Payroll Change via Compromised HR Email — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team

Severity: HIGH

Payroll Change Scam via Compromised HR Email in India 2026: What You Must Know

A new high-risk phishing scam targets India’s HR departments by hijacking email accounts to reroute payroll payments and steal salaries.

What Is the Payroll Change via Compromised HR Email?

The "Payroll Change via Compromised HR Email" scam is an emerging cyber threat where fraudsters gain control of an organisation’s HR email account to manipulate salary disbursal instructions. This scam mainly targets companies and institutions with digital payroll systems linked to emails for salary processing.

In India’s multi-corporate and digitally connected environment, HR email accounts often serve as critical authorization points for payroll changes. Attackers exploit this by phishing HR personnel to steal login credentials or by taking advantage of weak password practices. Once inside, they alter bank account details associated with employee salaries. The scam can affect organisations across sectors including IT, manufacturing, and government bodies.

CERT-In (Indian Computer Emergency Response Team) has flagged phishing as a leading vector in workplace cyber fraud. Similarly, the Indian Cyber Crime Coordination Centre (I4C) has issued advisories urging organisations to protect HR email systems and monitor payroll processes closely. The Reserve Bank of India (RBI) also highlights the risk to digital payment frameworks like UPI when payroll accounts are manipulated.

How This Scam Works — Step by Step

  1. Reconnaissance & Phishing: Fraudsters send deceptive emails to HR employees claiming to be from internal IT helpdesk or payroll departments. These emails contain links to fake login pages mimicking corporate email portals to steal credentials.

  2. Account Compromise: The attacker gains access to an HR email account, often due to password reuse or weak passwords without two-factor authentication (2FA).

  3. Monitoring Payroll Communication: Once inside, the scammer combs through email threads related to salary revisions, bank account updates, and employee payroll changes to gather details.

  4. Initiating Payroll Change Requests: The fraudster sends seemingly legitimate emails from the compromised HR account to the finance or payroll department requesting bank account updates for salary payments.

  5. Changing Account Details: Payroll teams, trusting the HR email, update employee salary deposit bank details to those controlled by the attackers.

  6. Salary Diversion: Employee salaries are transferred to fraudulent accounts via UPI or NEFT/RTGS, typically during payroll cycles.

  7. Covering Tracks and Cashing Out: The scammer quickly withdraws or transfers funds before suspicions arise. Victims notice salary credits missing only after payday.

Real Warning Signs to Watch For

What Happens to Victims

Employees affected by this scam can suffer financial loss when their salary is diverted to fraudulent accounts. Unlike typical UPI payment fraud, reversing payroll transfers is difficult because accounts are formally updated in internal records. This creates delays and complications for victims trying to recover lost funds.

Victims often face emotional stress, as salary is critical for daily expenses in India. Misuse of Aadhaar-linked bank accounts or SIM swaps can worsen the recovery process, making communication and authentication harder. Impacted companies may face trust issues among their workforce and incur administrative overhead to resolve payroll discrepancies.

What RBI and CERT-In Say

The RBI has consistently warned about phishing and social engineering attacks targeting banking credentials and payment systems such as UPI and NEFT. Its cybersecurity framework mandates multi-factor authentication and email security best practices for financial transactions.

CERT-In identifies phishing emails as a major cause of account compromise and urges organisations to educate employees about the risks of clicking links in emails and about verifying senders beyond display names.

The 1930 cybercrime helpline run by the Ministry of Home Affairs encourages victims of payroll fraud and email compromise to report incidents promptly. The Indian Cyber Crime Coordination Centre (I4C) recommends businesses implement email security protocols and monitor payroll channels closely to detect anomalies early.

How to Protect Yourself

  1. Enable Two-Factor Authentication (2FA) on all corporate email accounts, especially for HR and finance teams.
  2. Never share login credentials via email or unsecured links.
  3. Verify email senders carefully — inspect full email addresses, not just display names.
  4. Authenticate payroll change requests through verbal or in-person confirmation, not just emails.
  5. Use strong, unique passwords for work accounts and avoid reuse across platforms.
  6. Regularly audit payroll and bank account details for unusual changes or changes that are missing multiple approvals.
  7. Educate employees on phishing awareness, including recognizing fake login pages and suspicious emails.
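The audit in item 6 and the out-of-band confirmation in item 4 can be checked mechanically over a log of bank-detail changes. The following is an added example, not code from BharatSecure or any payroll product; the record fields, the seven-day window and the two-approver threshold are assumptions chosen for illustration, and the records are constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed sample change log; field names are assumptions, not a real payroll schema.
CHANGES = [
    {"emp": "E101", "new_account": "ACCT-A", "channel": "email",
     "callback_verified": False, "approvers": ["payroll1"],
     "changed_on": date(2026, 1, 27)},
    {"emp": "E102", "new_account": "ACCT-A", "channel": "email",
     "callback_verified": False, "approvers": ["payroll1"],
     "changed_on": date(2026, 1, 28)},
    {"emp": "E103", "new_account": "ACCT-B", "channel": "portal",
     "callback_verified": True, "approvers": ["payroll1", "finance2"],
     "changed_on": date(2026, 1, 10)},
]
PAY_DATE = date(2026, 1, 31)   # assumed payroll run date
WINDOW_DAYS = 7                # assumed review window before the pay date


def audit_changes(changes, pay_date, window_days=WINDOW_DAYS):
    """Return {employee_id: [reasons]} for changes that need manual review."""
    # Map each destination account to the employees now pointing at it.
    by_account = defaultdict(set)
    for c in changes:
        by_account[c["new_account"]].add(c["emp"])

    findings = {}
    for c in changes:
        reasons = []
        if c["channel"] == "email" and not c["callback_verified"]:
            reasons.append("email-only request without verbal or in-person confirmation")
        if len(set(c["approvers"])) < 2:
            reasons.append("fewer than two distinct approvers")
        if len(by_account[c["new_account"]]) > 1:
            reasons.append("destination account shared by several employees")
        days_before_pay = (pay_date - c["changed_on"]).days
        if 0 <= days_before_pay <= window_days:
            reasons.append("changed within %d days of the pay date" % window_days)
        if reasons:
            findings.setdefault(c["emp"], []).extend(reasons)
    return findings


if __name__ == "__main__":
    for emp, reasons in audit_changes(CHANGES, PAY_DATE).items():
        print(emp, "->", "; ".join(reasons))
```

Flagged changes should be held until the employee confirms the new account through a channel other than email.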

What to Do If You've Been Targeted

Frequently Asked Questions

Q1: Can salary payments made via UPI be reversed if payroll details are changed fraudulently?
In most cases, salary payments made through UPI after a fraudulent update of bank accounts are difficult to reverse quickly. While banks may attempt recovery, if funds are withdrawn by fraudsters, the process can be lengthy and uncertain.

Q2: How can HR employees identify phishing emails trying to steal their email account credentials?
Phishing emails often contain urgent language, generic greetings, suspicious URLs, or requests to enter credentials on unofficial websites. Verifying links by hovering over them and contacting internal IT teams before responding helps identify such emails.
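The sender and link checks described in this answer, written out as a mail-filter style function. This is an added example, not part of the original article; the corporate domain, the display-name keywords and the sample message are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

CORP_DOMAIN = "example.co.in"                            # placeholder corporate domain
INTERNAL_NAMES = ("helpdesk", "payroll", "it support")   # assumed display-name keywords

# Constructed sample message imitating an internal helpdesk notice.
SAMPLE = """\
From: "IT Helpdesk" <support@example-co-in.mail-login.test>
Reply-To: helpdesk@mail-login.test
To: hr.manager@example.co.in
Subject: Urgent: mailbox password expires today

Dear user, sign in at https://example-co-in.mail-login.test/owa to keep access.
"""


def _on_corp(host):
    """True if host is the corporate domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == CORP_DOMAIN or host.endswith("." + CORP_DOMAIN)


def check_message(raw):
    """Return a list of warning flags for one raw, single-part text email."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    flags = []
    # The display name claims an internal team, but the full address is external.
    if any(k in name.lower() for k in INTERNAL_NAMES) and not _on_corp(from_domain):
        flags.append("internal display name, external address")
    # Replies would go to a different domain than the one shown in From.
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    if reply_domain and reply_domain.lower() != from_domain.lower():
        flags.append("Reply-To domain differs from From")
    # Links that lead off the corporate domain, e.g. a look-alike login page.
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        host = urlparse(url).hostname or ""
        if not _on_corp(host):
            flags.append("link to non-corporate host: " + host)
    return flags
```

These checks only cover the credential-phishing step. A payroll change request sent from an HR mailbox that is already compromised passes all of them, which is why such requests still need confirmation outside email.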

Q3: Is there any government helpline or portal to report this specific type of payroll email fraud?
Yes, victims can report to the Ministry of Home Affairs’ cybercrime helpline at 1930 and file complaints on the Indian Cyber Crime Coordination Centre’s website at cybercrime.gov.in for prompt action.

For any suspicious payroll or HR-related messages, always verify on BharatSecure.app. If you suspect fraud, report it immediately to cybercrime authorities at 1930.

Disclaimer: This article describes a pattern of fraud reported in public sources for public-safety awareness. It is not legal, financial, or medical advice. To request correction or removal of any content, write to hello@bharatsecure.app.
