The HR Fraud Trifecta: Direct Deposit, W-2s, and Benefits Enrollment Attacks

HR teams sit on a goldmine of employee PII, banking details, tax forms, and access to benefits. Attackers know this—and they’re leaning hard into increasingly sophisticated scams that exploit human trust and process gaps. In recent years, payroll fraud and identity theft schemes targeting HR and payroll workflows—from direct deposit hijacking to executive impersonation scams—have surged in frequency and complexity.

The Direct Deposit Deception

Payroll diversion fraud typically starts with impersonation: a spoofed employee email, hijacked account, or a convincing “I got a new bank account—can you update ASAP?” message. The goal is simple—reroute paychecks to attacker-controlled accounts before anyone notices. Remote work, outsourced payroll, and self-service portals can speed up legitimate changes, but also fraudulent ones if verification is weak.

What can help:

  • Require out-of-band verification (call back to a phone number already on file, never one taken from the email signature).
  • Add a cooling-off period for bank changes (e.g., changes take effect next pay cycle).
  • Trigger instant alerts to employees when direct deposit info is edited.
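The three controls above fit together as one workflow: an edit triggers an alert to the employee's contact details on record, the change is held until HR records a successful call-back, and it only takes effect on the pay cycle after the next one. The following Python model is an added example written for this article, not LibertyID's product code; the pay calendar, employee ids and account numbers are constructed, and the "destination account already on file for another employee" check goes slightly beyond the text as a common payroll-diversion indicator.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed pay calendar (hypothetical): biweekly paydays starting 2025-01-10.
FIRST_PAYDAY = date(2025, 1, 10)
PAY_CYCLE = timedelta(days=14)


def effective_payday(requested_on: date) -> date:
    """Cooling-off rule: a change requested on `requested_on` skips the next
    payday and takes effect on the one after it (the next full pay cycle)."""
    payday = FIRST_PAYDAY
    while payday <= requested_on:
        payday += PAY_CYCLE
    return payday + PAY_CYCLE


@dataclass
class ChangeRequest:
    employee_id: str
    new_routing: str
    new_account: str
    requested_on: date
    channel: str                        # "portal", "email", "phone", ...
    verified_out_of_band: bool = False  # set only after a call-back to the number on file
    effective_on: Optional[date] = None
    alerts: List[str] = field(default_factory=list)


class DirectDepositControl:
    """Holds bank-detail changes until they are verified out of band and the
    cooling-off period has elapsed; alerts the employee on every edit."""

    def __init__(self, on_file: Dict[str, Tuple[str, str]]):
        self.on_file = dict(on_file)        # employee_id -> (routing, account)
        self.pending: List[ChangeRequest] = []

    def submit(self, req: ChangeRequest) -> ChangeRequest:
        # Instant alert to the contact details already on record, so a hijacked
        # mailbox cannot suppress the notification.
        req.alerts.append(f"ALERT {req.employee_id}: direct deposit change requested via {req.channel}")
        # Same destination account already used by another employee: route to manual review.
        reused_by = sorted(eid for eid, acct in self.on_file.items()
                           if acct == (req.new_routing, req.new_account) and eid != req.employee_id)
        if reused_by:
            req.alerts.append(f"REVIEW {req.employee_id}: destination account already on file for {reused_by}")
        req.effective_on = effective_payday(req.requested_on)
        self.pending.append(req)
        return req

    def record_callback(self, req: ChangeRequest, confirmed: bool) -> ChangeRequest:
        """HR records the result of calling the employee at the number on file."""
        req.verified_out_of_band = confirmed
        if not confirmed:
            req.alerts.append(f"REJECTED {req.employee_id}: call-back not confirmed")
            self.pending.remove(req)
        return req

    def run_payroll(self, payday: date) -> List[str]:
        """Apply every verified request whose cooling-off has elapsed; return the
        employee ids whose bank details changed on this pay run."""
        applied = []
        for req in list(self.pending):
            if req.verified_out_of_band and req.effective_on is not None and payday >= req.effective_on:
                self.on_file[req.employee_id] = (req.new_routing, req.new_account)
                self.pending.remove(req)
                applied.append(req.employee_id)
        return applied


def demo() -> dict:
    """Worked scenario on constructed data; returns the observable results."""
    ctl = DirectDepositControl({"E100": ("011000015", "1111"), "E200": ("011000015", "2222")})
    r1 = ctl.submit(ChangeRequest("E100", "021000021", "9999", date(2025, 1, 15), "email"))
    early = ctl.run_payroll(date(2025, 1, 24))        # unverified: nothing applied
    ctl.record_callback(r1, confirmed=True)
    still_early = ctl.run_payroll(date(2025, 1, 24))  # verified, but cooling-off not elapsed
    applied = ctl.run_payroll(date(2025, 2, 7))       # next full cycle: applied
    # A second employee asks to move pay to the account E100 now uses: flagged for review.
    r2 = ctl.submit(ChangeRequest("E200", "021000021", "9999", date(2025, 2, 10), "portal"))
    return {
        "effective_on": r1.effective_on.isoformat(),
        "early": early, "still_early": still_early, "applied": applied,
        "e100_on_file": ctl.on_file["E100"],
        "r2_flagged": any(a.startswith("REVIEW") for a in r2.alerts),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `record_callback` is that the mailbox or portal session that submitted the change is never what confirms it; only a separate channel with details that predate the request can clear it.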

Executive Impersonation and the W-2 Data Trap

This scam is a classic because it works. A criminal spoofs an executive (or compromises their mailbox) and emails HR/payroll: “Send me all employee W-2s” or “I need the full employee list with SSNs.” The IRS specifically warns businesses about this scam pattern and notes it’s commonly tied to BEC-style spoofing.

Once attackers have W-2 data, the damage multiplies: fraudulent tax filings, account takeovers, and long-tail identity theft that lands back on your HR team as employees scramble to recover.

If you encounter this, the IRS advises reporting and provides steps for “W-2 data loss” incidents (including emailing their data loss address).
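The warning signs in the scenario above (an executive's display name on a message that asks for W-2s or SSNs, an outside sender domain, a Reply-To that differs from the From address, and pressure to act fast) can be scored automatically before a request ever reaches a payroll inbox. The Python triage below is an added example written for this article, not LibertyID's code or an IRS tool; the executive directory, domains and sample messages are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed directory (hypothetical): executive display name -> mailbox on record.
EXECUTIVE_MAILBOXES: Dict[str, str] = {"Jane Doe": "jane.doe@example.com"}
INTERNAL_DOMAINS = {"example.com"}

SENSITIVE = re.compile(r"\b(w-?2s?|ssn|social security|employee list|payroll (?:report|file|register))\b", re.I)
URGENCY = re.compile(r"\b(asap|urgent(?:ly)?|immediately|right away|today)\b", re.I)


@dataclass
class Email:
    display_name: str
    from_addr: str
    reply_to: str      # "" when the header is absent
    subject: str
    body: str


def score_request(msg: Email) -> Tuple[int, List[str]]:
    """Score an inbound HR/payroll message for W-2 / SSN-request BEC indicators."""
    text = f"{msg.subject}\n{msg.body}"
    if not SENSITIVE.search(text):
        return 0, []
    score, reasons = 1, ["asks for W-2/SSN/payroll data"]
    on_record = EXECUTIVE_MAILBOXES.get(msg.display_name)
    if on_record and on_record.lower() != msg.from_addr.lower():
        score += 3
        reasons.append("executive display name but sender is not the mailbox on record")
    if msg.from_addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
        score += 2
        reasons.append("external sender domain")
    if msg.reply_to and msg.reply_to.lower() != msg.from_addr.lower():
        score += 2
        reasons.append("Reply-To differs from From")
    if URGENCY.search(text):
        score += 1
        reasons.append("urgency/pressure language")
    return score, reasons


def triage(msg: Email, hold_threshold: int = 4) -> str:
    """'hold_and_verify': do not reply; confirm with the executive by phone.
    'review': mentions tax data but looks internal; policy still says no W-2s by email.
    'ignore': no sensitive request present."""
    score, _ = score_request(msg)
    if score == 0:
        return "ignore"
    return "hold_and_verify" if score >= hold_threshold else "review"


# Constructed sample messages (not real traffic).
SAMPLES = {
    "spoofed_exec": Email("Jane Doe", "jane.doe@examp1e.com", "jane.ceo@mail.example.net",
                          "W-2s needed ASAP",
                          "Send me all employee W-2s as PDF today. I'm in meetings, can't take calls."),
    "genuine_internal": Email("Jane Doe", "jane.doe@example.com", "",
                              "Tax season timing", "When do W-2s go out to staff this year?"),
    "unrelated": Email("Sam Vendor", "billing@supplier.example.org", "",
                       "Invoice 1042", "Attached is this month's invoice."),
}


def triage_samples() -> Dict[str, str]:
    """Run triage over the constructed samples and return the decision per message."""
    return {name: triage(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, score_request(msg), triage(msg))
```

Even the genuine-looking message lands in `review` rather than `ignore`: under a "no W-2s by email, ever" policy, any tax-data request by mail is handled by a call to the requester's number on file, and the scoring only decides how loudly to raise it.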

Benefits and Enrollment Abuse

Benefits systems are another high-value target: open enrollment windows, dependent add-ons, and life event changes can be abused through stolen credentials or fake documentation. On a broader benefits-adjacent front, watchdog reporting highlighted significant growth in improper/fraudulent health plan enrollments in 2025—an indicator of how aggressively criminals (and bad actors in the ecosystem) chase coverage and payouts.

Practical safeguards:

  • Enforce MFA on HRIS/benefits portals (prefer phishing-resistant options where feasible).
  • Use risk-based step-up checks for high-impact actions (new dependents, beneficiary changes).
  • Implement dependent eligibility verification and documentation audits.

A Simple HR Fraud Playbook That Actually Works

  1. Treat HR like Finance: same rigor, approvals, and verification—because the money and data are there.
  2. Harden the workflow, not just the tech: written policies like “no W-2s by email, ever.”
  3. Run targeted training before tax season and open enrollment: the IRS Dirty Dozen scam messaging is a useful annual trigger for internal refreshers.
  4. Log, alert, and rehearse: know who investigates, who communicates, and how you support impacted employees.

For HR professionals and business leaders, all of this means being vigilant isn’t optional—it’s essential. Payroll diversion, W-2 data theft, and benefits fraud are no longer isolated incidents; they are part of a rapidly evolving threat landscape that demands both awareness and action.


LibertyID Business Solutions provides customer WISP protocols, advanced information security employee training, third-party vendor management tools, and post-breach regulatory response and notification services. This allows businesses to improve the safeguards surrounding their consumers’ private data and head toward a compliant posture in relation to the federal FTC and often overlooked state regulations. Along with the components mentioned, LibertyID Business Solutions includes our gold-standard identity fraud restoration management services for employees and their families.