Okta’s threat intelligence identifies payroll diversion fraud as one of the fastest-growing cybercrime categories targeting businesses, and the reason it is growing is the same reason it is difficult to catch: it does not look like a cyberattack. No systems are locked, no data is visibly exfiltrated, and no alerts fire. An attacker calls or emails the help desk, impersonates an employee, requests a direct deposit change, and waits for the next payroll cycle to deposit someone else’s paycheck into an account they control. By the time the legitimate employee reports missing pay, the money is gone, and the recovery process is slow. The attacks concentrate around bonus cycles and holiday payroll runs, when support teams are busier, verification steps get compressed under time pressure, and the dollar amounts being redirected are larger than a standard paycheck.
Understanding how these attacks move through an organization’s existing processes, rather than around them, is what produces the procedural controls that actually stop them.
Why Payroll Is the Target That Keeps Delivering
Cybercriminals operate on risk-adjusted return calculations, and payroll diversion fraud scores well on every relevant variable. The potential payout is predictable and recurring. The attack method requires no technical sophistication, no malware deployment, and no penetration of hardened systems. The window between a successful attack and discovery can span multiple payroll cycles if the targeted employee does not immediately notice or report the discrepancy. And the evidence trail that investigators work with after the fact is thin, because the attacker never touched the organization’s systems directly.
The information required to impersonate an employee convincingly is available without any specialized access. A LinkedIn profile provides name, title, employer, and often enough detail about role and tenure to construct a credible story. Data breach repositories that are freely traded in criminal markets contain email addresses, phone numbers, and sometimes answers to the security questions that identity verification processes rely on. An attacker who spends twenty minutes assembling a profile on a target employee before calling the help desk arrives at that call with enough personal detail to answer verification questions, explain why they need urgent assistance, and sound exactly like the person they are claiming to be.
The urgency framing that makes these calls effective is not invented. It reflects the actual circumstances of the holiday bonus period, when employees genuinely are asking about payment timing, access to benefits portals, and account updates before payroll runs. A help desk that processes dozens of similar requests during peak periods is the environment where a fraudulent request is hardest to distinguish from a legitimate one, which is precisely when attackers choose to make them.
How the Attack Moves Through Processes That Were Designed to Be Helpful
The social engineering that enables payroll diversion fraud does not defeat security processes by finding technical vulnerabilities in them. It defeats them by exploiting the gap between what verification procedures require and what support staff actually do when a caller presents a plausible story under time pressure.
Standard identity verification for help desk requests typically involves confirming information the employee should know, their employee ID, their manager’s name, the last four digits of their Social Security number, and the answers to security questions they set up during onboarding. Each of those data points is either available through public sources, obtainable from breach data, or guessable with modest research effort. A caller who has done that research answers the verification questions correctly, which signals to the support staff member that the verification has succeeded, even though the information confirmed was not actually secret.
The direct deposit change request that follows the successful identity verification passes through the payroll system as a legitimate authorized change, because from the system’s perspective, it is one. It was submitted through the proper channel by someone who passed the verification process. Nothing in the transaction record indicates that the person who made the request was not the employee whose account is being modified. The fraud is invisible in the system logs because it was executed through the system rather than around it.
Why the Period Around Bonus Cycles Multiplies the Risk
The concentration of payroll diversion attacks around bonus cycles and holiday payroll runs is not coincidental. It reflects a deliberate calculation about when the combination of higher payout and reduced verification creates the most favorable conditions for this specific attack.
A redirected regular paycheck represents the employee’s standard compensation. A redirected holiday bonus on top of a regular paycheck, or a redirected year-end commission payment, represents a multiple of that amount from a single successful attack. Attackers who have identified high-earning employees as targets and prepared their impersonation materials wait for the payroll period when the amount in motion justifies the effort and when the conditions for successful social engineering are at their peak.
Those conditions converge at the end of the year in ways that are predictable enough to plan around. Support teams handling elevated request volume during a period when staff may themselves be managing holiday schedules and partial team availability are the teams most likely to compress verification steps in the interest of processing requests efficiently. The organizational awareness that would ordinarily make an unusual request stand out is distributed across a period of general busyness that provides cover for a fraudulent request to look like one more item in a long queue.
The Process Controls That Close the Gap Technology Leaves Open
Firewalls, endpoint protection, and intrusion detection systems do not protect against an attack that never touches the network perimeter. The controls that work against payroll diversion fraud are procedural, and they are inexpensive to implement relative to the exposure they eliminate.
Requiring multi-step verification for any payroll or direct deposit change means that a single successful social engineering call cannot complete the attack. A callback to the employee’s verified phone number on file, a confirmation email to the address the organization holds rather than one provided by the caller, or a secondary approval from the employee’s manager introduces a verification step that the attacker cannot pass by impersonating the employee, because completing it requires access to the actual employee’s communication channels.
Separating the approval authority for payroll changes so that no single staff member can authorize a direct deposit modification without a secondary review removes the single point of failure that the social engineering targets. An attacker who successfully manipulates one support staff member into approving a change still needs that change to clear a second review, which requires either a second successful manipulation or access to a channel the attacker does not control.
Implementing a waiting period before direct deposit changes take effect ahead of major payroll runs creates a review window that does not exist when changes are applied immediately. A change submitted three days before a bonus payroll run that does not take effect until the following cycle gives the organization time to notice the modification and verify it with the employee directly before any money moves.
Training HR and help desk staff specifically on the social engineering patterns that payroll diversion attacks use, rather than on general phishing awareness, equips the people at the verification point with the specific recognition capability the attack requires them to lack. A support staff member who knows that urgent direct deposit change requests arriving near payroll cycles are a documented attack pattern approaches those requests with a different level of scrutiny than one who has only been trained to watch for suspicious emails. The attack succeeds at the human verification step. Improving that step is where the protection actually lives.