Salary Redirection Payroll BEC Scam
Verdict: Suspicious | Risk Score: 9/10 | Severity: critical
Category: UPI, WhatsApp
How Salary Redirection Payroll BEC Scam Works
Overview:
The Salary Redirection Payroll BEC (Business Email Compromise) scam is a sophisticated fraud where cybercriminals pose as genuine employees and trick company HR or payroll staff into diverting salary payments to fraudulent accounts. This scam primarily targets payroll teams in Indian IT, BPO, SME exporters, and pharmaceutical firms. It is dangerous because the fraudsters use convincing spoofed emails, often appearing to come from a real employee, and exploit India’s reliance on digital payments and decentralized HR systems. Employees may not realize they are victims until their monthly salary fails to arrive.
How It Works:
1. Fraudsters research company staff and note upcoming salary days.
2. They send a carefully-crafted email—sometimes using generative AI tools—to imitate an employee, often citing reasons like "my bank account is frozen" or "I have switched banks."
3. The email includes new account details, typically linked to a mule UPI ID or a hacked bank account.
4. Payroll staff, especially in remote or decentralized offices, process the change based on the email request.
5. Company funds are transferred into the fraudster-controlled account; the money is quickly withdrawn or moved before detection.
6. The real employee only discovers the fraud when their missing salary comes to light.
India Angle:
In India, this scam thrives due to fast-growing UPI payroll channels, lack of strong email authentication (SPF/DKIM/DMARC), and remote working cultures. It is most common in IT, BPO, export, and pharma companies—often in metro cities like Bengaluru, Hyderabad, and Mumbai—where pay and HR processes are handled at scale. Both junior and senior staff are impersonated. Emails, WhatsApp follow-ups, and sometimes SMS are used, mainly in English and Hindi.
Real Examples:
- "Hi Sir, my account has been locked unexpectedly. Kindly update my salary credit to the attached new bank account for this month. Regards, Ramesh."
- HR receives an email appearing to be from a staff member, "This is urgent as I have ongoing EMIs. Please confirm when updated."
Red Flags:
- An unexpected email from an employee requesting a last-minute change in bank details.
- Messages citing account freezes, urgent financial problems, or system errors close to payday.
- Requests sent outside of normal working hours.
- Subtle differences in email address [ADDRESS_REDACTED].
- No verbal or official follow-up from the employee on other channels.
Protective Measures:
- Always verify bank change requests directly with the employee by phone, video call, or in person before making updates.
- Enable and monitor SPF/DKIM/DMARC for your business email system to detect spoofed mails.
- Implement a policy where salary account changes require dual approval and cannot be processed solely via email.
- Educate HR and payroll teams to watch for last-minute or urgent requests.
If Victimised:
- Immediately notify your company’s finance and IT security teams.
- Report the incident to the National Cybercrime Helpline (1930) and on cybercrime.gov.in.
- If funds have already been remitted, inform your bank and the RBI for swift action to freeze accounts.
Related Scams:
- Vendor Email Compromise (suppliers impersonated for invoice fraud)
- CEO Fraud (executive impersonation for fund transfers)
- Task/Work-From-Home scams (fake employer payroll requests)
How This Scam Works — Detailed Explanation
The Salary Redirection Payroll BEC scam begins with cybercriminals researching companies, specifically targeting sectors such as IT, BPO, SME exporters, and pharmaceuticals in India. They gather information from online job portals, social media sites like LinkedIn, or even through breaching company databases, identifying key employees in HR or payroll departments. Once armed with this information, scammers create a spoofed email address that closely resembles that of the real employee or even a member of the company's finance team. With compelling details in hand, they approach the HR or payroll staff, manipulating the situation to seem genuine.
To execute the scam, these fraudsters employ psychological tactics that capitalize on urgency and fear. For instance, they may send an email claiming that their salary account has been frozen or closed, forcing immediate action to re-route salaries to another account. The urgency is heightened by carefully worded messages, including statements like “please act quickly; I’ll be unavailable for the rest of the day” to prevent verification through traditional communication channels. Often, these emails will contain elements that mimic previous communications, further convincing recipients of their authenticity. This manipulation ensures that the payroll department feels a sense of duty to honor the request without verifying its legitimacy.
Once the scam is executed, the victim, typically a member of the HR or payroll staff, follows the instructions in the fraudulent email. They change the bank account details in the payroll system, believing they are helping a legitimate employee. Once the account on file is the fraudulent one, payments meant for the employee are diverted to the scammers. For example, if an employee's salary of ₹50,000 is redirected, the victim will likely not realize they’ve been scammed until the actual employee raises questions about their pay. Even then, it may take days before the impact is noticed, escalating the damage.
The scale of this scam is alarming, as evidenced in 2022, when reports indicated that ₹1,500 crore were lost nationwide in business email compromise scams alone. Authorities like the Ministry of Home Affairs (MHA) and the Reserve Bank of India (RBI) have raised alarms about the rising incidents of such cybercrimes. The Indian Cyber Crime Coordination Centre (I4C) has listed this scam under critical threats, emphasizing the need for immediate action and awareness. Victims are often left grappling with financial loss, emotional distress, and even damage to their reputations, particularly in small and medium enterprises reliant on trust-based relationships.
To spot this scam, employees should be wary of last-minute requests for changes to bank account details, especially when they come without direct in-person verification or official calls. Legitimate requests typically allow time to validate claims. It’s crucial for employees to scrutinize sender email addresses for tiny discrepancies and remain alert to unusual sending times, like off-hours. If a communication is unexpectedly urgent and lacks corroboration, it warrants caution: verification through secure channels should take precedence over compliance with the email request.
Who Does Salary Redirection Payroll BEC Scam Target?
General public across India
Red Flags — How to Identify Salary Redirection Payroll BEC Scam
- Last-minute email request to change salary bank account
- Cited reasons like 'frozen' or 'closed' account
- No in-person or official call verification
- Unusual sender email or odd timing (off-hours)
- High urgency pushed by supposed employee
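An added example (not BharatSecure's code) that checks one inbound bank-change email for the red flags listed above, using only Python's standard library. The address on file, the gateway name mx.corp.example and both sample messages are constructed, and the Authentication-Results header is assumed to be stamped by your own mail gateway.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed data: address on file, and pretext words quoted on this page.
ON_FILE = ["ramesh.kumar@corp.example"]
PRETEXTS = ("urgent", "frozen", "locked", "closed", "switched banks")

def red_flags(raw, on_file=ON_FILE, work_hours=range(9, 19)):
    """Return the red flags present in one raw email (headers + body)."""
    msg = message_from_string(raw)
    flags = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender not in on_file:
        # A one-character swap scores about 0.96; unrelated addresses fall below 0.85.
        near = difflib.get_close_matches(sender, on_file, n=1, cutoff=0.85)
        flags.append("lookalike-sender" if near else "unknown-sender")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != sender:
        flags.append("reply-to-differs")
    # Trust this header only when your own mail gateway added it.
    if "dmarc=pass" not in msg.get("Authentication-Results", "").lower():
        flags.append("dmarc-not-pass")
    if msg["Date"] and parsedate_to_datetime(msg["Date"]).hour not in work_hours:
        flags.append("off-hours")
    text = f'{msg.get("Subject", "")} {msg.get_payload()}'.lower()
    if any(p in text for p in PRETEXTS):
        flags.append("urgency-pretext")
    return flags

def triage(raw):
    # Email alone never authorises the change: a clean message still needs a callback.
    return "hold-and-escalate" if red_flags(raw) else "verify-by-callback"

# Constructed sample messages (reserved .example domains).
SPOOFED = """\
From: Ramesh Kumar <ramesh.kumar@c0rp.example>
Reply-To: payroll.update@mail.example
Date: Thu, 27 Feb 2025 23:40:00 +0530
Authentication-Results: mx.corp.example; dmarc=fail header.from=c0rp.example

My account has been locked unexpectedly. Kindly update my salary credit.
"""
GENUINE = """\
From: Ramesh Kumar <ramesh.kumar@corp.example>
Date: Mon, 10 Feb 2025 11:05:00 +0530
Authentication-Results: mx.corp.example; dmarc=pass header.from=corp.example

I have opened a new salary account; I will call payroll to confirm the details.
"""
```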
What To Do If You Encounter Salary Redirection Payroll BEC Scam
- Report any suspicious emails to the cybercrime helpline 1930 or visit cybercrime.gov.in.
- Verify any bank account changes with the employee through official communication methods.
- Contact your bank immediately if you suspect funds have been diverted — SBI at 1800-11-1109, HDFC at 1800-202-6161.
- Educate colleagues and employees about this scam to create a more aware workforce.
- Set up a double-verification policy for any changes in payroll or bank details.
- Regularly review and audit payroll processes to identify any irregularities.
How to Report Salary Redirection Payroll BEC Scam in India
- Call 1930 — National Cyber Crime Helpline (24x7)
- File a complaint at cybercrime.gov.in
- Contact your bank immediately if money was lost
- Call RBI helpline: 14440 for banking fraud
Frequently Asked Questions
- What should I do if I inadvertently changed salary details due to a scam?
- Immediately contact your bank to secure your account and reach out to 1930 for guidance on reporting the incident.
- How can I identify spoofed emails in the Salary Redirection Payroll BEC scam?
- Look for unusual sender addresses, spelling errors, and requests for urgent action without verification steps. Always confirm via other communication means.
- How can I report the Salary Redirection Payroll BEC scam in India?
- You can report this type of scam by calling 1930 or visiting cybercrime.gov.in. It's also advisable to notify your bank about any suspicious transactions.
- What recovery options do I have after falling victim to this scam?
- Contact your bank immediately for potential recovery options, report the incident to 1930, and keep all documentation to assist law enforcement in any investigations.