"Please update my direct deposit." That email just redirected someone's paycheck to a scammer. W-2 theft season starts in January. Payroll diversion happens year-round.
$1.3 billion stolen through payroll diversion in 2025. Your inbox is the entry point.
You control access to the most sensitive employee data. Criminals know this.
"The CEO" asks for all employee W-2s for a "year-end review." You send them. Now 200 employees' SSNs are in criminal hands. Tax refund fraud follows.
"Hi, I'm traveling—can you update my direct deposit?" You make the change. The next paycheck goes to a scammer's account. $4,200 gone. Employee devastated.
The "CFO" needs employee records urgently. The email looks right. But it's not from your CFO—it's a criminal with a spoofed address harvesting SSNs.
Fake emails from "benefits providers" asking employees to verify personal info. They click, enter credentials, and their 401k access is compromised.
You receive an email from "Michael Chen" in Sales asking to update his direct deposit information. The email comes from michael.chen@yourcompany-hr.com—looks almost right.
You process the change. Payroll runs Friday. Michael's $4,200 paycheck is direct deposited to a bank account in another state.
The real Michael Chen calls. He never sent that email. His paycheck is gone. The bank account has been closed. The money is unrecoverable.
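The address in this scenario is a look-alike domain: yourcompany-hr.com is not yourcompany.com. The following is an added example, not ForwardToSafety's code, of the kind of sender check a payroll team can run before acting on a direct-deposit or W-2 request. It assumes the organization's real domain is yourcompany.com (a placeholder) and flags near-miss domains such as yourcompany-hr.com and your-company.com, plus typo-squats a couple of edits away. The verdict labels are this example's own convention.

```python
"""
Added example (not the product's or the page author's code): classify the
sender of an HR/payroll request as trusted, look-alike, or external.
Assumption: the organization's legitimate e-mail domain is yourcompany.com.
"""
from dataclasses import dataclass
from email.utils import parseaddr

# Assumption: the organization's own domains (placeholder values).
TRUSTED_DOMAINS = {"yourcompany.com"}


@dataclass
class SenderVerdict:
    address: str
    domain: str
    status: str   # "trusted", "lookalike", or "external"
    reason: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _registrable_label(domain: str) -> str:
    """Label just before the public suffix ("yourcompany-hr.com" -> "yourcompany-hr").
    Crude but adequate for the .com cases on this page; production code would
    consult a public-suffix list."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> SenderVerdict:
    """Compare the sender's domain against the trusted list and common look-alike tricks."""
    _, addr = parseaddr(address)          # handles 'Name <user@host>' as well as bare addresses
    domain = addr.rsplit("@", 1)[-1].lower().strip()
    if domain in trusted:
        return SenderVerdict(address, domain, "trusted", "domain is on the trusted list")

    label = _registrable_label(domain)
    for real in trusted:
        real_label = _registrable_label(real)
        # 1. same name under a different suffix: yourcompany.org
        if label == real_label:
            return SenderVerdict(address, domain, "lookalike",
                                 f"same name as {real} with a different suffix")
        # 2. hyphen inserted or removed: your-company.com
        if label.replace("-", "") == real_label.replace("-", ""):
            return SenderVerdict(address, domain, "lookalike",
                                 f"same as {real} once hyphens are ignored")
        # 3. real name embedded with extra tokens: yourcompany-hr.com
        if real_label in label:
            return SenderVerdict(address, domain, "lookalike",
                                 f"contains '{real_label}' with extra characters")
        # 4. typo-squat within two edits: yourcompnay.com
        if levenshtein(label, real_label) <= 2:
            return SenderVerdict(address, domain, "lookalike",
                                 f"within 2 edits of {real}")
    return SenderVerdict(address, domain, "external", "domain unrelated to any trusted domain")


def may_process_payroll_change(address: str) -> bool:
    """Policy: only a trusted-domain sender is even considered; every other verdict
    is routed to out-of-band verification (call the employee at a number already on file)."""
    return classify_sender(address).status == "trusted"


if __name__ == "__main__":
    # Constructed sample senders, including the ones named on this page.
    for sample in ["michael.chen@yourcompany-hr.com", "hr@your-company.com",
                   "payroll@yourcompnay.com", "michael.chen@yourcompany.com",
                   "someone@gmail.com"]:
        v = classify_sender(sample)
        print(f"{v.status:9s} {v.domain:25s} {v.reason}")
```

A look-alike verdict is a reason to stop and verify, never a reason to process. Note what this check cannot do: an attacker who spoofs the exact trusted domain (the "CFO" case above) passes this test, so a trusted result must still be backed by SPF, DKIM and DMARC enforcement on the mail gateway, and by a callback to the employee for any banking change regardless of how the email looks.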
Employment and privacy laws create liability when employee data is compromised.
| Rule | Requirement | How Phishing Threatens Compliance |
|---|---|---|
| FLSA Record Requirements | Maintain accurate payroll records | Fraudulent payroll changes corrupt official records |
| State Privacy Laws | Protect employee personal information | W-2 and tax form phishing exposes protected data |
| PCI DSS (if handling payments) | Protect cardholder data in payroll systems | Credential theft enables payment card exposure |
| IRS Data Protection | Safeguard taxpayer information (W-2s, 1099s) | W-2 phishing enables mass identity theft and tax fraud |
"An 'employee' emailed asking to change their direct deposit info. I forwarded it to ForwardToSafety first—the domain was off by one letter. That would have been a $5,600 mistake and a devastated employee."
— Sarah K., HR Manager
Verify any suspicious HR or payroll request before you act on it.
Did this payroll change request really come from that employee? We verify the sender instantly.
We catch domains that look almost right—yourcompany-hr.com, your-company.com, and other tricks.
Our analysis reports document your due diligence. Protect yourself and your organization.
Verify before you process. Protect every employee's paycheck.
Protect My Team's Data