Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

BEC Payroll Scam: Your Salary is Mine!

Con men have been exploiting human psychology since the dawn of time. Equipped with the capabilities of the digital age they now have the means to launch voluminous lucrative con schemes at a global scale. Business email compromise (BEC) or whaling is one such targeted scheme where the con men send the target an email message purporting to be from the company’s CEO or executive demanding a wire transfer. To appear legitimate, the messages often forge the sender’s address on the From: line and direct replies to a separate Reply-To: address controlled by the scammers.

We’ve written several times over the past few years about business email compromise (BEC) and how it has become a leading financial threat to any organization. More recently, a BEC variation has emerged that is becoming quite prevalent. This variation is known as a “Payroll Scam” and is the subject of this blog.

The Plot

Imagine the pain of not getting paid on your payday, that pain quickly shifts to agony, anguish, torture and suffering when you learn that the payroll department of your company transferred your salary to a new bank account on your request – a request you never made!

In Payroll scams, cybercriminals target individuals in an organization’s HR department, Payroll department, Finance department or direct line managers with the goal to con them into transferring their employee’s salary into accounts controlled by the scammers. The targets are sent spoofed email messages purporting to be from the company’s CEO, executives or employees requesting to change their direct deposit payroll account. The unsuspecting targets, usually payroll or HR staff, change the account leading to successful salary transfer for the scammers. It often takes one or two missing salaries before the unaware victim realizes and reports the matter to the authorities.

To make the scam a success, cybercriminals continue with the tactics learned from general BEC wire transfer scams. These tactics include:

  • Using a legit employee’s name and spoofed email in the From field, while using a newly created email address, often created with free email hosting service providers, in the Reply-To field.
  • Using a legit employee’s name and fake email in the From and Reply-to fields. The fake email address is often created with free email hosting service providers.
  • Using a legit employee’s name in the From display name field, while using a fake email address in the From email address part.
  • The email address used by the scammers in the From or Reply-To fields is often created using free email services. Sometimes these email addresses use recently registered domains that are controlled by the scammers.


Example messages:

After analyzing numerous Payroll scam messages, we have categorized them as follows:

  • Messages sent from CEO to Payroll Manager
  • Employee to Payroll Manager
  • Employee to HR Manager
  • Employee to direct line manager

Before launching the attack, the cybercriminals perform the necessary reconnaissance against a target organization and identify individuals in HR, Payroll, Finance or direct line managers that have the power to change an employee’s payroll account. This involves searching for such titles on the company’s website, googling for similar titles or searching on professional public networks like LinkedIn helps identify the right targets. Once the targets are identified, the attack is launched. Here are some anonymized examples of the initial lure messages as seen in the field:

Messages sent from CEO to Payroll Manager

This category is the most widely used among all scam messages seen. The general theme is that the CEO of the company is sending an email message to the company’s payroll manager demanding a change to the payroll direct deposit account, this is followed by a demand for urgency in handling the request. The CEO’s name is used in the From field display name part to appear as legit, with common subject lines like “Payroll Update”, “Payroll Request” and “Change Payroll” etc.



Sometimes additional phrases are used to stress on the urgency of the matter. In the example below the scammers are warning that the previous bank account will become inactive in 30 days.



Executive/Employee to Payroll Manager

With many companies using rules to scrutinize external emails from CEOs, the more careful attackers avoid using the CEO’s name and, in the process, increase their success rate by impersonating the company’s executives (VPs, Directors) instead. The names and titles of the executives are often available on the company website or could be harvested from the corresponding LinkedIn profiles.

The scam follows the similar message template with the exception that the order turns into a request to the Payroll department to update the direct deposit information for the employee or executives salary/wage account. Similarly, instead of demanding urgency, they resort to more polite statements such as “please assist”, “please advise” and “kindly help” etc. This makes it more appropriate for a persona of an employee sending a request to the Payroll department, instead of the CEO boss demanding completion of a task. Some screenshots of such messages are shown here:






Executive/Employee to HR Manager

This scam is very similar to the previous category. The only difference is that the target is the HR Manager instead of the Payroll Manager. Again, the scammers carefully study the organization and determine the roles of HR. In some organizations, HR has authority to perform the payroll account changes for employees. In others, this role comes under Payroll or Finance department only; hence, in that case  HR would serve as a proxy for the scammers in forwarding the request to the payroll manager without raising any suspicion.




Employee to Direct line manager

This is yet again a very cunning variation of the scam. This time the target is the direct line manager of an employee, in effect using the line manager as the proxy to talk to the payroll department in getting the change made. In this scam, the scammers study whom the line manager of an employee is and send the Payroll change request to the line manager impersonating the employee.


Payroll Scam Stats

Here are some interesting trends seen in Payroll scams

  • Most (around 95%) of the email address used by the Payroll scammers in the From or Reply-To fields are created using free email services such as Gmail, AOL, TWC/RoadRunner, Lycos, Cox, Outlook and etc. The email service used to carry out the attack varies from campaign to campaign and probably depends on the preference of the scammers. Around 5% of emails use custom domains registered by scammers.
  • Common Subject lines used across most of these messages include: “Direct Deposit change”, “Payroll update”, “DD update”, “Request”, “Account Update”, “Quick response”, “Change bank info”, “Available”.
  • Common phrases used in the body of most messages include: “Change my payroll direct deposit” and “Update my bank details for my monthly salary”.


Cybercriminals are leveraging social engineering techniques to trick employees in an organization. Fraud tactics continue to evolve with payroll fraud being a new weapon in the arsenal of the BEC scammers. Payroll scams are carried out by scammers who send fake email messages impersonating an executive or an employee of an organization to deceive trusted managers in the HR and Payroll departments, requesting them to change the employee’s payroll bank account to that controlled by the scammer. These actions lead to monetary loss and irritated employees.

BEC Fraud is increasingly big business for the scammers. Organizations have deeper pockets than individuals, and the scam preys on the willingness of employees to trust emails that are purportedly coming from executives or employees within the organization. The number of scammers jumping on this bandwagon has increased markedly, as it has proven lucrative for them.

The BEC scammers continue to evolve their techniques to further their objectives. We have witnessed an increase in BEC attacks that are now targeting all organizations big or small across different industry sectors. The menace of BEC is very real and is costing businesses real money.


Note for SEG Customers

Trustwave Secure Email Gateway (SEG) and SEG Cloud customers have a range of features available to them to help counteract BEC Fraud, including rules and specialized filters that are aimed squarely at the unique nature of BEC scams. It's a complex area and to help explain it we have produced a couple of in-depth documents that provide considerable background details and configuration options. These details are included in our BEC Fraud Protection Guides, which are available in the documentation area of the website (customer login required). The SEG Cloud guide can be found here.

Latest SpiderLabs Blogs

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More

Physical Address Strangeness in Spam

Ten years ago, Congress passed the "CAN-SPAM Act" (also known as theYou-CAN-SPAM Act, since it defined legal spam and supersedes any stricter state-antispam laws). One of the provisions of the act is...

Read More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising

During an Advanced Continual Threat Hunt (ACTH) investigation that took place in early December 2023, Trustwave SpiderLabs discovered Ov3r_Stealer, an infostealer distributed using Facebook...

Read More