TLDR
Attacker emails HR/payroll from a lookalike of employee's address (john.smith@gmaiI.com with capital I instead of l), requesting a direct deposit change to a different bank, often a neobank or prepaid card (Chime / Green Dot / Netspend)....
How it works
Attacker emails HR/payroll from a lookalike of employee's address (john.smith@gmaiI.com with capital I instead of l), requesting a direct deposit change to a different bank, often a neobank or prepaid card (Chime / Green Dot / Netspend)....
Red flags
- Urgent pressure to click, pay, or share codes immediately.
- A link or sender that does not match the official organization.
- Requests for card data, passwords, OTPs, wallet signatures, or bank transfers.
What to do
- 1Indicators: request via email only, never via HR portal, new bank in different state, mid month or just before payday.
- 2IF VICTIM EMPLOYEE: payroll usually reissues from company account; report ic3.gov; bank for ACH return within 5 business days.
Source
FTC
Source reviewed by Mythos Forensic Team
https://consumer.ftc.gov/articles/how-spot-avoid-and-report-tech-support-scamsFAQ
Is Payroll diversion — fake HR direct deposit change a real scam pattern?
Yes. Treat the message, call, or payment request as suspicious until you verify it through an official channel.
What are the first warning signs?
Urgent pressure to click, pay, or share codes immediately.; A link or sender that does not match the official organization.; Requests for card data, passwords, OTPs, wallet signatures, or bank transfers.
What should I do first?
Indicators: request via email only, never via HR portal, new bank in different state, mid month or just before payday.; IF VICTIM EMPLOYEE: payroll usually reissues from company account; report ic3.gov; bank for ACH return within 5 business days.
Can LegalAudit check my case?
Yes. Start a free chat and paste the message, link, sender, or payment details for triage.