A senior executive contact recently flagged a suspicious email about a pro bono advisor’s payroll details. The message used the advisor’s name and job title taken from a public LinkedIn profile, but it came from an unusual email and asked to change direct deposit information for an unpaid advisory role.

The inconsistencies were obvious to the organization: the email address was incorrect, the signature did not match prior correspondence, and there was no payroll record to update. The firm treated the message as an attempted fraud, notified the relevant parties, and closed the loop.

Viewed against regulatory definitions, the attempt fits into business email compromise, or BEC, a family of schemes where criminals compromise email accounts or impersonate business contacts in order to misdirect payments or other things of value. In this case, the attacker tried to impersonate a trusted adviser to alter a payroll destination that does not exist.

Key Takeaways on Payroll Diversion Fraud


  • At a contact's company, an attacker used a fake email address plus a name and title scraped from LinkedIn to request a payroll direct deposit change for a pro bono advisor, matching patterns of payroll diversion fraud within business email compromise.
  • The FBI Internet Crime Complaint Center reports that in 2024, business email compromise and email account compromise generated 21,442 complaints and about $2.77 billion in reported losses, making BEC one of the costliest internet crime categories.
  • FinCEN’s updated 2019 advisory describes email compromise fraud schemes that target vulnerable business processes, including payroll accounts, and notes that since 2016 it has received over 32,000 reports tied to nearly $9 billion in attempted theft.
  • AFP’s 2025 Payments Fraud and Control Survey, based on 2024 activity, finds that 79 percent of surveyed organizations faced payments fraud attempts and 63 percent cite business email compromise as the leading avenue for those attempts.
  • Defenses include banning email-only payroll changes, requiring out-of-band verification and dual approval for account updates, authenticating email with SPF, DKIM and DMARC, and reporting incidents quickly so fund recovery teams have a chance to intervene.
  • Over time, organizations can raise assurance further by aligning identity and authorization workflows with digital identity guidance in NIST SP 800-63-4 and by exploring verifiable, cryptographically signed credentials for high-risk requests.

Classifying The Scam: Payroll Diversion As Business Email Compromise


Payroll diversion, sometimes called direct deposit diversion, is a pattern where attackers pose as employees and attempt to redirect salary payments to bank accounts they control. FinCEN’s updated advisory on email compromise fraud defines email compromise as schemes in which criminals compromise email accounts or otherwise impersonate business contacts in order to send fraudulent payment instructions or transmit data used for financial fraud.

It describes business email compromise as the subset targeting organizational accounts and transactions. In the same advisory, FinCEN notes that BEC actors focus on vulnerabilities in business processes such as payment authorization, authentication and communication.

It highlights that government organizations have been targeted through accounts used for pension funds, payroll accounts and contracted services, with losses that can affect operations, employees and vendors according to the advisory from the Financial Crimes Enforcement Network.

The incident described matches this structure even though the consultant had no payroll profile in the system. An attacker appears to have harvested a name and title from LinkedIn, crafted a familiar-looking email, and sent a request designed to trigger a routine payroll update. If the email had not been questioned, the next step would likely have been redirection of future payments to an attacker-controlled account.

From a classification standpoint, that combination of impersonation and a request to modify a payout route is best understood as payroll diversion fraud under the broader business email compromise category. The episode illustrates that attackers apply the same social engineering playbooks across organizations of all sizes and sectors.


How Big The Problem Is: BEC Losses In The Data


The FBI’s Internet Crime Complaint Center, or IC3, received 859,532 complaints in 2024 with reported losses of 16.6 billion dollars, according to the 2024 IC3 annual report from the Federal Bureau of Investigation. Within those complaints, business email compromise was associated with 21,442 reports and estimated losses of about 2.77 billion dollars, making BEC the second largest crime type by reported financial loss for that year.

Those figures capture only incidents that victims reported to IC3 and that fit the Bureau’s BEC definition. They do not include cases reported directly to local field offices or losses that organizations chose not to disclose externally, so the total exposure is almost certainly higher than the official numbers suggest.

FinCEN’s perspective, based on Bank Secrecy Act reporting from financial institutions, reinforces that scale. In its 2019 updated advisory on email compromise fraud, the bureau notes that since its 2016 BEC advisory it had received over 32,000 reports involving almost 9 billion dollars in attempted theft from BEC schemes affecting U.S. financial institutions and their customers.

It also observes continued growth in both monthly report volumes and attempted theft amounts. Survey data from the Association for Financial Professionals adds an operator’s view from treasury and payments teams. The 2025 AFP Payments Fraud and Control Survey, summarizing 2024 experience, reports that 79 percent of participating organizations were victims of payment fraud attacks or attempts.

Furthermore, 63 percent of respondents cited business email compromise as the number one avenue for those attempts.

Most of these statistics are framed at the level of institutions, transfers and aggregate dollars, but payroll diversion attempts also produce direct effects on workers. When such a scheme succeeds, employees can miss one or more pay cycles while HR and financial institutions investigate, and fraud recovery becomes harder as funds move through money mule accounts.

Because many near misses and internal fixes never reach law enforcement or survey instruments, the frequency of payroll-related episodes is likely undercounted relative to their impact.

How Public Career Data Enables Impersonation


LinkedIn and similar platforms encourage people to publish detailed job titles, reporting lines and project roles. FinCEN’s advisory notes that BEC actors study openly available information about targets and their business processes, including public websites, and then insert themselves into communications by impersonating a critical party in an existing relationship.

For payroll diversion, that research can be relatively simple. An attacker can search for employees or advisers with finance-related titles, identify executives or founders, derive plausible internal relationships and then craft messages that appear to come from those individuals. If a recipient recognizes the name and role from public materials, they may treat the email as legitimate even if the domain or address is different.

In organizations that rely heavily on email for operational workflows, new joiner onboarding and remote collaboration, staff may have limited direct contact with colleagues whose names appear in high-level requests. That makes it easier for an attacker to exploit display-name familiarity, especially when they write in neutral business language and reference real titles or projects taken from public profiles.

Even when formal forms or portals exist for payroll changes, email is often used as the trigger or as a channel to send attachments. A forged or compromised account can attach a completed form that appears to meet internal requirements, further reducing the chance that a rushed reviewer will question the request before submitting it to the payroll system or external provider.

The described case illustrates how a small set of public facts can be enough for an attacker to construct a persuasive narrative. The impersonator did not need access to an internal directory or HR system; the LinkedIn title and knowledge that the consultant worked with the company were sufficient to craft a plausible-sounding payroll instruction.

Process Controls That Stop Payroll Diversion


FinCEN encourages financial institutions and their customers to assess how vulnerable their business processes are to compromise and to harden authentication, authorization and communication procedures around payments. It recommends multi-faceted transaction verification and training to recognize and avoid spear phishing, rather than relying solely on single-channel, email-based instructions.

For payroll operations, a straightforward starting point is to ban changes to salary or direct deposit details that are requested only by email. Instead, organizations can require that employees update bank information through a human resources or payroll portal protected with strong authentication and an auditable change history. Where self-service portals are not available, structured ticketing workflows with identity checks are safer than ad hoc email threads.

Out-of-band verification is a second critical layer. When a request would change where funds are sent, staff should confirm it using a channel and contact method already on file, such as a phone number in the HR system or a message to a verified internal collaboration account. Verification should never rely on phone numbers, email addresses or links supplied in the change request itself.

Dual control and short activation delays add further protection. Requiring two separate approvals, for example from HR and finance, makes it less likely that a single compromised inbox or inattentive reviewer can authorize a fraudulent change. A brief delay between approval and the first payment to a new account can create time for the real employee to notice confirmation messages and report any discrepancy.
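The three controls above (no email-only changes, out-of-band verification against contact details already on file, dual approval with a hold before the first payment) can be encoded as a small state machine. The following is an added illustration written for this article, not code from any vendor or the organizations mentioned; the employee record, hold period, department names and the `portal`/`ticket`/`email` channel labels are assumptions chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// HoldPeriod: delay between final approval and the first payment to a new
// account, so the real employee can notice a confirmation they never asked
// for. Constructed value for this example.
const HoldPeriod = 48 * time.Hour

// hrDirectory stands in for the HR system of record (constructed data).
// Verification must use the contact held here, never one from the request.
var hrDirectory = map[string]struct{ PhoneOnFile string }{
	"E1001": {PhoneOnFile: "+1-555-0100"},
}

// ChangeRequest is a direct deposit change moving through the workflow.
type ChangeRequest struct {
	EmployeeID    string
	NewAccount    string
	Channel       string // "portal", "ticket" or "email"
	SuppliedPhone string // callback number offered in the request, if any

	verified   bool
	approvals  map[string]bool // approving department -> true
	approvedAt time.Time       // when the second approval landed
}

// Submit enforces the first rule: nothing is accepted on email alone, and a
// request for someone without a payroll record has nothing to update.
func Submit(r *ChangeRequest) error {
	if r.Channel == "email" {
		return errors.New("payroll changes cannot be initiated by email; use the HR portal or ticket queue")
	}
	if _, ok := hrDirectory[r.EmployeeID]; !ok {
		return fmt.Errorf("no payroll record for %s; nothing to update", r.EmployeeID)
	}
	r.approvals = map[string]bool{}
	return nil
}

// VerificationContact returns the channel the verifier must use. It comes
// from the HR record, so a number planted in the request is never dialled;
// a supplied number that differs from the record is itself a warning sign.
func VerificationContact(r *ChangeRequest) (contact, warning string) {
	contact = hrDirectory[r.EmployeeID].PhoneOnFile
	if r.SuppliedPhone != "" && r.SuppliedPhone != contact {
		warning = "request supplied a callback number that does not match HR records"
	}
	return contact, warning
}

// MarkVerified records that the employee confirmed the change on the
// on-file contact returned by VerificationContact.
func MarkVerified(r *ChangeRequest) { r.verified = true }

// Approve records one department's approval. Two distinct departments are
// required, so one compromised inbox or rushed reviewer cannot finish alone.
func Approve(r *ChangeRequest, dept string, now time.Time) error {
	if r.approvals == nil || !r.verified {
		return errors.New("submit through an approved channel and verify out of band first")
	}
	if dept != "HR" && dept != "Finance" {
		return fmt.Errorf("%s is not an approving department", dept)
	}
	if r.approvals[dept] {
		return fmt.Errorf("%s already approved; the second approval must come from another department", dept)
	}
	r.approvals[dept] = true
	if len(r.approvals) == 2 {
		r.approvedAt = now
	}
	return nil
}

// Payable reports whether funds may go to the new account at time now:
// verified, dual-approved, and past the hold period.
func Payable(r *ChangeRequest, now time.Time) bool {
	return r.verified && len(r.approvals) == 2 && !now.Before(r.approvedAt.Add(HoldPeriod))
}

func main() {
	t0 := time.Date(2025, 1, 6, 9, 0, 0, 0, time.UTC)
	req := &ChangeRequest{EmployeeID: "E1001", NewAccount: "NEW-ACCT-42", Channel: "portal", SuppliedPhone: "+1-555-0199"}
	fmt.Println("submit:", Submit(req))
	fmt.Println(VerificationContact(req))
	MarkVerified(req)
	fmt.Println("HR:", Approve(req, "HR", t0), "Finance:", Approve(req, "Finance", t0))
	fmt.Println("payable now:", Payable(req, t0), "after hold:", Payable(req, t0.Add(HoldPeriod)))
	fmt.Println("email-only:", Submit(&ChangeRequest{EmployeeID: "E1001", Channel: "email"}))
}
```

The design point is that the verifier never chooses the callback channel: `VerificationContact` reads it from the HR record, and a number supplied in the request is only ever used to raise a warning. The incident in this article would have stopped at `Submit`, since there was no payroll record to update.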

Incident response planning matters as much as prevention. The IC3 report describes a Recovery Asset Team that works with financial institutions through a Financial Fraud Kill Chain process and notes that in 2024 it handled 3,020 complaints involving 848.4 million dollars in attempted theft, with hundreds of millions frozen for domestic and international cases.

Those outcomes depend on victims preserving email evidence, contacting their bank quickly and submitting a complaint to IC3 so that the freezing process can begin while funds are still within reach.

Email Authentication Requirements And Their Limits


Technical email authentication standards, particularly SPF, DKIM and DMARC, help validate that a message using a given domain actually comes from servers authorized to send on that domain’s behalf. Google’s email sender guidelines for Workspace administrators, for example, instruct senders to authenticate email with SPF and DKIM, align those mechanisms at the organizational level and publish DMARC policies so that receiving systems can decide how to treat unauthenticated messages.

These controls reduce classic spoofing where attackers forge the visible From domain while sending from unrelated infrastructure. When an organization has correctly configured DNS records and DMARC, many fraudulent messages that pretend to come from its domain can be rejected or quarantined before they reach user inboxes.

However, email authentication does not solve the entire impersonation problem. Attackers can register lookalike domains, use personal webmail addresses or compromise legitimate third-party accounts. Messages from such accounts can pass SPF and DKIM checks for their own domains even if they are being used for social engineering.

As the described incident shows, a recipient can still be misled if they focus on a familiar name and job title rather than the details of the address or the logic of the request. SPF, DKIM and DMARC are necessary to cut down noise and obvious spoofing, but process rules about which channels can initiate high-risk changes and how those changes are verified remain essential for preventing payroll diversion.
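To make the reach and the limit of these standards concrete, the following added example (written for this article, not taken from Google's guidelines or any mail software) parses a DMARC record and evaluates identifier alignment the way a receiving system does. The domains are constructed under the reserved `.example` TLD; the organizational-domain shortcut and the `AuthResult` shape are simplifications assumed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// DMARCPolicy is the subset of a DMARC TXT record that governs disposition
// and identifier alignment.
type DMARCPolicy struct {
	Policy    string // p=: none, quarantine or reject
	SPFAlign  string // aspf=: "r" relaxed (default) or "s" strict
	DKIMAlign string // adkim=: "r" or "s"
}

// ParseDMARC parses a record such as "v=DMARC1; p=reject; adkim=s".
func ParseDMARC(record string) (DMARCPolicy, error) {
	pol := DMARCPolicy{Policy: "none", SPFAlign: "r", DKIMAlign: "r"}
	tags := map[string]string{}
	for _, part := range strings.Split(record, ";") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) == 2 {
			tags[strings.ToLower(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
		}
	}
	if tags["v"] != "DMARC1" {
		return pol, fmt.Errorf("not a DMARC record: %q", record)
	}
	if p, ok := tags["p"]; ok {
		pol.Policy = strings.ToLower(p)
	}
	if a, ok := tags["aspf"]; ok {
		pol.SPFAlign = strings.ToLower(a)
	}
	if a, ok := tags["adkim"]; ok {
		pol.DKIMAlign = strings.ToLower(a)
	}
	return pol, nil
}

// orgDomain keeps the last two labels as the organizational domain. Real
// receivers consult the Public Suffix List; this shortcut is enough for
// the sample domains used here.
func orgDomain(d string) string {
	labels := strings.Split(strings.ToLower(d), ".")
	if len(labels) <= 2 {
		return strings.Join(labels, ".")
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// aligned reports whether an authenticated domain aligns with the visible
// From domain under the given mode.
func aligned(fromDomain, authDomain, mode string) bool {
	if mode == "s" {
		return strings.EqualFold(fromDomain, authDomain)
	}
	return orgDomain(fromDomain) == orgDomain(authDomain)
}

// AuthResult is what the receiver already learned from SPF and DKIM.
type AuthResult struct {
	FromDomain string // domain of the visible From header
	SPFPass    bool
	SPFDomain  string // MAIL FROM domain SPF was evaluated against
	DKIMPass   bool
	DKIMDomain string // d= of a passing DKIM signature
}

// Evaluate returns "pass" when an aligned identifier authenticated, and
// otherwise the disposition the domain owner asked for.
func Evaluate(pol DMARCPolicy, a AuthResult) string {
	if a.SPFPass && aligned(a.FromDomain, a.SPFDomain, pol.SPFAlign) {
		return "pass"
	}
	if a.DKIMPass && aligned(a.FromDomain, a.DKIMDomain, pol.DKIMAlign) {
		return "pass"
	}
	return pol.Policy
}

func main() {
	// Constructed records for the reserved .example TLD.
	strict, _ := ParseDMARC("v=DMARC1; p=reject; aspf=r; adkim=s")
	// 1. Direct spoof: From claims acme.example, but nothing authenticates for it.
	spoof := AuthResult{FromDomain: "acme.example", SPFPass: true, SPFDomain: "bulk-sender.example"}
	fmt.Println("spoof of acme.example:", Evaluate(strict, spoof))
	// 2. Lookalike: the sender's own domain authenticates correctly, so DMARC
	// has nothing to object to. Only the reader, or a lookalike filter, catches it.
	lookalike, _ := ParseDMARC("v=DMARC1; p=none")
	own := AuthResult{FromDomain: "acrne.example", SPFPass: true, SPFDomain: "acrne.example"}
	fmt.Println("lookalike acrne.example:", Evaluate(lookalike, own))
}
```

The second case in `main` is the limit the text describes: a message from a lookalike or personal domain is evaluated against that domain's own DMARC record, so it passes, and nothing in SPF, DKIM or DMARC says anything about whether the person behind it is who the display name claims.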

Stronger Identity Assurance And Verifiable Authorization


While email authentication focuses on where a message came from, high-risk workflows also need confidence about who is making a request and whether they are allowed to do so. NIST’s Special Publication 800-63-4, Digital Identity Guidelines, sets out a framework for digital identity proofing, authentication and federation, including assurance levels that agencies and organizations can apply when they decide how much evidence they need before permitting a sensitive transaction.

In that framework, a payroll change request can be treated as a high-risk event that requires stronger authentication and better evidence of authorization than routine communications. One emerging approach is to rely on verifiable, cryptographically signed credentials that represent facts about a person or role, such as that a given identifier belongs to an employee in a specific department or that a particular account is authorized to approve certain categories of payment changes.

Under this model, a request to change salary banking details would need to carry a cryptographic proof that it originated from an account bound to the employee’s verified identity and that it passed policy checks inside the organization’s identity and access management system. Verification can be automated on the receiving side, reducing the risk that staff will bypass checks under time pressure or rely only on visual familiarity with a sender name.
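The following added example (constructed for this article; it is not an implementation of NIST SP 800-63-4, of Accumulate, or of any product) shows what the receiving side of such a model can check automatically: an Ed25519 signature over the request claims, made with a key enrolled to the employee, plus the policy and replay checks. The claim schema, action name, employee identifiers and nonce handling are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Claims is the signed statement carried with a change request. The schema
// is constructed for this example.
type Claims struct {
	Subject    string `json:"sub"`       // employee identifier the signing key is enrolled to
	Action     string `json:"act"`       // operation requested
	NewAccount string `json:"acct"`      // destination the requester wants
	PolicyOK   bool   `json:"policy_ok"` // decision recorded by the IAM policy engine
	Nonce      string `json:"nonce"`     // single use, so a captured credential cannot be replayed
}

const ActionDepositChange = "payroll.direct_deposit.change"

// Credential is the serialized claims plus an Ed25519 signature over them.
type Credential struct {
	Claims    []byte
	Signature []byte
}

// Registry holds the public key enrolled to each employee during identity
// proofing: the binding between a person and their authenticator.
type Registry map[string]ed25519.PublicKey

// Verifier checks credentials against the registry and remembers nonces.
type Verifier struct {
	Keys Registry
	seen map[string]bool
}

// Issue signs the claims with the requester's enrolled private key.
func Issue(priv ed25519.PrivateKey, c Claims) (Credential, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return Credential{}, err
	}
	return Credential{Claims: body, Signature: ed25519.Sign(priv, body)}, nil
}

// Verify accepts a credential only if it was signed by the key enrolled to
// the employee whose record would change, requests the expected action,
// passed policy, and has not been presented before.
func (v *Verifier) Verify(cred Credential, recordOwner string) (Claims, error) {
	var c Claims
	if err := json.Unmarshal(cred.Claims, &c); err != nil {
		return c, fmt.Errorf("malformed claims: %w", err)
	}
	pub, ok := v.Keys[c.Subject]
	if !ok {
		return c, errors.New("subject has no enrolled key")
	}
	if !ed25519.Verify(pub, cred.Claims, cred.Signature) {
		return c, errors.New("signature does not verify under the subject's enrolled key")
	}
	if c.Subject != recordOwner {
		return c, errors.New("credential is not bound to the employee whose record would change")
	}
	if c.Action != ActionDepositChange {
		return c, fmt.Errorf("unexpected action %q", c.Action)
	}
	if !c.PolicyOK {
		return c, errors.New("IAM policy check did not pass")
	}
	if v.seen == nil {
		v.seen = map[string]bool{}
	}
	if v.seen[c.Nonce] {
		return c, errors.New("credential replayed")
	}
	v.seen[c.Nonce] = true
	return c, nil
}

func main() {
	empPub, empPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	v := &Verifier{Keys: Registry{"E1001": empPub}}

	cred, _ := Issue(empPriv, Claims{Subject: "E1001", Action: ActionDepositChange, NewAccount: "NEW-ACCT-42", PolicyOK: true, Nonce: "n1"})
	_, err := v.Verify(cred, "E1001")
	fmt.Println("genuine request:", err)

	// Knowing a name and title is not enough: without E1001's private key the
	// signature fails, however convincing the claims look.
	forged, _ := Issue(attackerPriv, Claims{Subject: "E1001", Action: ActionDepositChange, NewAccount: "OTHER-ACCT", PolicyOK: true, Nonce: "n2"})
	_, err = v.Verify(forged, "E1001")
	fmt.Println("forged request:", err)
}
```

The order of checks matters: the signature is verified against the key enrolled to the claimed subject before any other claim is trusted, and the subject must equal the owner of the payroll record being changed, so a valid credential for one employee cannot authorize a change to another employee's account.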

Distributed identity and provenance networks, including protocols such as Accumulate that focus on auditable identity trails, aim to provide shared, append-only records of who is authorized to do what across organizational boundaries. In principle, such infrastructure can support signed, machine-checkable assertions about roles and delegations that travel with messages.

These approaches do not eliminate the need for training, escalation paths or traditional controls like dual approval. Instead, they offer a way to encode and verify authorization rules more systematically, drawing on the assurance concepts in NIST’s guidance to align technical mechanisms with the actual risk level of different actions.

Practical Steps For Firms And Workers


For organizations, the most important safeguards against payroll diversion are procedural and can be implemented regardless of sector or technology stack. Updating policies so that payroll and vendor banking changes never proceed based solely on email, defining clear verification steps using contact information already on file and enforcing dual approvals for significant changes will block many of the scenarios seen in regulatory case studies.

Technical measures should support those process rules rather than replace them. Security and IT teams can ensure that the organization’s sending domains use SPF, DKIM and DMARC correctly, review DMARC reports for signs of abuse, and configure email clients or gateways to flag external messages that use internal names or resemble important internal domains.
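The gateway rule described in the previous paragraph, flagging external mail that borrows an internal display name or a domain that looks like one of the organization's own, can be expressed as a simple check over the From header. This is an added example written for this article, not a feature of any particular gateway product; the internal directory, the confusable-character table and the edit-distance threshold are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Constructed directory data: the organization's own domains and the
// (lower-cased) display names of people whose requests carry weight.
var internalDomains = []string{"acme.example"}
var internalNames = map[string]bool{"dana reyes": true}

// confusables maps characters commonly swapped into lookalike domains.
var confusables = map[rune]rune{'0': 'o', '1': 'l', '3': 'e', '5': 's', '7': 't', '8': 'b'}

// skeleton collapses visually similar characters so that "acrne" and
// "acme" compare equal.
func skeleton(domain string) string {
	s := strings.ToLower(domain)
	s = strings.ReplaceAll(s, "rn", "m")
	s = strings.ReplaceAll(s, "vv", "w")
	return strings.Map(func(r rune) rune {
		if c, ok := confusables[r]; ok {
			return c
		}
		return r
	}, s)
}

func smallest(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// levenshtein is the edit distance between two strings; one edit away from
// an internal domain is treated as a lookalike.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur := make([]int, len(rb)+1)
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = smallest(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev = cur
	}
	return prev[len(rb)]
}

// Flag returns the reasons an external message should be marked for the
// recipient, or nil for mail from the organization's own domains (assumed
// to have passed SPF, DKIM and DMARC before reaching this check).
func Flag(fromHeader string) ([]string, error) {
	addr, err := mail.ParseAddress(fromHeader)
	if err != nil {
		return nil, err
	}
	domain := strings.ToLower(addr.Address[strings.LastIndex(addr.Address, "@")+1:])
	for _, d := range internalDomains {
		if domain == d {
			return nil, nil
		}
	}
	var reasons []string
	if internalNames[strings.ToLower(addr.Name)] {
		reasons = append(reasons, "external address uses an internal display name: "+addr.Name)
	}
	for _, d := range internalDomains {
		if skeleton(domain) == skeleton(d) || levenshtein(domain, d) <= 1 {
			reasons = append(reasons, "sender domain resembles internal domain "+d+": "+domain)
		}
	}
	return reasons, nil
}

func main() {
	for _, h := range []string{
		"Dana Reyes <dana.reyes@acme.example>",    // internal: no flag
		"Dana Reyes <dana.reyes@webmail.example>", // internal name, external mailbox
		"IT Support <help@acrne.example>",         // rn-for-m lookalike
	} {
		reasons, err := Flag(h)
		fmt.Println(h, "->", reasons, err)
	}
}
```

The check is deliberately conservative: it never blocks, it only attaches reasons so the gateway or client can show a banner. That matches the role the text gives technical measures, supporting the process rules rather than replacing them.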

Regular awareness training can help payroll, HR and finance staff recognize red flags such as urgent tone, unexpected requests to bypass normal workflows or subtle changes in sender addresses.

Individual workers also have a role in reducing the attack surface. Limiting the amount of contact information published on public profiles, periodically reviewing which roles and projects are listed and being explicit about official communication channels for financial matters can all make it slightly harder for attackers to construct convincing lures.

Employees should also monitor pay statements and raise immediate alerts if an expected deposit is missing or if they receive confirmation notices for changes they did not initiate.

The incident described by industry contacts demonstrates that attentive recipients and basic skepticism about unusual requests can prevent losses even when attackers make use of accurate public information. As business email compromise continues to generate large reported losses in official statistics and in industry surveys, moving from informal email workflows to authenticated, verifiable and well-documented processes will be a key step for organizations that want to protect both their balance sheets and their staff.
