FBI and IRS Warn of Potential Direct Deposit Phishing Scheme

February 07, 2018

FBI and IRS have recently issued releases warning Employers about a potential security threat targeting Direct Deposits received by employees.

FBI and IRS have recently issued releases warning Employers about a potential security threat targeting Direct Deposits received by employees and taxpayers.  Employees who use a self-service portal to update their personal information, such as bank routing and account numbers, are particularly vulnerable to this scam.

Employers that pay wages using direct deposit should consider warning their employees about this threat.

How the Employees Direct Deposit Scam Works 

The FBI warns that Fraudsters are targeting employees by impersonating their Employers’ Human Resources department by sending request via e-mail to update direct deposit information.  The employee is then redirected to a false site impersonating the self- service portal where employees are prompted to enter identifying information that can be used to update their direct deposit information.  The appearance of the site and branding is identical to the employer’s Self Service Portal.

Hackers have also sent e-mails to employees’ impersonating the Payroll Service Provider and requesting information to update log-in credentials, the thieves then use those log-in credentials to change their direct deposit instructions.

News sources report that employees of public school districts in Colorado, Georgia, and Massachusetts have recently fallen victim to this scam costing employers thousands of dollars in replacement wages

A representative of the National Automated Clearing House Association (NACHA) declined to comment on the matter, but directed interested persons to view its website for general information on electronic payment security. For more information go to:

Steps Employers Can Take to Protect the Workforce  

  •  Employers should warn employees to watch for phishing attacks and suspicious malware links. Employees should be directed to check the actual e-mail address, rather than just looking at the subject line to verify that the email came from their employer. Some Fraudsters use Site addresses that are similar to the legitimate site. For Example: as opposed to or as opposed to
  •  Employees should also be told to not reply to any suspicious looking email; instead have them forward the email to a company security contact.
  •  Employer self-service platforms should have a two-step authentication process requiring users to enter a second password that is e-mailed to them or to use a hard token code.
  •  Companies may want to set a time delay between the changing of direct deposit information in the self-service portal and the actual deposit of funds into the new account to decrease the chance of the theft of wages.

IRS Warns of Another Direct Deposit Scam Involving Tax Refunds

The IRS also issued an alert about a similar scam involving Direct Deposit Tax Refunds.

How the IRS Scam Works

Cybercriminals that steal data from several tax practitioners’ computers and file fraudulent tax returns are using taxpayers’ real bank accounts for the direct deposit of the fraudulent federal tax refund.

A woman posing as a debt collection agency official contacts the taxpayer inform them a refund was deposited in error and asked the taxpayers to forward the money to her.

The IRS is currently investigating steps to prevent the scam but also recommends that the following basic steps be taken:

  •  Educate all employees generally about phishing and spear phishing (Phishing is the practice of soliciting identity data through false website or e-mails- Spear Phishing is a more targeted form using trusted aliases such as an employer, family member, or financial institution already known by the victim)
  •  Use strong, unique passwords or a phrase instead of a word, composed of a mix of letters, numbers and special characters, for each circumstance or account.
  •  Never take an email from a familiar source at face value. If the email asks the receiver to open a link or attachment, or includes a threat to close their account, think twice.
  •  If an email contains a link, the IRS recommends that you hover your cursor over the link to see the web address (URL) destination. If it’s not a recognized URL or if it’s an abbreviated URL, don’t open it. (See above examples)
  •  Contact the referenced individual or department by telephone to get a verbal confirmation that they are the sender of the email.
  •  Use security software to help defend against malware, viruses and known phishing sites and update the software automatically.
  •  Send suspicious tax-related phishing emails to

Other Resources

  •  The Federal Trade Commission (FTC) also provides information for companies on how to keep their employees’ personal information secure. See for more information.
  •  The US Secret Service also takes an active role in safeguarding the payment and financial systems of the US from financial and computer-based crimes. Employers that have fallen victim to these crimes may report them here

Thank you for choosing Paylocity as your Payroll Tax partner. Should you have any questions please contact your Paylocity Account Manager.

 This information is provided as a courtesy, may change and is not intended as legal or tax guidance. Employers with questions or concerns outside the scope of a Payroll Service Provider are encouraged to seek the advice of a qualified CPA, Tax Attorney or Advisor.