
Staying safe from the latest HR and payroll scams in 2025 in summary:

In this blog, Cezanne’s own Compliance Manager, Sarah Griffiths, gives some excellent tips on how to avoid increasingly sophisticated HR and payroll scams.

  • Phishing and payroll diversion scams are on the rise, with fraudsters using increasingly sophisticated tactics – like AI-generated emails and fake identities – to trick HR teams into handing over sensitive data.
  • Practical steps like staff training, secure data sharing, and verification protocols are essential to prevent scams and protect both employee information and company funds.
  • Using a secure HR system like Cezanne reduces risk, with features like encryption, internal monitoring, and self-service tools that keep sensitive processes out of inboxes and in safe hands.

Remote work isn’t going anywhere – and neither are the cybercriminals trying to exploit it.

Since the shift to hybrid and remote working, phishing scams and payroll fraud targeting HR teams have exploded. From spoofed bank change requests to fake emails from ‘senior leaders’, these attacks are getting more sophisticated, and more convincing.

[Illustration: example of a scam email]

As HR and payroll professionals juggle policies, wellbeing, onboarding, and compliance, scammers are counting on people being too busy to double-check the finer details. But a moment’s distraction can lead to serious financial and reputational damage – and HR teams should always be on alert.

Payroll fraud is on the rise

Fraudsters now employ sophisticated social engineering tactics to impersonate employees or managers, requesting HR to change bank details, transfer funds or share personal information. Unfortunately, the rise of AI-generated emails and deepfakes makes these scams increasingly difficult to detect.

Most notably, payroll diversion scams – where attackers trick HR into redirecting salary payments to fraudulent bank accounts – have surged by 22% this year, particularly impacting sectors like education and healthcare. These exploded onto the scene during the early days of COVID-19 lockdowns as many companies were getting to grips with remote working for the first time.

However, as the world of work has adapted to remote and hybrid environments, cybercriminals have simply adapted their tactics accordingly. This type of fraud is commonly known as ‘phishing’, and sadly, it’s increasingly commonplace – with over 3.4 billion phishing emails being sent per day!

What is phishing, and how does it work?

Phishing is when someone tries to trick you – usually by email – into clicking on a dodgy link or handing over sensitive info. The emails often look legit: they might mimic your outsourced payroll provider, an employee, or even your CEO. But their goal is simple – gain access to money or data.

However, these types of scams aren’t just limited to emails. They can also show up in text or WhatsApp messages (aka smishing), phone calls (vishing), or even fake websites that look like official portals. With AI-generated content and spoofed caller IDs in the mix (even mimicking company employees), these scams are getting harder to spot, and easier to fall for.

That’s why it’s critical to build a culture of caution in your business and your workforce. If something feels off, slow down, double-check, question it, and don’t click until you’re absolutely sure.


How to protect your HR team (and business) from scams

Here are six practical ways to keep your HR department out of harm’s way:

1. Stay aware (and keep training)

Make sure everyone handling sensitive data understands the risks. GDPR breaches – accidental or not – can lead to big fines and serious reputational fallout. This isn’t just something that happens to huge multi-national corporations, either. In fact, small and mid-sized businesses are often targeted precisely because they’re seen as having weaker defences. A single slip-up can be costly – both financially and in terms of trust.

If you haven’t rolled out cybersecurity training for your team, now’s the time to act. Not sure where to start? The UK’s National Cyber Security Centre has a wealth of free online resources worth checking out.

2. Don’t take emails at face value

Phishing emails are often designed to create urgency: “update this” or “send that” RIGHT NOW! They play on pressure and panic – making you act before you think. It’s a classic tactic: the more rushed you feel, the less likely you are to double-check the sender or question the request. That’s why it’s so important to slow down, stay sceptical, and verify anything that feels even slightly off.

Always check the sender’s address carefully, and the format of the email. If something looks or feels off (like wanting to contact them on WhatsApp on a private number… a big red flag!), call, message, or independently verify before acting.

Never click “reply” to a suspicious email and don’t open any links or attachments unless you’re 100% sure.
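The checks described above (sender address and domain, Reply-To mismatch, urgency, a bank-detail change request, and a push to move to WhatsApp or a private number) can be automated as a first-line screen before payroll acts on a request. The following is an added example, not code from Cezanne or the original post; the company domain, the staff directory, the keyword lists and the sample message are all constructed for illustration.

```python
import email
import re
from email.utils import parseaddr
# Constructed for this example: the company's mail domain and a directory of
# display names -> the address actually on file for that person.
COMPANY_DOMAIN = "example-hr.co.uk"
DIRECTORY = {"jane doe": "jane.doe@example-hr.co.uk"}
BANK_TERMS = re.compile(r"\b(bank|account|sort code|iban|direct deposit)\b", re.I)
CHANGE_TERMS = re.compile(r"\b(change|changed|update|new)\b", re.I)
TEXT_CHECKS = [  # (pattern, red flag) pairs run over subject + body
    (re.compile(r"\b(urgent|asap|right now|immediately|today)\b", re.I), "urgency or pressure language"),
    (re.compile(r"\b(whatsapp|personal (mobile|number|phone)|text me)\b", re.I), "asks to move to WhatsApp or a private number"),
]
# Constructed sample: a payroll diversion attempt sent from a lookalike domain.
SAMPLE = """\
From: Jane Doe <jane.doe@example-hr-payroll.com>
Reply-To: jane.doe.private@webmail.example
Subject: Urgent: update my bank details before payroll

Hi, I have changed banks and need this month's salary paid into my new account.
Please update my sort code and account number today. I'm travelling, so
text me on WhatsApp rather than my work number. Thanks, Jane
"""
def _text(msg) -> str:
    # Subject plus every text/plain part, so multipart messages are covered too.
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            parts.append((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    return "\n".join(parts)

def screen_request(raw: str) -> list[str]:
    """Return the red flags found in a raw email; an empty list means none fired."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    reply = parseaddr(msg.get("Reply-To", addr))[1]
    from_dom, reply_dom = addr.rsplit("@", 1)[-1].lower(), reply.rsplit("@", 1)[-1].lower()
    text = _text(msg)
    flags = [flag for pattern, flag in TEXT_CHECKS if pattern.search(text)]
    if from_dom != COMPANY_DOMAIN:
        flags.append(f"sender domain '{from_dom}' is not the company domain")
    on_file = DIRECTORY.get(name.strip().lower())
    if on_file and on_file.lower() != addr.lower():
        flags.append(f"'{name}' is a known colleague, but the address is not the one on file")
    if reply_dom != from_dom:
        flags.append(f"Reply-To domain '{reply_dom}' differs from the From domain")
    if BANK_TERMS.search(text) and CHANGE_TERMS.search(text):
        flags.append("asks to change bank or payroll details")
    return flags  # any flag: hold the change and verify via contact details already on file
```

Run against the constructed sample it raises all six flags; the point is that a single flag is enough to hold the change and verify by calling the number already on file, never the one in the email.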


3. Report it immediately

Think you’ve been phished? Don’t keep it to yourself. Raise the alarm right away! Let IT know so they can block domains, scan for other threats, and lock things down if needed. Also flag it to senior leaders, payroll providers, or any external partners that could be targeted next.

4. Share data the smart way

Avoid emailing spreadsheets or files containing sensitive information. Even with passwords, they’re easily compromised. Use encrypted file transfer tools or, better yet, a secure HR platform with built-in access controls and audit trails. Treat your device like your wallet – don’t leave sensitive info lying around, and always lock it up when you’re out and about.

Also, always connect to secure, trusted Wi-Fi networks. Public hotspots, like the free Wi-Fi at your local Costa, might be tempting when you’re working on the move, but they often lack proper security protocols and may be crawling with cybercriminals waiting to pounce on unsuspecting devices.

5. Understand that payroll isn’t the only target for fraudsters

It’s not just payroll that scammers, fraudsters and con artists have their eye on. Recruitment is another key area where HR teams need to stay sharp. From fake job applications loaded with malware, to fraudsters posing as legitimate candidates – or even employers – recruitment scams are becoming more common, and more convincing.

Being hyper-vigilant during your hiring process isn’t just good practice: it’s essential for protecting your systems, your data, and your reputation. So, take practical steps like verifying candidate identities before interviews, using secure recruitment software platforms, and avoiding the temptation to download CVs or attachments from unknown sources.

Make sure everyone involved in hiring knows how to spot red flags – like inconsistencies in application details, unusual file types, or pressure to fast-track the process. A few simple checks can save you from a massive headache later.

6. Use a secure HR system (like Cezanne!)

One of the easiest ways to avoid falling victim to an HR scam is to remove email and dated paper-based processes from the equation altogether.

With a secure, cloud-based HR platform like Cezanne, you can manage bank details, personal info and payroll data all in one place – with encryption, role-based access, and ISO27001 certification baked in. From day one, the Cezanne HR system has been built with data security as a top priority.

The technology stack and application architecture were purpose-built to support a SaaS, multi-tenant environment that handles personal data. Core principles – confidentiality, integrity, and availability – are embedded at the heart of the system’s design. And, with its integrated payroll software, you can ensure employee data flows seamlessly and securely between HR and payroll, reducing manual input and minimising the risk of errors or fraud.

It also means fewer emails flying around with sensitive attachments – and a lot more confidence that your data is in safe hands.

Self-service features – like biometric security on mobile devices – let employees securely update their own records. You can also grant external providers limited access to just the data they need, helping reduce risk and keep your information up to date.

Preventing scams is everyone’s responsibility

Cyber threats aren’t just an issue for IT to deal with – they’re a people issue. From payroll to recruitment, HR sits at the heart of sensitive processes that scammers love to exploit. That’s why it’s vital for everyone in your organisation to stay informed, alert, and equipped with the right tools and training.

By fostering a culture of awareness and using secure HR systems like Cezanne’s, you’re not just protecting data: you’re protecting your people, your reputation, and your bottom line. Stay smart, stay safe, and make security part of your everyday routine.


About the author

Sarah Griffiths is Cezanne’s Compliance Manager. She has over fifteen years of IT and technology industry experience, including working on a range of compliance standards such as ISO9001, ISO14001 and ISO27001.

She has excellent knowledge and experience of compliance issues, auditing and risk management. Sarah helps clients meet their regulatory compliance and information security goals as they implement Cezanne’s HR solution. She also leads the ongoing development and maintenance of our ISO 27001 accreditation.
