Payroll scams are built around a simple weakness: people want to be helpful when money is owed. An employee says their bank changed. A contractor sends updated payment details. A manager asks for a reimbursement. A caregiver, club treasurer, synagogue office, church administrator, school volunteer, or small-business bookkeeper receives a note that looks routine. The message may not sound dramatic. It may sound like ordinary administration, which is why direct-deposit and bank-change requests deserve a verification routine before they become money movement.
Bank changes should not travel alone
A bank-change request is more than a message. It is an instruction to redirect value. That means the route should be stronger than the request itself. Email alone is weak because accounts can be compromised, display names can be spoofed, and old threads can be hijacked. A text alone is weak because numbers can be wrong, changed, or impersonated. A form alone is weak if the form link arrived inside the same unverified message. The safer routine separates the instruction from the confirmation route.
This is the same logic behind known-channel callback, but payroll needs an extra dose of patience because the person requesting the change may be someone you actually know. A real employee, contractor, vendor, or relative can still be impersonated. A real account can still be compromised. The familiar name is not the control. The control is a route that existed before the change request and a process that makes unusual movement visible before funds leave.
Ordinary tone can be part of the risk
Many people picture scams as frantic messages full of threats. Payroll and direct-deposit scams can be quieter. A note says, “Please update my account before the next pay run.” A contractor says the old account is closed. A board member asks for reimbursement to a new account. A manager appears to approve a one-time payment. A caregiver says a relative changed banks. Nothing needs to look like a movie scene. The request only needs to fit into a busy day.
That ordinary tone is why the pause should be procedural rather than emotional. You do not have to accuse anyone. You can say that all bank changes are confirmed through a separate route. The rule protects the requester as much as the payer. If the request is real, the confirmation is a small inconvenience. If it is false, the rule prevents a private message from rewriting where money goes.
Confirm the person and the instruction separately
A stronger check asks two questions. First, did the real person or organization make the request? Second, are these exact payment details the ones they intended to provide? It is possible to confirm the person but still mishandle the instruction if details are copied from the suspicious message. It is also possible to receive a real-looking form from a fake contact. Keep both questions visible.
Use a known phone number, prior secure portal, in-person conversation, internal directory, signed vendor process, existing payroll system, or another route that was not supplied by the message. If you call, do not use a new number from the request. If you email, do not simply reply to the suspicious thread. If the organization has a formal portal, use that portal through a saved bookmark or independently reached site. For small teams without formal systems, write down a simple rule: no new bank details are accepted until confirmed through an old route and recorded in the normal place.
Watch for pressure around timing
Payroll has natural deadlines, and impostors use that rhythm. A request may arrive just before a pay run, holiday, weekend, invoice deadline, grant deadline, event, closing date, or travel reimbursement. The message may say the old account will reject funds, the employee will miss rent, the vendor will charge penalties, or the contractor cannot continue work without immediate payment. These consequences can be real in legitimate administration. They also make the pressure script more effective.
The answer is not to ignore time-sensitive work. The answer is to make the verification faster than the scammer’s path, not weaker. A callback to a saved number, a secure portal note, or an in-person confirmation can be done quickly. If the person says every independent route is unavailable and the payment must move through the new details now, that is not a reason to skip the check. It is the reason the check exists.
Small organizations need visible handoffs
Small businesses, community groups, religious organizations, clubs, and family offices often run on trust and speed. One person knows the bank login. Another knows the vendor. A volunteer handles reimbursements. A bookkeeper handles payroll. That informality is useful until a message slips between roles. A false request can succeed because each person assumes someone else confirmed the change.
A visible handoff does not need to be complicated. The person receiving the request records it. A second person or known route confirms it. The payment details are entered only in the normal system. The change is noted with date, requester, confirmation route, and the person who made the update. This is not bureaucracy for its own sake. It is a memory aid for moments when everyone is busy and the message looks ordinary. The small business invoice and vendor impersonation guide covers a nearby pattern for invoices and vendor accounts; payroll deserves the same separation because both can redirect money through a convincing administrative story.
Do not let forms replace judgment
Forms can make a request feel controlled, but a form only helps if the process around it is trustworthy. A direct-deposit form attached to an email, a file-sharing link, an e-signature request, or a portal invite can be legitimate. It can also be a way to collect bank details, identity information, employee numbers, signatures, or credentials. If the form was unexpected, confirm why it was sent and where it should be completed. The document attachment and e-signature verification guide is the next step when the request is wrapped in paperwork.
Be cautious when a payroll message asks for passwords, one-time codes, remote access, payroll administrator credentials, banking login, identity documents, or screenshots of account pages. A bank-change request should not require someone to watch you log in or collect codes from your device. If credentials or codes were shared, move quickly to account recovery through a clean route and use the guidance in shared code, password, or account access.
If money already moved
If a payment was sent to changed details and the request now looks suspicious, do not continue negotiating with the same contact. Preserve the message, account details, payment confirmation, dates, names, phone numbers, email headers if available, and the route used for confirmation or approval. Contact the bank, payroll provider, payment platform, employer, vendor, or official support route as quickly as appropriate for the situation. The verification notes guide helps keep records useful without spreading sensitive financial or employee information.
This guide cannot promise recovery, and payment recovery depends on method, timing, provider, and facts. The practical move is to reduce additional exposure. Do not send a second payment to “correct” the first without independent confirmation. Do not give the supposed requester more information to prove what happened. Do not let embarrassment keep the issue private if an employer, employee, family member, bank, or provider needs to act.
Make the safe route normal
The strongest payroll routine is boring and known before anyone needs it. Everyone who can request or approve payment changes should know that bank details are confirmed outside the message, entered only through the normal system, and documented in one place. That rule should apply to executives, relatives, contractors, long-time employees, volunteers, and new hires. Exceptions are where impersonation hides.
Payroll trust should be personal enough to treat people well and procedural enough to protect their money. A real requester can tolerate a separate confirmation. A false requester usually needs the message, the timing, and the new account details to stay in one private line. Break that line. Confirm through known ground, keep records private, and let money move only after the person and the instruction have both been checked.



