How Payroll Diversion via Voice Cloning Works

Payroll diversion is not a new fraud category — criminals have been attempting it by email for years. What voice cloning adds is the most convincing possible authentication: the employee's own voice. The attack follows a consistent pattern:

1. Criminal identifies the target employee

The attacker selects an employee — typically someone mid-to-senior level whose paycheck is worth diverting. LinkedIn, company directories, and social media provide names, titles, and often phone numbers. For executive impersonation attacks, the target is the CEO, CFO, or another officer whose voice can be sourced from public recordings.

2. Criminal clones the employee's or executive's voice

For executive impersonation, audio is sourced from publicly available recordings — all-hands meetings, conference appearances, company videos, earnings calls. For employee impersonation, audio may be sourced from company videos, internal meeting recordings leaked or shared, or social media. As little as 3 seconds of clean audio is sufficient for a convincing real-time clone.

3. Criminal calls HR and requests a direct deposit change

The attacker calls the HR department or payroll team, using the cloned voice and spoofing the employee's actual phone number. The request is simple: "I just opened a new bank account and need to update my direct deposit before the next payroll run." The scenario is completely routine — HR processes direct deposit changes regularly. The voice sounds exactly like the employee. The number matches their file.

4. HR processes the change

The HR or payroll staff member, hearing a familiar-sounding voice and receiving what appears to be a routine employee request, updates the direct deposit information in the payroll system. The change shows no red flags — it is a standard account update with a legitimate-seeming bank routing and account number.

5. Paycheck deposits to fraudulent account

On the next payroll run, the employee's payment processes normally through all internal systems and deposits to the fraudulent account. The fraud is not discovered until the employee reports a missing paycheck — often days after the payroll run. By that point, the funds have typically been withdrawn or transferred out of the receiving account.

400%+ growth in voice clone fraud in 2025. Deepfake vishing attacks grew 1,633% in Q1 2025 alone (Keepnet Labs). HR departments that handle direct deposit changes by phone are operating in a threat environment that has fundamentally changed.

Attack Variations Beyond Basic Payroll Diversion

Executive Impersonation for Off-Cycle Payroll

A criminal clones a CEO or CFO's voice and calls the payroll director or HR leader directly. The request is for an off-cycle payroll run — a "confidential retention bonus" for a key employee, an "emergency payment" that must clear before end of month, or an "advance" on a future payroll cycle. For organizations that outsource payroll to an external firm, these attacks are often routed through the accounting or CPA firm managing the payroll relationship instead. The executive instructs the payroll team to process the payment quickly and to keep it confidential until it clears. Both instructions prevent verification: the urgency bypasses the standard approval process, and the confidentiality instruction prevents the payroll team from consulting colleagues.

Vendor and Benefits Provider Impersonation

A criminal poses as a representative from a benefits provider — a 401(k) administrator, health insurance carrier, or FSA vendor — and calls the HR or benefits coordinator claiming a "banking update" is needed to process employer contributions or employee premium payments. The HR coordinator, accustomed to interactions with benefit vendors, provides updated ACH information or authorizes a redirect of employer benefit payment flows to a fraudulent account.

New Hire Fraud via Voice Cloning

A criminal applies for a position with a fabricated identity, successfully navigates the hiring process, and is onboarded as a new employee. Then, using voice cloning to impersonate a hiring manager or HR director, the criminal calls the payroll setup team and provides fraudulent banking information for their own "new hire" payroll account — or modifies a legitimate new hire's onboarding information to redirect their first paycheck. This attack is particularly sophisticated and indicates a high level of pre-attack reconnaissance.

Voice-Based Employee Data Extraction

Not all voice-based HR attacks target payroll directly. A criminal posing as an executive or HR colleague can call HR staff and request sensitive employee data — Social Security numbers, salary information, benefits elections, emergency contacts — under the pretext of a legitimate business need. This data is then used for identity theft, tax fraud (fraudulent W-2 filings), or to build more convincing pretexts for subsequent financial attacks against specific employees.

50%+ of all social engineering incidents in 2024-2025 now involve pretexting — surpassing email phishing for the first time. Pretexting means constructing a believable identity and scenario before the attack. Voice cloning makes pretexting dramatically more convincing.

Why HR Is Structurally Vulnerable

HR departments have a professional culture of responsiveness and service. Staff are hired and trained to help employees navigate their relationship with the organization — benefits questions, payroll issues, policy concerns. This service orientation is exactly what makes the department effective, and exactly what voice clone attackers exploit.

Remote and hybrid work has normalized the handling of sensitive HR changes by phone. Before 2020, a direct deposit change request might have required a form submitted in person or a visit to the HR office. Now, phone and email requests for sensitive changes are standard practice at most organizations. The behavioral baseline that voice clone fraud exploits — "of course you can update your direct deposit by calling HR" — was established and reinforced during years of remote work accommodation.

Additionally, HR staff often have access to the entire employee population's sensitive financial data. A single successful social engineering call to an HR generalist can expose payroll accounts for hundreds of employees, not just the individual being impersonated. The attack surface per HR employee is uniquely broad.

Only 18% of organizations train employees specifically on phone-based social engineering recognition. For HR and payroll staff — who are the primary targets of voice-based payroll diversion attacks — this training gap creates a direct financial risk to every employee in the organization.

HR-Specific Prevention Controls

1. Never process direct deposit changes based solely on a phone call

This is the single most important HR-specific control. Any request to change an employee's direct deposit banking information must require a written request submitted through the employee self-service portal (where the employee authenticates with their own credentials) plus a callback verification to the employee's existing number on file — not the number that called HR. A phone request alone, no matter how convincing the voice, is never sufficient authorization for a banking change.

2. Pre-agreed passphrase between executives and payroll

The CEO, CFO, and any other executive whose voice could be used to authorize an off-cycle payroll or special payment should establish a pre-agreed passphrase with the payroll director — a random, nonsensical phrase agreed upon face-to-face and never documented digitally. Any phone request for a payroll action from an executive that cannot supply the passphrase is not acted on, regardless of how convincing the voice sounds.

3. Secondary channel verification for any off-cycle payroll request

Any executive request for an off-cycle payroll run, emergency payment, or unusual compensation action must be confirmed through a completely separate channel — email from the executive's verified address plus a callback to a stored number, or in-person confirmation. The request cannot be acted on based on phone instruction alone. Urgency and confidentiality instructions from the caller are themselves red flags that should trigger more verification, not less.

4. Dual authorization for any payment above threshold

Off-cycle payroll runs and any payment above a defined dollar threshold should require independent authorization from two separate people through independent channels. Neither authorizer should rely solely on a verbal phone instruction. The second authorizer must independently verify the legitimacy of the request — not simply confirm what the first person told them.

5. Real-time AI voice detection on HR and payroll calls

Vicall's on-device synthetic voice detection gives HR and payroll staff a REAL VOICE or SYNTHETIC DETECTED verdict in under one second. When an employee or executive calls HR about a sensitive change, Vicall surfaces the verdict before the conversation proceeds to the request. A SYNTHETIC DETECTED verdict ends the call and triggers the verification protocol — regardless of how convincing the voice sounds.
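One way to make controls 1 through 4 above enforceable in a payroll workflow is a pre-processing gate that refuses to act on a change until the required evidence exists. The block below is an added illustration, not Vicall's or any payroll vendor's code; the data model, the channel names, and the dual-authorization threshold are assumptions, and the executive passphrase (control 2) is deliberately left out because it is agreed face-to-face and never stored digitally.

```python
from dataclasses import dataclass, field

DUAL_AUTH_THRESHOLD = 5000.0  # assumed dollar threshold for control 4


@dataclass
class Verification:
    channel: str             # "portal", "callback", "email", "in_person"; "phone" never counts
    by: str                  # who performed or supplied this verification
    number_called: str = ""  # for callbacks: the number HR dialed


@dataclass
class ChangeRequest:
    kind: str                    # "direct_deposit" or "off_cycle_payment"
    employee: str
    number_on_file: str          # stored HR contact number, never the inbound caller ID
    amount: float = 0.0
    urgent: bool = False         # caller pressed for speed
    confidential: bool = False   # caller asked HR to keep it quiet
    verifications: list = field(default_factory=list)
    authorizers: list = field(default_factory=list)  # (person, channel) pairs


def holds(req: ChangeRequest) -> list:
    """Return the holds that block processing; an empty list means it may proceed."""
    out = []
    counted = [v for v in req.verifications if v.channel != "phone"]
    channels = {v.channel for v in counted}
    # A callback only counts if HR dialed the stored number, not the caller's number.
    callback_ok = any(v.channel == "callback" and v.number_called == req.number_on_file
                      for v in counted)
    # Pressure tactics raise the verification bar; they never lower it.
    if req.urgent or req.confidential:
        out.append("pressure tactic (urgency/confidentiality): route to supervisor review")
    if req.kind == "direct_deposit":                       # control 1
        if "portal" not in channels:
            out.append("no authenticated self-service portal submission")
        if not callback_ok:
            out.append("no callback to the number on file")
    elif req.kind == "off_cycle_payment":                  # controls 3 and 4
        if not ("in_person" in channels or ("email" in channels and callback_ok)):
            out.append("no secondary-channel confirmation (verified email + callback, or in person)")
        if req.amount > DUAL_AUTH_THRESHOLD:
            people = {p for p, _ in req.authorizers}
            chans = {c for _, c in req.authorizers if c != "phone"}
            if len(people) < 2 or len(chans) < 2:
                out.append("dual authorization by two people over two independent channels missing")
    return out
```

A request backed only by the inbound call returns holds for every missing control, so the payroll system can refuse the update mechanically rather than relying on the staff member's judgment of how the voice sounded.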

Training HR Staff: Urgency Is the Primary Red Flag

KnowBe4's analysis of 67 million simulated security tests shows that security awareness training reduces susceptibility by 86% over 12 months. For HR staff specifically, training should focus on three reflexes: recognizing urgency as a social engineering signal rather than a service priority, requiring written confirmation before processing any sensitive change regardless of who is calling, and understanding that confidentiality instructions ("don't tell anyone about this") from a caller are a classic social engineering technique designed to prevent verification.

Simulated vishing exercises — where a trainer calls HR staff posing as an executive or employee requesting a sensitive change — are particularly effective. These exercises build the verification reflex in a low-stakes environment. HR staff who have practiced recognizing and responding to a cloned-voice scenario are measurably more resistant to the real attack.

What to Do If Payroll Was Diverted

  1. Notify the payroll processor immediately — request that any pending payment to the fraudulent account be halted or reversed before the next disbursement cycle.
  2. Contact the sending bank — if a wire has already processed, request a recall. Banks can only act if funds remain in the receiving account.
  3. Contact the receiving bank — provide the fraudulent account details and request a fraud hold.
  4. File an FBI IC3 report at ic3.gov — if the total loss across all diverted paychecks is $50,000 or more and is reported within 72 hours, the FBI's Financial Fraud Kill Chain can be activated. This mechanism froze $561.6 million in 2024.
  5. Contact the nearest FBI field office — particularly if multiple employees were targeted or if the attack appears coordinated.
  6. File an FTC report at reportfraud.ftc.gov.
  7. Notify affected employees — employees whose banking information was fraudulently changed should be notified immediately. They may also need to take steps to protect their personal bank accounts if those details were exposed.
  8. Preserve all evidence — call logs, any voicemails, the details of what was said during the fraudulent call, all payroll change records, and bank transaction documentation.

Frequently Asked Questions

Payroll diversion fraud occurs when a criminal contacts an HR or payroll department — typically by phone — posing as an employee and requests a change to the employee's direct deposit banking information. If the change is processed, the employee's next paycheck is deposited into an account controlled by the fraudster rather than the employee's actual account. Voice cloning makes this attack far more convincing because the caller sounds exactly like the employee being impersonated.

HR staff are selected and trained to be responsive, empathetic, and action-oriented when employees have needs. This service orientation is a professional strength — and a structural vulnerability to social engineering. Attackers exploit this by framing requests as urgent personal matters: "I just switched banks and need my direct deposit updated before Friday's payroll run." The HR professional's instinct is to help, not to suspect.

A criminal clones an executive's voice — typically a CEO or CFO — and calls the payroll department or HR director requesting an urgent off-cycle payroll payment or a special bonus disbursement. The executive's voice is often publicly available from all-hands recordings, conference appearances, or company videos. The cloned voice creates urgency: "I need this processed today, it's a confidential retention payment." Payroll staff, hearing a familiar authority figure, may process the request before verifying.

Notify the payroll processor immediately to halt or reverse any pending payments to the fraudulent account. Contact the sending bank to request a wire recall. Contact the receiving bank with full account details. File an FBI IC3 report at ic3.gov — if the loss is $50,000 or more and reported within 72 hours, the FBI's Financial Fraud Kill Chain can freeze funds. File an FTC report at reportfraud.ftc.gov. Preserve all evidence including call logs and any communications.

Yes. A criminal posing as an executive or HR colleague can call HR staff and request sensitive employee data — Social Security numbers, benefits information, salary details — under the pretext of a legitimate business need. This data can then be used for identity theft, tax fraud, or to build more convincing pretexts for subsequent financial fraud. The same verification protocols that protect against payroll diversion also protect against voice-based data extraction.


Protect Your Organization From Voice Clone Fraud.

Vicall detects synthetic voices in under one second — on-device, no cloud, any phone. Deploy for your team through the MSP portal.

