July 30, 2021

HR payroll phishing scam

Milla Viitala
Junior Threat Analyst

There's been a recent uptick in an HR payroll phishing scam. In it, attackers impersonating employees send emails asking for changes to their paycheck deposit information. The attacks usually target HR departments, or whoever is responsible for handling employee salaries. The scam aims to redirect payments to the scammer's account. Here’s one example:

[Image: HR payroll phishing scam 1]

The attack works almost like a spear phishing attack, with the email targeting a specific person. Notice how the email greeting uses the recipient’s first name, making the message feel more personal and legitimate.

The attacker impersonates a co-worker who, after noticing suspicious activity in their account, asks the payroll rep to change their bank deposit details. The attacker uses the name of the impersonated co-worker in the email ‘From’ field:

[Image: HR payroll phishing scam 2]

A quick glance might make the payroll professional assume that the email was actually sent from a colleague. However, lazy scammers often use popular webmail services like Gmail, Outlook or Yahoo. Remember that any time an email with a “” or similar address lands in official work communications, red flags should be raised; those addresses are typically for personal emails, not professional.

Sometimes, employees do send work emails through their personal accounts. This practice boosts even bad scams' chances if it's considered standard operating procedure. For instance, if dashing out quick FYI messages from a personal email address outside working hours were a normal occurrence at this company, it would make them more susceptible to an otherwise obvious scam email from a address.

What to do if you receive an HR payroll phishing scam email like this from a co-worker

  • Check the sender address:
      • Is it coming from a company email?
      • Is it coming from a personal email? Personal = red flag in a professional communications environment.
      • Is the name in the email address the same as the one written in the “from” field? Attackers often change the name in the “from” field, but the email address shows a different name, e.g. From: Jane Doe <>. This is because the same email address is used in multiple attacks, so the attacker can only change the name in the “from” field for each attack.
  • Pay attention to language: does this person usually write like this?
  • Call the person or ask them face to face if they made the request before changing any personal details.
  • Do not contact them via a phone number or email address provided in the email!
  • Check the person's phone number from the company’s official internal channel.
  • If you notice anything suspicious, contact your IT department! It’s always better to be safe than sorry.
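The sender checks in the list above can also be run automatically over incoming mail before a payroll request reaches a person. The following Python code is an added example, not part of the original post; the company domain, the directory entry, the `webmail.example` stand-in domain and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
# Webmail services named in the post; webmail.example is a reserved stand-in
# domain used only by the constructed sample message below.
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "webmail.example"}
# Assumption: display name -> official address, exported from the HR directory.
DIRECTORY = {"jane doe": "jane.doe@example.com"}
PAYROLL_TERMS = ("direct deposit", "payroll", "paycheck", "bank details")

def check_sender(raw_message):
    """Return the checklist red flags raised by one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    local, _, domain = address.rpartition("@")
    flags = []
    if domain != COMPANY_DOMAIN:
        flags.append("not-company-address")
    if domain in WEBMAIL_DOMAINS:
        flags.append("personal-webmail")
    # Display name belongs to a known employee but the address is not theirs.
    official = DIRECTORY.get(display.strip().lower())
    if official and address != official:
        flags.append("display-name-impersonates-employee")
    # Name in the "from" field does not appear anywhere in the address itself.
    parts = [p for p in display.lower().split() if len(p) > 2]
    if parts and not any(p in local for p in parts):
        flags.append("name-address-mismatch")
    text = (msg.get("Subject", "") + " " + str(msg.get_payload())).lower()
    if any(term in text for term in PAYROLL_TERMS):
        flags.append("payroll-change-request")
    return flags

# Constructed sample messages (not real traffic).
SCAM = ("From: Jane Doe <acct.update77@webmail.example>\n"
        "To: payroll@example.com\nSubject: Direct deposit update\n\n"
        "Hi Anna, I noticed suspicious activity in my account. "
        "Please change my bank details before the next paycheck.\n")
LEGIT = ("From: Jane Doe <jane.doe@example.com>\n"
         "To: payroll@example.com\nSubject: Lunch\n\nAre you free at noon?\n")

if __name__ == "__main__":
    for name, raw in (("scam", SCAM), ("legit", LEGIT)):
        print(name, check_sender(raw))
```

A message that raises `payroll-change-request` still needs the call-back step from the list, even when no sender flag fires, because a compromised company mailbox passes every address check.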

Hoxhunt response

Our Threat Analysis Team examines tens of thousands of reported phishing emails a week, including ones like these, and has captured tens of millions of threats to date. They cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.
