax statements of employees and executives, important data that can be used in future attacks.

How to prevent Business Email Compromise?

1. Train your employees

An extremely important step an organization must take in safeguarding against BEC is to provide employees with adequate cybersecurity training.

Employees should be aware of the risks and implications that these attacks hold, as well as how to spot scams and properly respond to an incident of this sort.

BEC attacks have a high success rate not because they are so technologically sophisticated, but because they are exploiting human vulnerabilities, like a response to authority, schedule, or even tiredness.

You can mitigate these risks using clear communication of roles and expectations whilst providing appropriate guidance in the use of IT and accounting controls.

Cybersecurity risks come in a wide variety of shapes and sizes, making it critical to recognize, disclose, and properly respond to a cyber threat.

Although it may seem obvious, human error is responsible for 95% of effective cyber-attacks. Managers should bear in mind that hackers don’t just break into the IT department by sheer force; they look for weaknesses.

As a result, every job in the organization is responsible for cybersecurity knowledge and abilities.

Making cyber security everyone’s responsibility is extremely important, therefore you should include management and IT in your education program, as well as have regular cyber security sessions, and of course create specific rules for email, internet browsing, social networks, and mobile devices.

It’s true that there’s no foolproof method that you can use to protect your business, but educating your employees about security threats and best practices for online behavior and privacy can greatly reduce the possibility of a BEC scam.

2. Encourage employees to challenge suspicious requests

Sometimes employees tend to rush an action or a response, therefore training them to double-check before executing a task could reduce the risk of being compromised by a cyber attack.

Let’s take as an example an email coming from a senior executive in the company in which a large amount of money is requested in an urgent manner.

Employees should understand that it’s better to delay the payment than to be scammed and take the proper steps in making sure the request that came their way is actually legit.

Another aspect that needs to be better applied and understood, especially when discussing larger companies, is to make employees feel comfortable to contact their managers, not only via email but also using alternative communication tools like internal chat systems, SMS, and even phone calls.

Any organization requires effective communication. Organizations must have complete policies and methods for communicating with their constituents, workers, and stakeholders, as well as the general public, in order to be successful.

3. Payments approval process

Organizations should start mapping the existing workflow used for wire transfers and analyze in-depth their processes in order to identify potential weaknesses and enhancement opportunities, for example limiting the amount of money each executive can approve, or using authorization for wire transfers, that also includes a protocol for approvals in the specific cases where senior executives are the initiators of these transactions.

4. Deploy cybersecurity solutions

Raising employee awareness about scams and BEC fraud is always a good idea, but businesses shouldn’t rely solely on this.

Having at least basic email security in place and two-factor authentication is a must. You Should also make sure to update your security software regularly and keep a backup of your data.

Business scams and fraud attempts are on the rise — especially ACH and wire fraud, in which scammers use nefarious means to try to trick you into sending them money electronically. So how do you keep your business safe from those who want to wreak havoc? Along with best practices from our friends at the National Automated Clearing House Association (NACHA), we’ve added some tips of our own and built this resource to help you protect your company from falling victim. You’ll also find a roundup of four up-and-coming scams to keep your eye out for. Let’s dive in!

Best practices against ACH and wire fraud

Business scams and fraud attempts are on the rise — especially ACH and wire fraud, in which scammers use nefarious means to try to trick you into sending them money electronically. So how do you keep your business safe from those who want to wreak havoc?

Verify by phone before you send funds. ALWAYS call the vendor, business partner, or colleague directly to verify the payment information. Use previously known numbers you know are correct — even across different time zones — and not the numbers provided in an email or text request. Never initiate any changes based only on email or text communication.

Be cautious of new payment information. Beware of email requests instructing a routine wire payment to be sent to a new account.

Match your payment to a legitimate invoice before paying. Quite frequently, fraudsters tend to pose as a trusted vendor requesting payment. Prior to sending payments, ensure the payment requested matches a legitimate invoice.

Verify before clicking on a link or opening an attachment in an email or text. It may appear to be from someone you know, but it may be a fraudster phishing for your password, business bank account, or other sensitive information. Extra caution: The link may contain malware.

Double-check the email address. Fraudsters are tricky and can create email addresses that look very similar to the legitimate account. They often find naming conventions for a company’s email accounts on its website and use those to fool you — inspect closely!

Do not respond to email as verification. Don’t reply to the requester by email. The fraudster either controls the spoof email account or has gotten access to the valid email account and can write back, making it look legitimate when it’s really not.

Beware of a sense of urgency. Usually fraudsters will indicate that the funds need to be wired right away. These requests often ask that the client be contacted only through email instead of other channels.

Know and trust who you are working with. Before doing business with a new company, search the company’s name online with the term “scam” or “complaint.” Read what others are saying about the company. Only purchase merchandise from reputable dealers or establishments.

Be wary of using free, web-based email accounts for your business, which are more susceptible to being hacked. Make sure at least two-factor authentication is available.

Be careful when posting information to social media and company websites, as fraudsters may use this information to deploy new tactics.

Keep the processing of your financial activities limited to as few machines as possible and limit the other activities such as web surfing on those machines, as well.

Consider financial security procedures that include a two-factor authentication process or dual control for electronic funds transfers.

Create intrusion detection system rules that flag emails with extensions that are similar to company email but not exactly the same (for example, .co instead of .com). If possible, register all Internet domains that are slightly different from the actual company domain.

Know the habits of your customers, including the reason, detail, and amount of payments. Beware of any significant changes.

Consider frequent and regular patching of your business systems.

Use a quality next-gen antivirus solution — one that watches for behavior anomalies and not just signatures.


Thinking of starting a Business?

Visit the one-stop shop for learning about doing business in Ohio.

Go to

Information for starting and maintaining a business.

Go to Ohio Secretary of State online.

Old-fashioned Innovation

Give Us A Call: 800-422-3641