Payroll Direct Deposit Risk & Fraud Prevention Playbook
Ben Scott
Feb 20 (updated Mar 13) · 11 min read
A practical control pack to prevent payroll diversion, protect employees, and keep bank changes from becoming incidents.

Why bank-change controls matter
Direct deposit changes look routine—until they aren’t.
The highest-impact payroll incidents often come from a simple workflow weakness: someone requests a bank change, payroll processes it quickly, and the next payday routes money to the wrong place.
The root cause is rarely payroll math. It’s usually a breakdown in verification, approvals, and timing controls—exactly the kinds of weaknesses attackers target in payroll phishing and business email compromise schemes.
This guide is designed to make direct deposit changes boring again: predictable, controlled, and auditable.
The fraud-control trade-off
Direct deposit changes force a trade-off most teams never name:
Frictionless updates (fast, minimal review, fewer employee steps)
vs
Controlled updates (verification, holds, approvals, and evidence)
“Frictionless” feels employee-friendly, but it increases the chance of:
fraud/diversion events
accidental misrouting
payday emergencies and off-cycle corrections
long-term trust damage (“payroll can’t be trusted”)
“Controlled” adds small steps, but it reduces incident probability dramatically—especially for remote workforces and organizations with multiple admins.
High-level conclusion: treat bank changes like high-risk payroll events
The safest operating model treats direct deposit changes as a high-risk event with four non-negotiables:
Identity verification: the request must be verified through a trusted channel (not the same email thread).
Timing controls: changes near cutoff trigger a hold rule (apply next cycle unless verified early enough).
Evidence pack: every change produces proof (who requested, how verified, who approved, when effective).
Incident playbook: when something smells wrong, you have a stop-the-line escalation path.
These controls align with how federal guidance frames payroll-targeting scams: attackers exploit trust and informal processes, so defenses must be procedural and testable, not just “be careful.”
Related decision guide: Payroll Change Control Playbook
Related decision guide: Payroll Record Retention & Audit-Ready Evidence Pack

Get Your Free Payroll Software Matches
SelectSoftware Reviews Offers 1:1 Help From a Payroll Software Advisor. Get in touch to:
Pre-mortem: how direct deposit goes wrong in real life
This section is intentionally concrete. The goal is to make failure predictable so prevention becomes practical.
Failure path 1: “Employee email request” with no out-of-band verification
What happens
A request arrives by email: “I changed banks—please update direct deposit.”
Payroll updates it because it “sounds normal.”
Payday routes to a new account that is not the employee’s.
Why it happens
Email is not identity. Attackers leverage compromised inboxes, spoofed addresses, and urgency language—patterns common in business email compromise activity. (fbi.gov)
Prevention control
Require out-of-band verification (trusted call-back or portal verification), and never verify in the same email thread.
Failure path 2: “Executive urgency” override (process bypass)
What happens
A message appears to come from a leader or HR: “Please update this today—urgent.”
The team bypasses normal checks to help.
Funds are diverted or misrouted.
Why it happens
Attackers target human helpfulness, perceived authority, and time pressure—again consistent with business email compromise patterns. (fbi.gov)
Prevention control
A “stop-the-line” rule: urgency never replaces verification.
Escalate to a second approver for any exception to policy.
Failure path 3: Changes inside cutoff windows (timing risk)
What happens
An employee requests an update close to payroll cutoff.
Payroll updates it immediately.
The change applies to the next payroll run without adequate verification time.
If anything is wrong, there is no time to correct before pay is released.
Prevention control
A cutoff/hold rule: changes inside the window apply next cycle unless they meet a stricter verification standard.
Failure path 4: Shared admin access (no accountability, no traceability)
What happens
Multiple admins can change banking details.
There’s limited audit trail review.
A change is made and later disputed; no one can quickly prove who did what and why.
Prevention control
Restrict executors, require approvals, and retain a standard evidence pack.
Related decision guide: Payroll Change Control Playbook
Failure path 5: Employee self-service exists, but “support” bypasses it
What happens
A self-service portal exists, but employees email payroll because it’s faster.
Payroll makes manual updates without the portal verification trail.
Evidence and accountability are weakened.
Prevention control
Enforce channel discipline: bank changes must come through controlled channels (portal or verified call-back workflow).
If support assists, it should assist through the controlled flow, not bypass it.
Failure path 6: No incident playbook (you lose time when time matters)
What happens
A suspicious request comes in or an employee reports missing pay.
The team scrambles to decide what to do.
Critical time is lost, and evidence is scattered.
Prevention control
A short incident escalation workflow: hold changes, notify internal owners, preserve evidence, and escalate to the bank/provider per your internal process.
Direct Deposit Risk & Fraud Prevention Control Pack
This is the primary decision artifact. It includes:
Verification checklist
Cutoff and hold rules
Evidence pack requirements
Escalation workflow (stop-the-line)
All artifact tables are kept to a five-column maximum.
Artifact Table A — Verification checklist (identity + channel controls)
Step | What to do | Why it matters | Owner | Evidence to retain |
V1 | Accept bank change requests only through approved channels (preferred: self-service; alternate: verified call-back process) | Reduces spoofing and channel manipulation | Payroll intake owner | Request record + channel used |
V2 | Verify identity out-of-band (not the same email thread); use a trusted callback method | Email-only verification is vulnerable | Payroll resolver | Verification note (method, date/time) |
V3 | Require a second check for “high-risk signals” (new bank + urgency + new email/phone) | Risk is multiplicative when multiple signals exist | Payroll lead/approver | Risk flag note + approval |
V4 | Confirm effective date and communicate when the change will apply | Prevents misunderstanding and timing errors | Payroll intake owner | Employee message copy |
V5 | If verification fails or feels suspicious, stop-the-line and escalate (do not process) | Prevents irreversible releases | Payroll lead | Escalation record |
Artifact Table B — Cutoff and hold rules (timing discipline)
Rule | Condition | Action | Owner | Evidence to retain |
T1 | Request received inside payroll cutoff window | Default: apply to next pay cycle | Payroll intake owner | Timestamp + cutoff determination |
T2 | Request is urgent but inside cutoff | Only process this cycle if enhanced verification completed and approver signs off | Payroll lead/approver | Verification proof + approval |
T3 | Any request with high-risk signals | Mandatory hold until verified + secondary review | Payroll lead | Risk flag + review note |
T4 | First payroll after change | Run a post-run confirmation check (confirm deposit success where possible) | Payroll resolver | Confirmation note |
T5 | Employee reports missing pay after a change | Trigger incident workflow immediately | Payroll lead | Incident ticket/log |
Artifact Table C — Evidence pack requirements (audit-ready proof)
Evidence item | Minimum content | When required | Owner | Storage location |
E1 Request record | Who requested, what changed, date/time, channel | Every change | Intake owner | Evidence pack folder |
E2 Identity verification record | Method used, verification date/time, verifier name | Every change not done purely in verified self-service | Resolver | Evidence pack folder |
E3 Approval record (if applicable) | Approver, date/time, reason for exception or high-risk flag | High-risk or exception-to-policy | Payroll lead | Evidence pack folder |
E4 Effective date confirmation | Effective date used + copy of the employee message stating when the change applies | Every change | Intake owner | Evidence pack folder |
E5 Post-change confirmation note | Any confirmation performed + outcome | First payroll after change or any incident | Resolver | Evidence pack folder |
Related decision guide: Payroll Record Retention & Audit-Ready Evidence Pack
Artifact Table D — Escalation workflow (stop-the-line)
Trigger | Immediate action | Escalate to | Do not do | Evidence to retain |
S1 Suspicious request indicators | Do not process; place hold; verify via trusted method | Payroll lead + security/IT (as applicable) | Don’t reply in-thread confirming details | Incident log entry |
S2 Executive urgency request | Require secondary approval + verification | Payroll lead + HR lead | Don’t bypass process due to title | Approval + verification notes |
S3 Reported missing pay | Start incident workflow; validate change history; confirm deposit status | Payroll lead + finance (as needed) | Don’t promise timelines you can’t control | Investigation notes + outcomes |
S4 Multiple bank changes in short window | Freeze further changes until reviewed | Payroll lead | Don’t process repeated changes without review | Pattern review note |
S5 Access anomaly (unexpected admin change) | Suspend change ability; review audit trail | Payroll lead + IT/admin | Don’t assume it’s harmless | Access review record |
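As an added example (not part of the original playbook), the rules in Tables A, B and D can be encoded as a single decision function, so the outcome for any request is deterministic and reviewable. The channel names, the two-day cutoff window, the 30-day pattern window, and the sample requests are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed policy parameters (not from the playbook; tune to your payroll calendar).
CUTOFF_WINDOW = timedelta(days=2)    # T1: requests this close to cutoff default to next cycle
PATTERN_WINDOW = timedelta(days=30)  # S4: window for "multiple bank changes in short window"
PATTERN_LIMIT = 2                    # S4: prior changes inside the window that trigger a freeze
APPROVED_CHANNELS = ("self_service", "call_back")  # V1: preferred and alternate channels


@dataclass
class BankChangeRequest:
    employee_id: str
    channel: str                          # anything outside APPROVED_CHANNELS (e.g. "email") is refused
    received_at: datetime
    verified_out_of_band: bool = False    # V2: trusted call-back, never the same email thread
    approver: Optional[str] = None        # V3/T2: secondary approver sign-off, if recorded
    urgent: bool = False                  # V3/S2 signal: "please update this today"
    new_contact_details: bool = False     # V3 signal: new email/phone supplied with the request
    prior_changes: List[datetime] = field(default_factory=list)  # earlier bank changes on file


def decide(req: BankChangeRequest, cutoff_at: datetime) -> Tuple[str, str]:
    """Return (action, reason) for one request measured against a payroll cutoff."""
    # V1: an unapproved channel (e.g. a plain email request) is never processed.
    if req.channel not in APPROVED_CHANNELS:
        return "HOLD_ESCALATE", f"S1: request arrived via unapproved channel '{req.channel}'"
    # S4: repeated changes in a short window freeze further changes until reviewed.
    recent = [t for t in req.prior_changes if timedelta(0) <= req.received_at - t <= PATTERN_WINDOW]
    if len(recent) >= PATTERN_LIMIT:
        return "HOLD_ESCALATE", f"S4: {len(recent)} prior changes within {PATTERN_WINDOW.days} days"
    # V2/V5: self-service carries its own trail; any other channel needs out-of-band proof.
    if req.channel != "self_service" and not req.verified_out_of_band:
        return "HOLD_ESCALATE", "V5: out-of-band verification missing or failed"
    # V3/T3: new bank plus urgency or new contact details is a multiplicative risk signal.
    signals = [s for s, on in (("urgency", req.urgent), ("new_contact", req.new_contact_details)) if on]
    if signals and req.approver is None:
        return "HOLD_ESCALATE", "T3: new bank + " + "+".join(signals) + " needs secondary review"
    if cutoff_at - req.received_at <= CUTOFF_WINDOW:
        # T2: inside cutoff, this cycle only with enhanced verification and approver sign-off.
        if req.verified_out_of_band and req.approver:
            return "APPLY_THIS_CYCLE", f"T2: inside cutoff, verified and approved by {req.approver}"
        return "APPLY_NEXT_CYCLE", "T1: inside cutoff window, defaulting to next pay cycle"
    return "APPLY_THIS_CYCLE", "outside cutoff window, standard verification satisfied"


def demo() -> dict:
    """Constructed scenarios (not real requests) mapped to the action each receives."""
    cutoff = datetime(2024, 3, 15, 12, 0)  # assumed payroll cutoff
    early, late = cutoff - timedelta(days=5), cutoff - timedelta(days=1)
    cases = {
        "email_request": BankChangeRequest("e1", "email", early),
        "callback_unverified": BankChangeRequest("e2", "call_back", early),
        "portal_routine": BankChangeRequest("e3", "self_service", early),
        "portal_inside_cutoff": BankChangeRequest("e4", "self_service", late),
        "urgent_no_approver": BankChangeRequest("e5", "call_back", late, True, None, urgent=True),
        "urgent_approved": BankChangeRequest("e6", "call_back", late, True, "payroll_lead", urgent=True),
        "repeat_changes": BankChangeRequest("e7", "self_service", early,
                                            prior_changes=[early - timedelta(days=20), early - timedelta(days=3)]),
    }
    return {name: decide(req, cutoff)[0] for name, req in cases.items()}
```

Each HOLD_ESCALATE reason names the table row that fired, which is the text a reviewer should expect to find in the S1 incident log entry or T3 review note.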

Decision drivers
Direct deposit controls should be calibrated to the realities that raise risk. This section tells you what to tighten when your environment changes so the control pack stays practical (not overbuilt).
Driver 1: Workforce distribution and remote work
Remote and distributed workforces increase identity and channel risk because:
payroll teams rely more on email and messaging
in-person verification is rare
urgency messages are harder to validate informally
Practical implication
Make out-of-band verification a Tier 1 control.
Require stronger hold rules near cutoff because verification time is constrained.
Driver 2: Who can change bank details (permission surface area)
Risk increases sharply when multiple admins can edit banking:
more potential for error
more potential for unauthorized change
lower visibility unless audit review is routine
Practical implication
Restrict executors.
Add a monthly audit trail review of bank changes and admin access.
Related decision guide: Payroll Change Control Playbook
Driver 3: Change volume (how often bank changes happen)
High change volume increases the chance that:
a risky request slips through
evidence isn’t captured consistently
cutoff discipline is bypassed to “keep up”
Practical implication
Standardize intake and evidence pack creation so it’s faster to do the right thing than to bypass it.
Use the T1/T2 hold rules consistently so urgency doesn’t become the default.
Driver 4: Cutoff timing and payroll cadence
Short payroll cycles and tight cutoffs reduce verification time.
Practical implication
Make timing rules explicit and employee-facing (“changes inside cutoff apply next cycle”).
Treat cutoff violations as process failures to correct, not heroic exceptions.
Driver 5: Organizational risk tolerance (trust cost of an error)
Direct deposit errors carry outsized trust damage. The “cost of mistake” is often:
employee hardship
reputation and retention risk
admin time for emergency fixes
potential fraud exposure
Practical implication
Even small teams should treat bank changes as high-risk events with minimum evidence standards.
Driver 6: Security posture and incident coordination
Payroll teams rarely own incident response. Risk is reduced when the escalation path is defined:
who to notify internally
how to preserve evidence
who controls access and holds
Practical implication
Keep the escalation workflow short and test it once (a tabletop exercise).
Switching triggers
In this guide, “switching triggers” are the signals that your current payroll tooling or process cannot safely support direct deposit changes—and you need to strengthen controls or reconsider your setup.
Trigger 1: Bank changes are processed via email or informal requests
If changes are routinely handled through email with no out-of-band verification, the system is unsafe by design.
Trigger 2: Multiple admins can change bank details without review
If executor access is broad and there’s no periodic review, you lack accountability and detection.
Trigger 3: Cutoff exceptions are common
If changes are frequently made inside cutoff windows, you’re operating in a high-risk mode every cycle.
Trigger 4: You’ve had a near-miss or an incident
A single near-miss should trigger immediate tightening:
mandatory verification
mandatory hold rules near cutoff
evidence packs required every time
escalation workflow tested
Trigger 5: High-volume workforce change (hiring surges, turnover)
Surges create more change requests and more noise, increasing the chance of social engineering success.
Failure modes
This section connects the pre-mortem to operating controls. These are the predictable ways teams fail even when they “know about fraud.”
Failure mode 1: Verification is “in the same thread”
Teams believe they verified, but they verified through a compromised channel.
Fix: Out-of-band verification is mandatory.
Failure mode 2: Urgency defeats policy
“Just this once” becomes routine, and controls collapse.
Fix: Urgency requires stricter verification, not looser controls (T2 rule).
Failure mode 3: Evidence is not retained
Even when the change is legitimate, missing evidence creates disputes and weakens incident response.
Fix: Evidence pack requirements (Table C) are mandatory.
Related decision guide: Payroll Record Retention & Audit-Ready Evidence Pack
Failure mode 4: Permission sprawl and no review
Too many admins + no review means changes can occur without detection.
Fix: Restrict executors; monthly review of bank change audit trail.
Failure mode 5: No stop-the-line culture
Suspicious requests are processed to avoid confrontation or delay.
Fix: Escalation workflow (Table D) plus leadership support that “stop-the-line” is the correct choice.
Migration considerations
Direct deposit risk often increases during transitions: new payroll provider, new HRIS, new identity workflows, or new admins.
Consideration 1: Preserve evidence outside the provider portal
During provider transitions, historical access may change. Treat evidence packs as a durable archive:
request records
verification notes
approvals
effective dates
incident logs (if any)
Related decision guide: Payroll Record Retention & Audit-Ready Evidence Pack
Consideration 2: Re-establish roles and access post-go-live
Implementation periods often grant broad admin access. If that access remains, risk stays elevated.
Plan an “access cleanup” milestone in the first 30 days after go-live.
Related decision guide: Payroll Hypercare-to-BAU Transition Playbook
Consideration 3: Align cutoff rules during cutover windows
During migration, teams are tempted to bend cutoffs to “keep things moving.” That increases risk.
Make cutover-window rules explicit:
changes apply next cycle unless verified early
emergency pathway requires approval + evidence pack
Consideration 4: Test the escalation workflow after go-live
After transition, run a quick tabletop test:
simulate a suspicious bank change request
confirm who gets notified
confirm who can place holds and restrict access
confirm where evidence is stored
Final recommendation summary
The safest direct deposit change process is not complicated. It’s consistent.
A practical, right-sized standard for most teams is:
Approved channels only (self-service or verified call-back workflow)
Out-of-band identity verification for any request not fully contained within a trusted self-service flow
Cutoff/hold rules that make “apply next cycle” the default near payroll deadlines
Evidence packs for every change so outcomes are defensible
Stop-the-line escalation when anything feels off
If you implement only those five components, you will materially reduce:
diversion/fraud risk
accidental misrouting
payday emergencies
administrative rework
employee trust damage
Related decision guide: Payroll Change Control Playbook
Related decision guide: Payroll Exception Handling SOP
Next steps if you’re ready to act
Define the approved channels and publish the rule (Week 1)
Decide how employees must submit bank changes
Document the alternate path (verified call-back workflow)
Communicate timing: “changes inside cutoff apply next cycle”
Implement verification and hold rules (Week 1–2)
Adopt the verification checklist (Table A)
Adopt cutoff/hold rules (Table B)
Define “high-risk signals” and require secondary review
Standardize the evidence pack (Week 2)
Create a consistent storage location
Require evidence pack completion for every change (Table C)
Spot-check a few recent bank changes for completeness
Lock down access (Week 2–3)
Restrict who can change bank details
Implement a monthly review of bank change audit trail
Document the escalation path if suspicious activity is detected
Run a quick tabletop incident test (Week 3–4)
Simulate a suspicious request
Confirm the stop-the-line escalation workflow (Table D)
Confirm who can place holds and restrict access
Confirm where evidence is stored
Related decision guide: Payroll Record Retention & Audit-Ready Evidence Pack
Related decision guide: Payroll Hypercare-to-BAU Transition Playbook

Q&A: Direct deposit fraud and payroll diversion prevention
Q1) What’s the most common way direct deposit fraud happens in payroll?
A bad actor gets a bank account change approved without proper verification—often through email compromise, impersonation, or weak self-service controls—so the next payroll diverts funds to the wrong account.
Q2) What’s the single highest-leverage control to prevent payroll diversion?
Treat bank account changes as a high-risk workflow: require identity verification, enforce a hold period or “effective date” discipline, and add a second review step (dual control) for changes close to payroll cutoff.
Q3) Should employees be allowed to change bank details in self-service?
They can be—but only if the process has strong verification and risk controls (authentication, step-up verification for changes, and clear logs). If you can’t reliably verify identity, restrict changes to a verified support path.
Q4) What should we do when a bank change is requested right before payroll runs?
Default to caution. Use a strict cutoff rule: either defer the change to the next cycle or require higher verification plus documented approval. Last-minute changes are a common incident pattern.
Q5) What evidence should we retain for bank account changes?
Keep proof of the request, verification steps performed, who approved it, the effective date used, and any employee confirmation. The goal is to reconstruct the decision fast if a dispute or incident occurs.
Q6) If diversion happens, what’s the first thing payroll should do?
Contain and document: freeze further changes, identify the impacted payroll(s) and employees, preserve audit logs and approval evidence, and start an incident checklist so recovery actions are consistent (recall attempts, employee communication, and corrective payroll decisions).
About the author
Ben Scott writes and maintains payroll decision guides for founders and operators. His work focuses on execution realities and on how decisions hold up under growth, complexity, and pressure from controls and documentation. He works hands-on in HR and leave-management roles that intersect with payroll-adjacent workflows such as benefits coordination, cutovers, and compliance-driven process controls.