Resource Corner

How to Prevent Direct Deposit Phishing Scams

Learn how to protect you and your business against direct deposit phishing scams.


A direct deposit phishing scheme targets employers that use self-service direct deposit platforms. Because these platforms let employees manage their own payroll options, they hold personally identifiable information (PII) as well as direct deposit banking details.

According to the FBI, the scam begins with a phishing campaign targeting individual employees. It is a variation on business email compromise, in which fraudsters impersonate a trusted person or a person of authority, such as the human resources department or an HR vendor, to get the victim to perform a certain action. The email directs the employee to perform what feels like a routine transaction, such as confirming a direct deposit account or viewing changes to the account.

The goal is to get you to reveal your login credentials to the fraudster, who can then use those credentials to steal PII and redirect your direct deposit to another account. One of the first things the fraudster will do is change the contact email on your account, so that you do not receive an alert about the change. Here are a few tips on how you can protect yourself from these types of scams:

  • Implement two-step or multi-factor verification for HR/payroll platforms.

  • Require IT administrators to monitor for unusual activity, such as a large number of accounts having contact and banking information changed over a short period.

  • Have a policy of temporarily reverting to a paper check after a change to banking information.

  • Ensure payroll login credentials are different from credentials used for other purposes.

  • Set up alerts on self-service platforms so that administrators can catch unusual activity before money is lost, including alerts for when banking information is changed to the kinds of online bank accounts typically used by fraudsters.

  • Alert employees about the scam.

  • Train employees to watch for phishing attacks and suspicious malware links. Checking the actual email address rather than just the display name can be crucial to spotting the attack early.

  • Set a time delay between when direct deposit information is changed in the self-service portal and the actual deposit of funds into the new account, to reduce the chance that funds are stolen.
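
Three of the tips above (watching for a contact email change followed by a banking change, spotting a burst of banking changes across many accounts, and holding or paper-checking deposits changed shortly before a pay run) can be checked automatically against a payroll portal's audit log. The following is an added example written for this article, not BankUnited's or any vendor's code; the event format and the thresholds are assumptions, and the events are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample audit events from a hypothetical payroll self-service
# portal: (ISO timestamp, employee id, field changed). Not real data.
SAMPLE_EVENTS = [
    ("2024-03-01T09:02:00", "E1001", "contact_email"),
    ("2024-03-01T09:05:00", "E1001", "bank_account"),
    ("2024-03-01T09:09:00", "E1002", "contact_email"),
    ("2024-03-01T09:12:00", "E1002", "bank_account"),
    ("2024-03-01T09:20:00", "E1003", "contact_email"),
    ("2024-03-01T09:23:00", "E1003", "bank_account"),
    ("2024-03-01T14:00:00", "E1004", "contact_email"),  # email change only
    ("2024-03-06T10:00:00", "E1005", "bank_account"),   # isolated bank change
]


def parse(events):
    return [(datetime.fromisoformat(ts), emp, field) for ts, emp, field in events]


def email_then_bank_change(events, window=timedelta(hours=24)):
    """Accounts whose contact email changed shortly before their banking info.
    Fraudsters change the email first so the victim never sees the alert."""
    last_email, flagged = {}, set()
    for ts, emp, field in sorted(parse(events)):
        if field == "contact_email":
            last_email[emp] = ts
        elif field == "bank_account" and emp in last_email \
                and ts - last_email[emp] <= window:
            flagged.add(emp)
    return sorted(flagged)


def bank_change_burst(events, threshold=3, window=timedelta(hours=1)):
    """True if at least `threshold` distinct accounts had banking info
    changed within any `window`-long period (many accounts, short time)."""
    times = sorted((ts, emp) for ts, emp, f in parse(events) if f == "bank_account")
    for i, (start, _) in enumerate(times):
        accounts = {emp for ts, emp in times[i:] if ts - start <= window}
        if len(accounts) >= threshold:
            return True
    return False


def hold_for_pay_run(events, pay_run_iso, hold=timedelta(days=3)):
    """Accounts whose banking info changed within `hold` before the pay run.
    Pay these by paper check or hold the deposit instead of using the new account."""
    pay_run = datetime.fromisoformat(pay_run_iso)
    return sorted({emp for ts, emp, f in parse(events)
                   if f == "bank_account" and timedelta(0) <= pay_run - ts < hold})
```

Run the three checks against the portal's audit export before each pay run; any account returned by `hold_for_pay_run` is a candidate for the paper-check policy described above.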

BankUnited invests in security technology, tools and services to protect your accounts and your personal information.


All content is for informational purposes only and does not constitute legal, tax, or accounting advice. You should consult your legal and tax or accounting advisors before making any financial decisions.