Threat / Phishing & impersonation

Payroll direct-deposit account-change BEC — attacker impersonates an employee emailing HR or payroll to redirect the next paycheck to a mule account; FBI IC3 2024: $55M in payroll diversion BEC losses, average loss $8,000+

fake-payroll-direct-deposit-account-change-bec

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Business Email Compromise (BEC) in which an attacker impersonates an employee — typically from a lookalike or compromised email address — and emails HR or payroll staff asking that the employee's direct-deposit bank account be changed to a new routing and account number. The attacker's mule account receives the next paycheck; the victim typically does not discover the theft until payday.

Key facts:

(1) FBI IC3 2024: payroll diversion BEC caused $55M in reported losses, with an average loss of $8,000+ per incident, among the highest per-victim BEC loss categories.

(2) Payroll BEC is particularly insidious because it targets HR generalists rather than finance executives: the social engineering is simpler ("employee requesting account update") and the process is routine, which lowers suspicion.

(3) Legitimate payroll account changes should always require in-person or phone verification using a number from the employee's HR file, manager co-approval, and a waiting period before the new account is activated. Any payroll system that allows email-only changes is misconfigured.

(4) Attack timing: requests typically arrive early in the week before a Friday pay run, or just after a new employee onboards, when a "first direct-deposit setup" is plausible.

Warning signs: email from a domain that isn't the company's standard domain; urgent language about the next pay period; routing and account number included in the body; no supporting documentation; no request to verify by calling the employee back.
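The warning signs above, expressed as a small set of heuristics over a constructed direct-deposit change request. This is an added illustration of how such indicators can be checked, not Gorganizer's own detection code; the company domain, the `Email` structure and the two sample messages are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Assumed company domain for this illustration (not a real Gorganizer setting).
COMPANY_DOMAIN = "example-corp.com"

@dataclass
class Email:
    from_addr: str
    subject: str
    body: str
    has_attachment: bool

# One pattern per warning sign named in the signal description.
DEPOSIT_CHANGE = re.compile(r"direct.?deposit|payroll|paycheck|bank account", re.I)
URGENCY = re.compile(r"\b(before|by) (this|next) (friday|pay ?(run|roll|period|day))\b"
                     r"|\basap\b|\burgent(ly)?\b", re.I)
ACCOUNT_NOS = re.compile(r"\b(routing|aba)\b.{0,20}?\b\d{9}\b.*?\b(account|acct)\b.{0,20}?\b\d{6,17}\b",
                         re.I | re.S)
VERIFY_OFFER = re.compile(r"\b(call|phone|verify|confirm)\b.{0,40}?\b(me|back|number|ext)\b", re.I)

def payroll_bec_indicators(mail: Email) -> list[str]:
    # Only evaluate messages that are actually about payroll / direct deposit.
    text = mail.subject + " " + mail.body
    if not DEPOSIT_CHANGE.search(text):
        return []  # not a payroll request; this signal does not apply
    hits = []
    if mail.from_addr.rsplit("@", 1)[-1].lower() != COMPANY_DOMAIN:
        hits.append("sender domain is not the company's standard domain")
    if URGENCY.search(text):
        hits.append("urgent language about the next pay period")
    if ACCOUNT_NOS.search(mail.body):
        hits.append("routing and account number included in the body")
    if not mail.has_attachment:
        hits.append("no supporting documentation attached")
    if not VERIFY_OFFER.search(mail.body):
        hits.append("no request to verify by calling the employee back")
    return hits

# Constructed samples: a lookalike-domain request and a routine internal one.
SUSPICIOUS = Email(
    from_addr="jane.doe@example-corp-hr.com",
    subject="Direct deposit update",
    body="Hi, I switched banks. Please update my direct deposit before this "
         "Friday's pay run.\nRouting 123456789\nAccount 000987654321\nThanks, Jane",
    has_attachment=False,
)
ROUTINE = Email(from_addr="jane.doe@example-corp.com", subject="Direct deposit form attached",
                body="Signed change form attached. Call me on my desk number to confirm.",
                has_attachment=True)
```

The suspicious sample trips all five indicators while the routine one trips none; in practice each hit would contribute to a multi-module score rather than decide the verdict on its own.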

False-positive guard

Every signal in Gorganizer feeds a multi-module score and is never a sole verdict. This is a threat-tier signal, so it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules and a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used; nothing is permanently deleted.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.


Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.
