Attack type
Payroll fraud, before the deposit redirects.
Direct-deposit changes, benefits redirects, and W-2 lures targeting your HR and payroll teams — the highest-loss-per-incident social engineering attack we track.
What we see in the wild
The patterns landing on your employees’ phones.
“I need to update my direct deposit before Friday’s run” — sent to payroll from a spoofed employee number
Coordinated waves around pay-cycle dates and open enrollment windows
PEO and payroll-provider impersonation of HR admins
WhatsApp follow-up after an SMS to add legitimacy
Why traditional tools miss it
Payroll teams operate over a mix of channels that nobody centrally logs. By the time finance reconciles the missing paycheck, the attacker has cashed out and rotated infrastructure.
How SmishAlert surfaces it
Captures direct-deposit-change patterns in the moment, correlates against your HR team’s reporting fingerprints, and routes findings to your SOC and to your payroll vendor for action.
What this looks like in a 30-day window.
Concentrated around pay-cycle dates in a 30-day window.
FAQ
Questions security leaders ask
How do I stop direct-deposit change fraud targeting payroll?
Direct-deposit fraud arrives as messages to payroll and HR staff, outside any channel your SOC logs. SmishAlert captures the direct-deposit-change pattern in the moment it’s reported, correlates it across your team, and routes findings to your SOC and payroll vendor before the deposit changes.
Why is payroll fraud so hard to catch with existing tools?
Payroll teams work across SMS, chat, and phone — channels nobody centrally logs. By the time finance reconciles a missing paycheck, the attacker has cashed out. SmishAlert gives payroll and HR a one-tap way to report, and gives security the correlated record.
When do payroll fraud campaigns spike?
We see coordinated waves around pay-cycle dates, open enrollment, and W-2 season. A SmishAlert 30-day exposure pilot timed to a pay cycle surfaces these waves as named campaigns rather than isolated reports.
What does a payroll-fraud exposure pilot include?
Deploy SmishAlert to your payroll, HR, and finance teams for 30 days. You receive a finance-specific executive report quantifying direct-deposit redirect attempts, staff targeted, and any coordinated waves.