Threat / Scams & fraud

Fake payroll direct deposit change BEC scam — attacker impersonates a CEO, CFO, or HR employee and asks a payroll processor to redirect salary to a fraudster-controlled bank account before the next payroll run; email contains new routing number and account number with urgency framing

fake-payroll-direct-deposit-change-bec-scam

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Business Email Compromise (BEC) variant in which an attacker impersonates a CEO, CFO, other executive, or HR representative and instructs a payroll processor or HR administrator to update an employee's direct deposit bank account, redirecting the next paycheck to a fraudster-controlled account. The email typically carries the new routing number and account number directly in the message body, together with urgency framing ("before end of day," "before Friday's payroll run," "effective immediately") timed to land just ahead of a payroll cutoff. The FBI's IC3 has tracked payroll diversion as a distinct BEC variant since 2018, and its 2023 Annual Report put total reported BEC losses above $2.9 billion.

Key facts: (1) Payroll platforms such as ADP, Workday, Paychex, and Paylocity process direct deposit changes through the authenticated employee self-service portal (typically behind MFA); a change request arriving by email is outside the normal channel. (2) Bank account and routing numbers pasted into an email body are a strong fraud indicator: legitimate changes go through the payroll system or a signed internal form, not free text sent to a payroll clerk. (3) Attackers use lookalike domains (acme-corp.com in place of acme.com), compromised internal accounts, or display-name spoofing (the executive's name over an external address) to appear credible, and often set a Reply-To pointing at a mailbox they control. (4) Real executives rarely email payroll staff directly about their own bank details; the request goes through the HR process like everyone else's.

Warning signs scored by this signal: routing and account numbers in the email body, urgency tied to the next payroll run, a sender on an external or lookalike domain, and an executive bypassing normal HR channels.
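As an added example (not Gorganizer's code, which this page does not publish), the Python below scores a raw email against the warning signs just described: a checksum-valid ABA routing number and an account number in the body, urgency phrasing tied to the payroll run, a lookalike sender domain, an executive's display name over an external address, and a Reply-To that differs from the From domain. The company domain, the executive name list, the per-signal weights, and the two sample messages are all constructed for the illustration. The function returns this signal's contribution rather than a verdict, in line with the page's point that no single signal decides deletion.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed tenant configuration for this example (not Gorganizer's own data).
COMPANY_DOMAIN = "acme.com"
EXECUTIVE_NAMES = {"jane doe"}  # hypothetical CEO display name

# Illustrative per-signal contributions; Gorganizer's real weights are not published.
WEIGHTS = {
    "payroll_topic": 1,
    "valid_routing_number": 4,
    "account_number": 2,
    "urgency_before_payroll": 2,
    "lookalike_domain": 3,
    "display_name_spoof": 3,
    "reply_to_mismatch": 2,
}

ROUTING_RE = re.compile(r"(?<!\d)\d{9}(?!\d)")
ACCOUNT_RE = re.compile(r"\b(?:acct|account)\s*(?:number|no\.?|#)?\s*[:#]?\s*\d{6,17}\b", re.I)
URGENCY_RE = re.compile(
    r"\b(?:before (?:end of day|eod|friday'?s payroll(?: run)?|the next payroll(?: run)?)"
    r"|effective immediately|asap|as soon as possible)\b", re.I)
PAYROLL_RE = re.compile(r"\b(?:direct deposit|payroll|paycheck|bank account)\b", re.I)


def valid_aba_routing(number: str) -> bool:
    """ABA check digit: digits weighted 3,7,1 repeating must sum to a multiple of 10."""
    if len(number) != 9 or not number.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(number, weights)) % 10 == 0


def second_level_label(domain: str) -> str:
    """'mail.acme-corp.com' -> 'acme-corp' (naive; no public-suffix list)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) > 1 else parts[0]


def is_lookalike(domain: str) -> bool:
    """External domain whose second-level label embeds the company's (acme-corp.com vs acme.com)."""
    if domain.lower() == COMPANY_DOMAIN:
        return False
    return second_level_label(COMPANY_DOMAIN) in second_level_label(domain)


def payroll_diversion_signals(raw_message: str) -> dict[str, int]:
    """Triggered signal names with their contributions; empty when the mail is not about pay or bank details."""
    msg = message_from_string(raw_message)
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    # Gate on topic: a routing number in a shipping notice is not payroll diversion.
    if not PAYROLL_RE.search(text):
        return {}
    hits = {"payroll_topic": WEIGHTS["payroll_topic"]}
    if any(valid_aba_routing(n) for n in ROUTING_RE.findall(body)):
        hits["valid_routing_number"] = WEIGHTS["valid_routing_number"]
    if ACCOUNT_RE.search(body):
        hits["account_number"] = WEIGHTS["account_number"]
    if URGENCY_RE.search(text):
        hits["urgency_before_payroll"] = WEIGHTS["urgency_before_payroll"]
    if from_domain and is_lookalike(from_domain):
        hits["lookalike_domain"] = WEIGHTS["lookalike_domain"]
    if display_name.lower() in EXECUTIVE_NAMES and from_domain != COMPANY_DOMAIN:
        hits["display_name_spoof"] = WEIGHTS["display_name_spoof"]
    if reply_domain and reply_domain != from_domain:
        hits["reply_to_mismatch"] = WEIGHTS["reply_to_mismatch"]
    return hits


def trash_contribution(hits: dict[str, int]) -> int:
    """This signal's share of the trash score; other modules must still agree before deletion."""
    return sum(hits.values())


# Constructed sample messages (not real mail).
SCAM = """\
From: Jane Doe <jane.doe@acme-corp.com>
Reply-To: Jane Doe <jane.doe.exec@example.net>
Subject: Direct deposit update - process before Friday's payroll run

I switched banks and need my paycheck sent to the new account effective immediately.
Routing number: 123456780
Account number: 00987654321
"""

LEGIT = """\
From: HR Team <hr@acme.com>
Subject: Reminder: review your direct deposit details in Workday

If you need to change your bank account, log in to the employee self-service
portal with MFA. We cannot accept account or routing numbers by email.
"""
```

The routing number in the constructed sample was chosen only because it satisfies the ABA checksum; validating the check digit is what keeps arbitrary nine-digit strings (order numbers, phone fragments) from firing the strongest sub-signal. On the two samples the scam message trips every sub-signal for a contribution of 17, while the legitimate HR reminder, which mentions direct deposit but contains no bank details, urgency, or external sender, contributes only the topic weight of 1.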

False-positive guard

Every signal in Gorganizer feeds a multi-module score and is never a sole verdict. This is a threat-tier signal, so it adds a strong contribution to the trash score, but the pipeline still requires convergence across multiple modules and a margin over the safety floor before anything is deleted. Deletion always means Gmail's trash, which keeps mail for 30 days; nothing is permanently deleted.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.

Ready to clean your inbox?

Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.
