THE EMAIL THAT STOLE SOMEONE'S PAYCHECK
Learn how payroll diversion scams work and the simple Callback Rule that stops them. A 90-second phone call can prevent a $137K loss.
Last month, an HR manager at a 50-person company received an email from "Jennifer in accounting."
Jennifer wanted to update her direct deposit information.
New bank. New routing number. Please process before Friday's payroll.
The HR manager made the change. Jennifer's next paycheck went straight to a scammer's account.
This is a payroll diversion scam. And it's happening constantly.
What makes these scams so effective
According to recent data, business email compromise attacks cost organizations an average of $137,000 per incident. Payroll diversion is one of the fastest-growing versions of this fraud.
Here's why it works: the email looks completely normal. No suspicious links. No weird attachments. Just a simple request from a "coworker."
The scammer has done their homework. They know Jennifer's name. They know how your company formats emails. They might have even scraped LinkedIn to figure out who handles payroll.
And they're betting you're too busy to double-check.
The callback rule
Before changing any employee's banking information, pick up the phone.
Call the employee directly using a number you already have on file.
Not the number in the email. Not a number they "helpfully" provide.
The number from your HR system.
This takes 90 seconds. It stops 100% of these scams.
Scammers count on you being too busy to verify. They're betting you'll just process the request.
Don't give them that bet.
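The Callback Rule, written as a gate a payroll or HR system could enforce before a direct deposit change is applied. This is an added example written for this post, not Ṣọ Email Security's code; the employee record, phone numbers, bank details and the one-day verification window are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Constructed HR system of record: employee id -> phone number already on file.
HR_PHONE_ON_FILE = {"E1042": "+1-555-0100"}  # "Jennifer in accounting"

@dataclass
class DepositChangeRequest:
    employee_id: str
    new_bank_details: str          # routing/account pair from the email
    received_at: datetime
    number_in_email: Optional[str] = None  # number the email "helpfully" offers

@dataclass
class CallbackRecord:
    employee_id: str
    number_dialed: str             # the number HR actually called
    confirmed: bool                # did the employee confirm by voice?
    at: datetime

def callback_rule(req: DepositChangeRequest, cb: Optional[CallbackRecord],
                  max_age: timedelta = timedelta(days=1)) -> Tuple[bool, str]:
    """Approve a direct deposit change only after a verbal confirmation
    reached through the phone number the HR system already has on file."""
    on_file = HR_PHONE_ON_FILE.get(req.employee_id)
    if on_file is None:
        return False, "no phone number on file; cannot verify out of band"
    if cb is None:
        return False, "no callback recorded; change stays pending"
    if cb.employee_id != req.employee_id:
        return False, "callback record belongs to a different employee"
    if cb.number_dialed != on_file:
        # The classic trap: HR dialled the number supplied in the email.
        return False, "callback did not use the number from the HR system"
    if not (req.received_at <= cb.at <= req.received_at + max_age):
        return False, "callback must follow the request and be recent"
    if not cb.confirmed:
        return False, "employee did not confirm; treat the request as fraud"
    return True, "verified by callback to the known number; safe to process"

def scenario(number_dialed: Optional[str], confirmed: bool = True) -> Tuple[bool, str]:
    """Constructed case: the email offers +1-555-0199 as Jennifer's 'new' number."""
    received = datetime(2024, 3, 4, 9, 0)
    req = DepositChangeRequest("E1042", "routing 123456789 / acct 000987654",
                               received, number_in_email="+1-555-0199")
    cb = None if number_dialed is None else CallbackRecord(
        "E1042", number_dialed, confirmed, received + timedelta(minutes=20))
    return callback_rule(req, cb)
```

Dialling the number from the email passes a naive "we called someone" check but fails here, because the gate only accepts a callback to the number the HR system already holds.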
Why this matters for small businesses
Large enterprises have dedicated security teams and multi-step approval processes. Small businesses and nonprofits often don't.
That makes you a target.
The good news? You don't need a security team to implement the Callback Rule. You just need a policy and the discipline to follow it.
Your one thing today
Talk to whoever handles payroll at your company. Ask them: "What's our verification process when someone requests a banking change?"
If the answer is "we just do it," you have a problem worth fixing this afternoon.
Create a simple policy: all direct deposit changes require verbal confirmation via a known phone number. Write it down. Share it with your team. Make it non-negotiable.
90 seconds of verification beats explaining to an employee why their paycheck vanished.
Ṣọ Email Security helps freelancers, nonprofits, and small businesses detect email threats before they cause damage. Learn more about how we protect your inbox.