
How to Avoid Direct Deposit Scams

August 4th, 2023 | 3 min. read

By TJ Noa

Your payroll deadline is 30 minutes out. You are almost finished entering everything when you see an email from your hardest-working employee asking you to change their direct deposit account information. In the email, they say their upcoming check MUST go to the new account. Eager to accommodate them, and under time pressure, you make the change and submit payroll with only a couple of minutes to spare. The problem won't come to light until later, but your hardest-working employee is about to have their check sent to a cyber-criminal. And if the funds can't be recouped, you are going to have to pay out their wages twice.

As direct deposit became the standard way for employers to pay employees, cyber-criminals saw an opportunity to have money sent to them easily and regularly. As long as they moved the funds on to a new account, employers would not be able to reverse the ACH transfer. All they needed to do was impersonate an employee and ask for a direct deposit change. Small businesses that do not have a security protocol in place are particularly vulnerable to these attacks. Any business that falls victim will suffer not only the financial loss but also the seeds of distrust and discord between employees and employer. Fortunately, there are three protocols that are simple to implement and that prevent you from being victimized by these attacks. For the most security, implement at least two of them: employee agency, confirmation through a different medium, or an ACH update request form.

Empower your employees to take charge of direct deposit

One protocol you can use to prevent this scam is to push the responsibility for making direct deposit changes onto the employees themselves. Many outsourced payroll companies let your employees log in to a payroll portal to update personal information, including their direct deposit details. Once this system is in place, any request for a direct deposit change can be answered with instructions on how to find the update screen in the portal, so that the employee completes the update on their own. Be careful not to give out information that a cyber-criminal could use to make accessing the employee portal easier. The easiest way to keep these instructions from becoming too public is to provide them while carrying out the second protocol.

Want to learn more about how payroll software with employee self-service can make your operations more efficient? Check out this article.

Use a phone call as an added confirmation

This one is simple. If an employee emails you to request a direct deposit change, call them to confirm that it is really them. If you want them to make the change on their own, walk them through it on the phone. If your company has an internal communication system, use it to send a PDF of instructions on completing the change. If you do not want employees making these changes on their own, confirm the account number and the routing number through a different medium. Think of this as a manual two-factor authentication step. You can never be 100% sure that your employee is the one making the request until you hear it through two verified mediums. The third and final protocol can easily serve as one of those confirming mediums.


Return the ACH Update form IN PERSON

The best way to ensure that your employee is the one making the request is to have a form that they must fill out and hand to you physically, in person. That way you know the request comes from the employee, because they literally handed the company-specific direct deposit change form directly to you. Given remote work and the often time-sensitive nature of direct deposit changes, this solution is not always practical to implement. But there are workarounds. Receiving a scanned image of the signed request can be one of the mediums you use to make sure the update is legitimate. Do your best to make the form accessible to your employees some other way, so that you are not sending it to them as an email attachment. If it is just an attachment, cyber-criminals will be more likely to find it and simply fill out the form you emailed to the employee's account.
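The three protocols above amount to one rule: do not act on a direct deposit change until it is backed by two independent, verified mediums, and never treat the email that asked for the change as one of them. The following is an added example (not the post's own code, and not tied to any payroll product) that models that rule as a small approval gate. The employee directory, contact details, employee ids and account numbers are constructed sample data. It adds two checks a payroll team would want that the post only implies: a phone confirmation counts only when payroll placed the call to the number already on file (a number supplied in the request itself could be the scammer's), and the new routing number is run through the standard ABA nine-digit checksum so obvious typos are caught before the change is even considered.

```python
"""Two-channel approval gate for direct deposit change requests.

Added illustration, not code from the original post. Channel names, the
directory and all sample requests are constructed for this example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set, Tuple


class Channel(Enum):
    EMAIL = "email"                    # the channel scammers impersonate; never counts as verified
    PHONE_CALLBACK = "phone_callback"  # payroll calls the number already on file
    PORTAL = "self_service_portal"     # employee makes the change after logging in themselves
    SIGNED_FORM = "signed_form"        # company form returned in person or as a signed scan


# Constructed HR records (hypothetical employee id and contact details).
DIRECTORY = {
    "E1001": {"phone_on_file": "+1-555-0100", "email_on_file": "jdoe@example.com"},
}


@dataclass
class Confirmation:
    channel: Channel
    contact_used: Optional[str] = None  # for callbacks: the number payroll actually dialled


@dataclass
class ChangeRequest:
    employee_id: str
    requested_via: Channel
    sender: str            # address or number the request arrived from
    new_routing: str
    new_account: str
    confirmations: List[Confirmation] = field(default_factory=list)


def routing_number_ok(rn: str) -> bool:
    """ABA routing number format check: nine digits with a 3-7-1 weighted mod-10 checksum.
    It catches typos and junk values only; it says nothing about who owns the account."""
    if len(rn) != 9 or not rn.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(rn, weights)) % 10 == 0


def verified_channels(req: ChangeRequest, directory: dict) -> Tuple[Set[Channel], List[str]]:
    """Return the independent verified mediums behind a request, plus audit notes
    explaining each claimed confirmation that was disregarded."""
    record = directory.get(req.employee_id)
    if record is None:
        return set(), ["unknown employee id"]
    verified: Set[Channel] = set()
    notes: List[str] = []
    # The request's own channel counts only when it is strong in itself: a portal
    # login or a signed company form. An emailed request is just an unverified claim.
    if req.requested_via in (Channel.PORTAL, Channel.SIGNED_FORM):
        verified.add(req.requested_via)
    for c in req.confirmations:
        if c.channel == Channel.EMAIL:
            notes.append("email reply verifies nothing; the mailbox may be the attacker's")
        elif c.channel == req.requested_via:
            notes.append(f"{c.channel.value} repeats the request channel; not independent")
        elif c.channel == Channel.PHONE_CALLBACK and c.contact_used != record["phone_on_file"]:
            notes.append("callback did not go to the number on file (number likely came from the request)")
        else:
            verified.add(c.channel)
    return verified, notes


def decide(req: ChangeRequest, directory: dict = DIRECTORY, required: int = 2) -> Tuple[bool, List[str]]:
    """Approve only if the routing number is well-formed and at least `required`
    distinct verified mediums back the change. Notes are returned for the audit log."""
    verified, notes = verified_channels(req, directory)
    routing_ok = routing_number_ok(req.new_routing)
    if not routing_ok:
        notes.append("routing number fails format/checksum")
    notes.append(f"{len(verified)} verified medium(s); {required} required")
    return (routing_ok and len(verified) >= required), notes


# Constructed scenarios mirroring the post. Each returns the approval decision.
def scenario_email_only() -> bool:
    # The opening story: an emailed request acted on under time pressure, nothing else.
    req = ChangeRequest("E1001", Channel.EMAIL, "jdoe@example.com", "123456780", "9876543210")
    return decide(req)[0]


def scenario_callback_to_number_in_email() -> bool:
    # Payroll "confirmed" by calling a number the email helpfully supplied.
    req = ChangeRequest("E1001", Channel.EMAIL, "jdoe@example.com", "123456780", "9876543210",
                        confirmations=[Confirmation(Channel.PHONE_CALLBACK, "+1-555-0199")])
    return decide(req)[0]


def scenario_callback_and_signed_form() -> bool:
    # Protocols two and three together: callback to the number on file plus a signed form.
    req = ChangeRequest("E1001", Channel.EMAIL, "jdoe@example.com", "123456780", "9876543210",
                        confirmations=[Confirmation(Channel.PHONE_CALLBACK, "+1-555-0100"),
                                       Confirmation(Channel.SIGNED_FORM)])
    return decide(req)[0]


def scenario_portal_with_callback() -> bool:
    # Protocols one and two: employee changed it in the portal, payroll called to confirm.
    req = ChangeRequest("E1001", Channel.PORTAL, "portal-session", "123456780", "9876543210",
                        confirmations=[Confirmation(Channel.PHONE_CALLBACK, "+1-555-0100")])
    return decide(req)[0]


if __name__ == "__main__":
    for name in ("scenario_email_only", "scenario_callback_to_number_in_email",
                 "scenario_callback_and_signed_form", "scenario_portal_with_callback"):
        print(name, "->", "APPROVE" if globals()[name]() else "HOLD")
```

The `required` parameter encodes the post's "at least two protocols" recommendation; a team that settles on a single callback to the number on file as its bar can set it to 1, but the email that carried the request still never counts. The audit notes are worth keeping with the payroll record, since the pattern of near-misses (callbacks to numbers that were not on file, email-only confirmations) is what tells you an impersonation campaign is under way.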

Whichever protocols you choose to implement, make sure your team knows about them and knows they are in place to keep their money safe. Yes, it is inconvenient to fill out a physical form and call your employer to make a change, but convenience comes at the cost of security. There is no better way to show that you care about your employees than investing in the security of their paycheck. 

Have a lot of remote workers? Your cybersecurity can get complicated fast. Check out this article about how to make sure you’re protecting your business with a remote workforce.