The Money Overview

Send paychecks into a secondary checking account and sweep the money to your main one — if a scammer reroutes a single direct deposit, your bills are still safe

One redirected paycheck is all it takes. A scammer phishes an employee’s login credentials, slips into the company’s self-service payroll portal, swaps the direct-deposit routing number, and collects the next check before anyone notices. Rent bounces, the auto-loan draft fails, and late fees start piling up while the bank investigates. The FBI has warned about this exact scheme, and the bureau’s Internet Crime Complaint Center logged more than $2.9 billion in business email compromise losses in 2023 alone, a category that increasingly includes payroll diversion.

There is a surprisingly simple structural defense most workers never consider: route every paycheck into a secondary “buffer” checking account, then sweep the money to your primary bill-paying account on your own schedule. If a criminal hijacks one deposit, the account that actually covers your mortgage, utilities, and insurance stays funded.

How payroll diversion fraud actually works

The FBI has published a public service announcement (still active as of mid-2026) detailing how attackers clone employee self-service websites to harvest usernames and passwords. The spoofed portals typically reach workers through phishing emails or text messages that look like they came from HR or a payroll provider such as ADP or Workday. Once inside, the attacker changes the direct-deposit destination so future paychecks, HSA contributions, and even retirement payments flow to an account the employee never opened.

The IC3 reinforced that warning in a 2018 advisory on business email compromise. While the advisory focuses on BEC broadly rather than payroll diversion alone, it notes that criminals target payroll data, including W-2 records and deposit routing details, as one component of larger BEC campaigns. The advisory urged both employers and employees to verify any bank-information change before it takes effect.

The tactic is not new. As far back as 2010, CISA, the Secret Service, the FBI, and the Financial Services Information Sharing and Analysis Center jointly released a corporate account-takeover advisory pushing businesses and banks to harden authentication. FinCEN followed in 2011 with Advisory FIN-2011-A016, directing financial institutions to watch for sudden changes in user profiles and file Suspicious Activity Reports when warranted. Payroll diversion is a modern twist on the same playbook: steal credentials, then redirect money. What has changed is scale. Many employers now let workers update banking details online without a phone call or in-person visit, which means a single convincing fake login page is often the only barrier between a criminal and someone’s next paycheck.

Federal rules cap your losses, but not the chaos in between

Regulation E, the federal rule governing electronic fund transfers, does offer real protection after the fact. Under 12 CFR 1005.6, a consumer’s liability for an unauthorized transfer can be as low as zero when the fraud is reported promptly. And under 12 CFR 1005.11, a financial institution generally must investigate a reported error and, in many cases, provisionally credit the consumer’s account within ten business days.

Ten business days sounds manageable until you map it onto a calendar. Factor in weekends and a holiday or two, and that window can stretch past two weeks. For accounts open fewer than 30 days, or for certain transaction types such as point-of-sale or foreign-initiated transfers, the institution may take up to 45 calendar days before a provisional credit is required. During that gap, automatic bill payments tied to the compromised account can fail one after another. Late fees, overdraft charges, and negative marks on a credit report can all cascade from a single missing paycheck, even if the bank ultimately restores every dollar.

The Consumer Financial Protection Bureau has published guidance clarifying that institutions must treat an unauthorized electronic transfer as an error whether it involves a stolen debit card or compromised online credentials. The CFPB also advises consumers to report suspected fraud immediately and keep written records of every communication with their bank. Still, the strongest position is to keep essential bill money out of the blast radius altogether.

Note that Regulation E governs the relationship between the consumer and the financial institution. Whether an employer bears separate liability for failing to secure its payroll portal or for processing a fraudulent routing change without verification is a question that depends on the specific facts, the employment agreement, and potentially state law. Federal wage-and-hour rules generally require that employees receive the pay they earned, but the legal path to holding an employer accountable for a third-party diversion is not straightforward. If your employer’s portal was the entry point, document everything and consult an employment attorney if the bank recovery process stalls.

How a buffer checking account limits the damage

The setup takes about 15 minutes. Open a low-fee or no-fee checking account, either at your current bank or a different institution, and designate it as the sole destination for your employer’s direct deposit. Your mortgage, utilities, car payment, insurance, and every other recurring debit stay linked to your original primary account. After each payday, you transfer what you need from the buffer to the bill-paying account and leave only a small residual balance behind.

Because the employer portal only ever stores the buffer account’s routing and account numbers, a successful credential theft diverts funds away from the account that actually runs your household. Your automatic payments keep clearing. Your landlord or mortgage servicer never sees a returned payment. You still need to recover the stolen deposit, but you are doing it from a position of stability rather than crisis.

This structure does not prevent payroll diversion, and it does not change a bank’s obligations under Regulation E. What it buys you is time. While you and your financial institution work through the investigation, the primary account keeps operating normally as long as it holds enough to cover near-term bills. For households living paycheck to paycheck, even one cycle’s worth of breathing room can be the difference between a stressful inconvenience and a spiral of bounced payments and penalty fees.

One thing to watch: keep the buffer account’s debit card locked or, better yet, decline one at account opening. The buffer exists to receive and forward money, not to make purchases. A debit card tied to it just creates another attack surface.

Practical questions before you set it up

Most banks and credit unions let customers open a second checking account with minimal friction, often through the same online banking portal you already use. Look for an account with no monthly maintenance fee, or one that waives the fee with any direct deposit, since the payroll deposit itself will satisfy that requirement. Internal transfers between accounts at the same bank are typically instant and free. If you open the buffer at a different institution, expect standard ACH transfers to take one to two business days; plan your sweep timing accordingly so bills do not hit before the money arrives.

Avoid using Zelle or other instant-transfer services to move money out of the buffer. Zelle payments are designed for person-to-person transfers and are generally irrevocable once sent. If a scammer somehow gains access to the buffer account and initiates a Zelle transfer, recovery options are extremely limited compared with a standard ACH dispute under Regulation E. Stick to internal bank transfers or scheduled ACH sweeps for moving money from the buffer to your primary account.

If your employer’s payroll system limits you to a single direct-deposit destination, the buffer account simply becomes that one destination, and you sweep from there. Some workers prefer to split deposits at the payroll level, sending a fixed amount to the bill-paying account and the remainder to a secondary account. That approach has its own merits for budgeting, but it partially defeats the buffer strategy because the employer portal then stores routing details for both accounts. If the goal is to keep the bill-paying account’s information off the portal entirely, a single-destination deposit into the buffer is cleaner.

Gig workers and independent contractors paid through platforms like Gusto, Square Payroll, or direct ACH face a slightly different setup process, but the principle holds: the platform only needs to know about the buffer account, and you move money to your primary account on your own terms.

What to do if a deposit disappears

Even with a buffer in place, you need a plan for the moment you notice a paycheck did not land. First, contact your employer’s payroll or HR department immediately; they can confirm where the deposit was sent and, in some cases, initiate a recall through their bank. Second, file a complaint with your financial institution under Regulation E so the investigation clock starts. Third, report the incident to the FBI’s IC3 at ic3.gov and to the FTC at IdentityTheft.gov. Keep copies of every email, chat transcript, and confirmation number. The paper trail matters if the investigation drags past the provisional-credit window.

Layer the buffer with basic security habits

No account structure substitutes for the fundamentals. Navigate directly to your employer’s portal using a saved bookmark rather than clicking a link in an email or text that claims to come from HR. Enable multifactor authentication wherever it is available. Use a unique, complex password for every payroll and banking login, stored in a reputable password manager such as 1Password or Bitwarden. Review every pay stub and bank statement promptly so you catch discrepancies before a second pay cycle passes.

Employers carry responsibility here too. Adding out-of-band verification for deposit changes, such as a confirmation call or a code sent to a previously registered phone number, makes it far harder for an attacker who only has portal credentials to complete the reroute. Monitoring for unusual login locations or times and running regular phishing-awareness training further reduce the odds that an employee’s credentials end up on a spoofed site.
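The two employer-side controls described above can be made concrete. The following is an added example in Python, not code from the article or from any payroll provider named on the page: it holds every direct-deposit change until the employee confirms it with a one-time code sent to the phone number already on file (never a number submitted alongside the change), and it flags changes that follow a login from a location the employee has never used before. The audit log lines, user names, geo codes and phone number are constructed for the example; the `DepositChangeDesk` class and its method names are illustrative, not any real system's API.

```python
"""Added example (not the article's or any payroll vendor's code): employer-side
controls for direct-deposit changes. All log lines, users, geos and phone
numbers below are constructed for illustration."""
from datetime import datetime, timedelta, timezone
import hmac
import secrets

# Constructed audit log: "<iso-timestamp> <EVENT> key=value ...".
AUDIT_LOG = [
    "2024-03-01T08:02:11Z LOGIN user=asmith ip=203.0.113.10 geo=US-OH",
    "2024-03-01T08:04:09Z BANK_CHANGE user=asmith acct_last4=1234",
    "2024-03-01T09:15:40Z LOGIN user=jdoe ip=198.51.100.77 geo=RO-B",
    "2024-03-01T09:17:02Z BANK_CHANGE user=jdoe acct_last4=9999",
]

# Locations each employee has logged in from historically (constructed).
KNOWN_GEOS = {"asmith": {"US-OH"}, "jdoe": {"US-TX"}}


def parse_log(lines):
    """Turn each audit line into a dict with a timezone-aware timestamp."""
    events = []
    for line in lines:
        ts, kind, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields["event"] = kind
        events.append(fields)
    return events


def flag_risky_changes(events, known_geos, window=timedelta(hours=1)):
    """Return users whose BANK_CHANGE followed, within `window`, a login from a
    geo not in their known set (or had no recent login at all)."""
    last_login = {}  # user -> most recent LOGIN event seen so far
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "LOGIN":
            last_login[ev["user"]] = ev
        elif ev["event"] == "BANK_CHANGE":
            login = last_login.get(ev["user"])
            recent = login is not None and ev["ts"] - login["ts"] <= window
            if not recent or login["geo"] not in known_geos.get(ev["user"], set()):
                flagged.append(ev["user"])
    return flagged


class DepositChangeDesk:
    """Holds a requested bank-detail change until the employee confirms it
    out of band with a one-time code sent to the phone registered beforehand."""
    CODE_TTL = timedelta(minutes=10)

    def __init__(self, registered_phones, send_sms, now=lambda: datetime.now(timezone.utc)):
        self.phones = registered_phones   # user -> phone on file BEFORE the request
        self.send_sms = send_sms          # callable(phone, message); injected for testing
        self.now = now                    # clock, injected so expiry can be exercised
        self.pending = {}                 # user -> (new_account, code, expires_at)
        self.active = {}                  # user -> confirmed account details

    def request_change(self, user, new_account):
        phone = self.phones[user]  # deliberately ignores any phone sent with the change
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (new_account, code, self.now() + self.CODE_TTL)
        self.send_sms(phone, f"Payroll: confirm direct-deposit change with code {code}")
        return "pending"

    def confirm_change(self, user, code):
        entry = self.pending.get(user)
        if entry is None:
            return "no_pending_change"
        new_account, expected, expires_at = entry
        if self.now() > expires_at:
            del self.pending[user]
            return "expired"
        if not hmac.compare_digest(code, expected):  # constant-time comparison
            return "rejected"
        del self.pending[user]
        self.active[user] = new_account
        return "confirmed"


def run_demo():
    """Exercise both controls on the constructed data and report what happened."""
    flagged = flag_risky_changes(parse_log(AUDIT_LOG), KNOWN_GEOS)
    sent = []
    clock = [datetime(2024, 3, 1, 9, 17, tzinfo=timezone.utc)]
    desk = DepositChangeDesk({"jdoe": "+1-555-0100"}, lambda p, m: sent.append((p, m)),
                             now=lambda: clock[0])
    desk.request_change("jdoe", {"routing": "000000000", "acct_last4": "9999"})
    code = sent[0][1].rsplit(" ", 1)[1]
    wrong = desk.confirm_change("jdoe", "000000" if code != "000000" else "111111")
    right = desk.confirm_change("jdoe", code)
    desk.request_change("jdoe", {"routing": "000000000", "acct_last4": "4321"})
    code2 = sent[1][1].rsplit(" ", 1)[1]
    clock[0] += timedelta(minutes=11)  # let the second code lapse
    expired = desk.confirm_change("jdoe", code2)
    return {"flagged": flagged, "sms_to": sent[0][0], "wrong": wrong,
            "right": right, "expired": expired, "active": desk.active}


if __name__ == "__main__":
    print(run_demo())
```

In the constructed log, `jdoe`'s change follows a login from a geo never seen for that account, so it is flagged for review, while `asmith`'s change after a familiar login is not. Independently of that check, no change becomes active until the code delivered to the pre-registered phone is echoed back within its validity window; an attacker holding only portal credentials cannot complete the reroute.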

Why one extra account changes the math on payroll fraud

Combined with Regulation E protections and sound security habits, a buffer-account structure turns payroll diversion from a potentially devastating surprise into a contained, recoverable event. A scammer may grab one paycheck. Your bills keep getting paid while you get it back.

Daniel Harper

Daniel is a finance writer covering personal finance topics including budgeting, credit, and beginner investing. He began his career contributing to his Substack, where he covered consumer finance trends and practical money topics for everyday readers. Since then, he has written for a range of personal finance blogs and fintech platforms, focusing on clear, straightforward content that helps readers make more informed financial decisions.
