What Should HR and Payroll Do in the First Hour After Wire Fraud?

The first hour after a payroll fraud is discovered determines whether any funds are recoverable. Wire and ACH transactions clear quickly — every minute between discovery and a recall request increases the probability that funds have been withdrawn from the destination account. Two parallel tracks must open simultaneously: the financial recovery track through your bank and payroll processor, and the internal incident track through your executive team.

01

Call bank wire fraud desk AND payroll processor fraud line simultaneously

Do not call one and then the other — call both at the same time using separate phones or assign two team members to each call. For wire transfers, your bank's wire fraud desk can issue an urgent recall request to the receiving bank while funds are still in transit. For ACH direct deposit fraud, your payroll processor must initiate the NACHA return file. Key payroll processor fraud lines: ADP: 800-225-5237 | Paychex: 877-229-2436 | Gusto: in-app fraud report via Settings → Support. If you use a regional payroll bureau, locate their emergency fraud line before you need it — call during business hours and save the number now.

02

Document all direct deposit change requests and authorization records

Preserve everything: call logs, any voicemails, payroll system change records showing when the fraudulent banking update was made and by whom, any emails or portal submissions related to the change, and the payroll run records showing which employees were affected and total amounts. Do not alter, delete, or "clean up" any records — forensic investigators and law enforcement need original artifacts. If the fraudulent request came through a potentially compromised email account or phone system, notify IT immediately and use a separate, uncompromised channel for all subsequent communications about the incident.

03

Alert CFO and CHRO immediately

The CFO must authorize the emergency wire recall request (banks often require executive authorization for large recall requests) and must reserve funds from operating accounts to re-pay affected employees on schedule — do not wait for recovery before reserving re-payment funds. The CHRO must be looped in immediately to coordinate employee notification timing and to engage employment counsel before any communication goes to affected employees. Use a verified, uncompromised communication channel — if company email is suspected in the fraud vector, use personal phones or a dedicated out-of-band communication channel.

04

Do not use potentially compromised systems or email

If the fraud originated from or was enabled by a compromised email account, shared payroll system credential, or a device that was used in the fraudulent call, quarantine those systems immediately. Continuing to use a compromised system risks contaminating evidence and potentially enabling a follow-on attack. Coordinate all incident response communications through uncompromised channels — this may mean personal mobile phones, a secondary conference call service, or an in-person meeting for the initial response team.

05

Identify which employees were affected and which payroll run was hit

Pull the payroll run records to identify every employee whose direct deposit was redirected to the fraudulent account. Document the payroll run date, total gross affected payroll, number of employees, and payroll period covered. This list is needed immediately for: (a) re-payment prioritization, (b) IC3 filing, (c) bank recall request specifics, (d) employee notification, and (e) insurance claim documentation. If only certain employees were targeted (e.g., only those who called HR in the prior two weeks requesting a banking change), the scope of the attack may be narrower — document this for law enforcement.
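One way to build that scope list from exported records, as an added example that is not part of the original page. The record layout, field names, employee IDs and account strings are constructed assumptions; the 14-day lookback, the 5-banking-day ACH window and the 72-hour IC3 window are the figures this guide uses.

```python
from datetime import date, datetime, timedelta
from decimal import Decimal

UNVERIFIED_CHANNELS = {"phone", "email"}  # channels this guide treats as unverified

# Constructed sample records; employee IDs and account strings are made up.
PAYMENTS = [
    {"emp": "E101", "amount": Decimal("4200.00"), "account": "TEST/9911", "method": "ACH"},
    {"emp": "E102", "amount": Decimal("3900.50"), "account": "TEST/5550", "method": "ACH"},
    {"emp": "E103", "amount": Decimal("5100.00"), "account": "TEST/9911", "method": "ACH"},
    {"emp": "E104", "amount": Decimal("61000.00"), "account": "TEST/7777", "method": "WIRE"},
    {"emp": "E105", "amount": Decimal("3800.00"), "account": "TEST/4242", "method": "ACH"},
]
CHANGES = [
    {"emp": "E101", "at": date(2025, 3, 10), "channel": "phone", "new_account": "TEST/9911"},
    {"emp": "E103", "at": date(2025, 3, 11), "channel": "email", "new_account": "TEST/9911"},
    {"emp": "E105", "at": date(2025, 3, 12), "channel": "phone", "new_account": "TEST/4242"},
    {"emp": "E102", "at": date(2025, 1, 5), "channel": "portal", "new_account": "TEST/5550"},
]


def add_banking_days(start, n, holidays=frozenset()):
    """Date n banking days after start; weekends and listed holidays do not count."""
    day = start
    while n > 0:
        day += timedelta(days=1)
        if day.weekday() < 5 and day not in holidays:
            n -= 1
    return day


def scope_incident(payments, changes, fraud_accounts, run_date, settled_on,
                   sent_at, lookback_days=14, holidays=frozenset()):
    """Build the scope summary needed for recall, IC3, re-payment and insurance."""
    affected = [p for p in payments if p["account"] in fraud_accounts]
    affected_ids = {p["emp"] for p in affected}

    # Unverified-channel changes shortly before the run that did not point at a
    # known fraud account: not confirmed victims, but they need manual review.
    earliest = run_date - timedelta(days=lookback_days)
    review = sorted({c["emp"] for c in changes
                     if c["channel"] in UNVERIFIED_CHANNELS
                     and earliest <= c["at"] <= run_date
                     and c["emp"] not in affected_ids})

    by_method = {}
    for p in affected:
        by_method[p["method"]] = by_method.get(p["method"], Decimal("0")) + p["amount"]

    return {
        "run_date": run_date,
        "employees_affected": sorted(affected_ids),
        "total_diverted": sum(by_method.values(), Decimal("0")),
        "by_method": by_method,
        "needs_review": review,
        # Deadlines use the figures this guide gives: 5 banking days after
        # settlement for ACH returns, 72 hours after the transfer for IC3.
        "ach_recall_deadline": add_banking_days(settled_on, 5, holidays),
        "ic3_deadline": sent_at + timedelta(hours=72),
    }


if __name__ == "__main__":
    summary = scope_incident(PAYMENTS, CHANGES, {"TEST/9911", "TEST/7777"},
                             run_date=date(2025, 3, 14), settled_on=date(2025, 3, 14),
                             sent_at=datetime(2025, 3, 14, 9, 0))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Pass the bank holiday calendar your bank uses as `holidays`; without it the ACH deadline only skips weekends.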

Wage claim alert: Affected employees have immediate wage claims under state labor law — employers cannot delay re-payment of wages even while recovering the fraudulent transfer. California, New York, and several other states require re-payment within one business day or by the next regular pay period. Consult employment counsel on your state's specific wage payment deadline before communicating any timeline to employees.

How Do You File an FBI IC3 Report for HR and Payroll Wire Fraud?

The FBI's Internet Crime Complaint Center (IC3) is the gateway to the Financial Fraud Kill Chain (FFKC), a coordinated bank-law enforcement mechanism that can freeze fraudulent wire transfers still in the banking system. For HR and payroll fraud, the FFKC is most effective on wire transfers — ACH direct deposit fraud has a separate, bank-driven recall process through NACHA that must run in parallel. Filing an accurate, complete IC3 report with payroll-specific data maximizes the probability of FFKC activation.

01

Go to ic3.gov and begin a new complaint immediately

Navigate to ic3.gov and select "File a Complaint." The FFKC requires IC3 filing within 72 hours of the fraudulent transfer for wire components. File as soon as you have the basic details — you can supplement with additional information after the initial filing. Do not wait until you have a complete picture of the fraud before filing; partial, timely information activates the Kill Chain faster than complete, delayed information.

02

Enter payroll-specific IC3 data accurately

Include all payroll-specific details in your IC3 filing: the payroll run date, total amount diverted, number of employees affected, your payroll processor's name and case number, and — critically — whether the fraud was an ACH direct deposit redirect or a payroll wire. These details determine which FBI units and bank contacts are engaged. Misclassifying ACH fraud as wire fraud can delay the response. If both mechanisms were used (e.g., a wire to a vendor and ACH redirects for employee payroll), file both in the same complaint.

03

Document the fraud vector: voice cloning, email compromise, or both

IC3 uses fraud vector data to classify and route complaints. For payroll diversion via voice cloning, indicate: business email compromise (BEC) if email was involved, vishing/phone fraud if the attack was voice-based, and social engineering as the method. Describe the voice cloning specifically — IC3 and the FBI are actively tracking AI-voice-enabled fraud and this classification affects which specialized unit receives the referral. Attach any call recordings, voicemails, or audio evidence if available.

04

Note the ACH vs. SWIFT distinction and pursue both simultaneously

ACH direct deposit fraud has a different recall mechanism than SWIFT wire fraud. NACHA Operating Rule 8.4 permits the originating bank to initiate an ACH return for up to 5 banking days after settlement for unauthorized entries. This recall goes through your payroll processor to the originating bank and then to the receiving bank via the ACH network — not through IC3. Pursue the ACH recall through your payroll processor and bank simultaneously with the IC3 filing. Do not assume IC3 covers ACH — it does not directly.

05

Follow up with your local FBI field office

After filing IC3, contact your nearest FBI field office directly — particularly if multiple employees were targeted, if the total loss is substantial, or if you have reason to believe the attack was coordinated or part of a broader campaign. The FBI's financial crimes and cyber squads in major field offices have dedicated BEC and payroll fraud investigators. Provide your IC3 complaint number to the field office. If the attack involved a vendor impersonation (e.g., ADP or Paychex were impersonated to re-route employer ACH instructions), the scope may extend beyond your organization and federal investigation is more likely.

66%: FBI Financial Fraud Kill Chain success rate for wire fraud complaints filed within 72 hours. In 2024, the FFKC froze or recovered $561.6 million — but only for those who filed IC3 quickly. Every hour of delay reduces the probability that funds remain in the destination account and are recoverable.

What Employer Legal Obligations Exist After Payroll Fraud Affects Employees?

Payroll fraud creates not just a financial loss but a matrix of employer legal obligations that must be managed simultaneously with recovery efforts. Wage law, tax law, data breach law, and potentially ERISA all create independent obligations with independent deadlines. HR compliance counsel should be engaged within the first few hours to prioritize and sequence these obligations correctly.

01

Wage and hour law: re-pay affected employees within the state deadline

The employer's obligation to pay earned wages is not interrupted by a fraudulent diversion: the employer is the fraud victim, and the fraud is not a legal excuse for non-payment of employee wages. State wage payment deadlines vary: California requires immediate payment of any delayed wages (DLSE guidance), New York requires payment by the next regular pay period (NY DOL), and Texas generally requires payment by the next regular payday (Texas TWC). Employers who fail to re-pay within the state deadline face wage claim exposure, including potential penalties and attorneys' fees in states with strong wage enforcement regimes. Reserve re-payment funds immediately and do not wait for recovery before re-paying.

02

IRS: W-2c correction and employment tax guidance

If the fraudulent payroll run distorted payroll tax records — because payroll taxes were withheld from wages that never reached the correct employees, or because the payroll run created tax records that do not match employees' actual income — the employer may need to file Form W-2c (Corrected Wage and Tax Statement) for affected employees. Employment taxes withheld on the fraudulent payroll run may have been deposited with the IRS; the employer's tax advisor must determine whether re-payment to employees creates a duplicate withholding issue requiring IRS coordination. Document all tax implications as part of the incident record.

03

State wage agency notification

Several states require employer notification to the state wage agency when payroll failures occur. California's DLSE, New York's Department of Labor, and Texas' TWC each have distinct requirements. Even where notification is not explicitly required, proactively contacting the state wage agency to document the fraud and the employer's re-payment plan can establish good faith and reduce penalty exposure if an employee files a wage complaint. Employment counsel should advise on state-specific notification requirements within the first 48 hours.

04

Employee data breach notification

If the payroll fraud required access to — or resulted in the exposure of — employee banking information (routing numbers, account numbers), Social Security numbers, or other personal financial data, state data breach notification laws may require notification to affected employees and, in some states, to the state attorney general. Most states define a data breach as unauthorized access to personal financial information, regardless of whether the information was "used" in the traditional sense. If employee banking data was accessed to redirect direct deposits, assume breach notification obligations apply and engage privacy counsel immediately.

05

ERISA: DOL notification if 401(k) contributions were redirected

If the fraudulent payroll run redirected employee 401(k) deferrals or employer matching contributions — or if a fraudulent vendor impersonation redirected the employer's plan contribution wire — ERISA plan fiduciary obligations are implicated. The Department of Labor requires plan fiduciaries to take prompt corrective action when plan assets are subject to fraud, and DOL notification may be required. Engage ERISA counsel in addition to employment counsel if retirement plan contributions were any part of the fraudulent diversion.

Communication risk: Do not characterize the fraudulent payroll diversion as an employee's fault in any written communication — this creates harassment and wrongful termination exposure regardless of what actually happened. All employee communications about the incident should be drafted or reviewed by employment counsel before distribution.

What Insurance Claims Should HR and Payroll File After Wire Fraud?

Most organizations have at least one insurance policy that covers payroll wire fraud losses, though coverage depends on endorsements, sublimits, and the specific fraud vector. HR and payroll fraud triggers multiple potential coverage lines simultaneously — filing promptly and with the right documentation is essential because late notice can void coverage under some policy forms.

01

Crime / fidelity bond — primary coverage for fraudulent funds transfer

Commercial crime policies and fidelity bonds typically include a "fraudulent funds transfer" or "social engineering fraud" coverage form that covers wire fraud losses resulting from a criminal impersonating a vendor, executive, or employee. This is usually the primary recovery vehicle for payroll wire fraud. Review your policy for social engineering sublimits — many crime policies have a lower sublimit for social engineering fraud (e.g., $100,000) than for general theft (e.g., $1 million). The social engineering sublimit is the relevant coverage for a voice-clone-enabled payroll fraud. Key carriers: Chubb, The Hartford, Hiscox, Travelers, CNA.

02

Cyber liability with social engineering / funds transfer fraud endorsement

Cyber liability policies increasingly include a funds transfer fraud endorsement that covers losses from fraudulent wire instructions resulting from social engineering, including voice-based social engineering. Coverage is separate from the crime policy social engineering sublimit and may provide additional limits. Some cyber policies also cover the forensic investigation costs of identifying how the fraud occurred — particularly relevant if IT systems or payroll portals were compromised. Carriers with strong cyber social engineering coverage: Hiscox, Coalition, Chubb, Beazley, Corvus.

03

Employment practices liability (EPLI) if employees allege wrongful acts

If affected employees allege that the employer's negligence in failing to protect payroll — or in communicating about the incident — constitutes a wrongful employment act, EPLI coverage may be triggered. This is more likely if the employer delays re-payment beyond the state wage deadline, if employee communications are mishandled, or if an employee alleges that their personal banking information was disclosed or used improperly. EPLI does not cover the direct fraud loss, but it covers the defense costs and settlements of employee claims arising from the incident. Notify your EPLI carrier simultaneously with your crime and cyber carriers.

04

Directors and officers (D&O) if executive impersonation enabled the fraud

Where the fraud succeeded because a voice-cloned executive's instructions were followed — and the executive's authority was the mechanism by which approval controls were bypassed — D&O may be implicated if shareholders or the board allege that officers failed to implement adequate financial controls. D&O notification is more relevant for larger organizations and publicly traded companies where governance failures may attract regulatory attention or shareholder derivative actions. Consult corporate counsel on D&O notification timing.

$2.77B: Total BEC and related social engineering fraud losses reported to FBI IC3 in 2024. A significant and growing portion of these losses involve payroll diversion schemes targeting HR departments — and the majority involve voice-based social engineering or AI voice cloning as an enabler.

For all insurance claims, compile the following documentation package before filing: IC3 complaint number and acknowledgment, bank fraud case number from the sending bank, payroll processor fraud case number, local police report, full list of direct deposit change requests and authorization records showing when the fraudulent change was made, employee communication log (all communications to affected employees about the incident), and any audio recordings or call logs from the fraudulent call.

How Should HR and Payroll Prevent Wire Fraud After an Incident?

After a payroll fraud incident, the organization has a narrow window of elevated awareness during which new controls are most likely to be approved, funded, and adopted. Use this window to implement the controls that would have prevented the incident — and that will prevent the next one. Voice-clone-enabled payroll fraud is not a one-time attack type; organizations that have been targeted once are often targeted again within 6 to 12 months, once the initial investigation cools.

01

Never process direct deposit changes via phone or unverified email

This is the single most impactful control. All direct deposit changes must be submitted through the employee self-service portal (where the employee authenticates with their own credentials), or — where portal access is not available — through a written request submitted in person with employee ID verification. Phone requests for direct deposit changes are never sufficient authorization, regardless of who is calling or how convincing the voice sounds. Any banking change submitted through an unverified channel must be rejected and the employee directed to the verified channel. Document this policy in writing, train all HR and payroll staff on it, and post it as a permanent notice in the payroll processing area.

02

Dual authorization required for payroll wire runs above threshold

Any payroll wire run — or any off-cycle payroll run above a defined dollar threshold — must require independent authorization from two separate approvers through independent, verified channels. Neither approver may rely solely on a phone instruction from the other approver or from an executive. The second approver must independently verify the legitimacy of the payroll run through the payroll system, not by calling back the person who made the request. Set the dual authorization threshold conservatively: a good starting point is any single payment above $25,000 or any off-cycle run regardless of amount.
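The channel rule for direct deposit changes and the dual authorization rule above can be enforced in the payroll workflow rather than left to judgment on a call. The sketch below is an added example, not code from the original page or from any payroll product; the channel names, record fields and function names are hypothetical, and the $25,000 threshold is the starting point suggested in the text.

```python
from decimal import Decimal

# Hypothetical channel labels for the two verified routes the policy allows.
VERIFIED_CHANGE_CHANNELS = {"self_service_portal", "in_person_with_id"}
DUAL_AUTH_THRESHOLD = Decimal("25000")  # starting point suggested in the text


def review_deposit_change(request):
    """Accept a direct deposit change only if it came through a verified channel."""
    if request["channel"] not in VERIFIED_CHANGE_CHANNELS:
        return False, f"rejected: '{request['channel']}' is not a verified channel"
    return True, "accepted"


def needs_dual_authorization(run):
    """Wire runs, off-cycle runs and any single payment above the threshold."""
    return (run["is_wire"] or run["off_cycle"]
            or any(amount > DUAL_AUTH_THRESHOLD for amount in run["payments"]))


def review_payroll_run(run, approvals):
    """Release a run only when the required independent approvals are present."""
    if not needs_dual_authorization(run):
        return True, "single approval sufficient"
    # Count only approvers who verified the run in the payroll system themselves.
    # A phone instruction or a call-back to the requester does not count, and
    # the set removes one person approving twice.
    independent = {a["approver"] for a in approvals
                   if a["verified_via"] == "payroll_system"}
    if len(independent) < 2:
        return False, f"blocked: {len(independent)} independent approver(s), 2 required"
    return True, "released"


if __name__ == "__main__":
    # Constructed cases: an urgent off-cycle run "approved" once by phone.
    off_cycle = {"is_wire": False, "off_cycle": True, "payments": [Decimal("1800.00")]}
    approvals = [
        {"approver": "payroll_mgr", "verified_via": "payroll_system"},
        {"approver": "cfo", "verified_via": "phone"},
    ]
    print(review_deposit_change({"emp": "E101", "channel": "phone"}))
    print(review_payroll_run(off_cycle, approvals))
```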

03

Verbal passphrase protocol for any out-of-band payroll change request

Establish a pre-agreed verbal passphrase between executives and payroll leadership for any out-of-band payroll request (a request that arrives outside the normal payroll approval workflow, by phone, or with urgency). The passphrase is a random, nonsensical phrase agreed upon face-to-face and never documented digitally. Any phone request for a payroll action that cannot supply the passphrase is not acted on — regardless of how convincing the voice sounds. Update the passphrase quarterly or whenever a participating executive leaves the company.

04

Deploy Vicall to flag AI voice cloning on HR and payroll department phone lines

Vicall's on-device synthetic voice detection gives HR and payroll staff a REAL VOICE or SYNTHETIC DETECTED verdict in under one second, before the call proceeds to any sensitive request. When a caller claiming to be an employee or executive contacts HR about a banking change or payroll action, Vicall surfaces the verdict in real time. A SYNTHETIC DETECTED verdict ends the call immediately and triggers the fraud verification protocol — removing the human judgment element from the moment of highest vulnerability. Vicall operates on-device with no cloud dependency, meaning it works on any phone line without infrastructure changes. See how voice clone fraud works and the HR and payroll threat landscape for full context on the threat Vicall addresses.

05

Annual vishing training for payroll administrators and HR staff

Simulated vishing exercises — where a trainer calls payroll and HR staff posing as an executive, employee, or vendor requesting a sensitive change — are the most effective training format for this threat. KnowBe4 data shows that simulated social engineering training reduces susceptibility by 86% over 12 months. For HR and payroll staff specifically, training should build three reflexes: recognizing urgency and confidentiality instructions as red flags rather than service cues, requiring written and authenticated confirmation before processing any sensitive change, and knowing exactly what to say when ending a suspicious call ("I need to verify this request through our secure portal — I'll follow up within one business day"). Run simulations at least annually; quarterly is better. See the HR and payroll voice clone attack response guide for a full incident response protocol to complement the training program.

Frequently Asked Questions

Recovery depends on speed and payment method. For wire (SWIFT) transfers, the FBI Financial Fraud Kill Chain (FFKC) can freeze funds if IC3 is filed within 72 hours of the fraudulent transfer and the total loss is $50,000 or more. The FFKC had a 66% success rate in 2024 according to FBI data. For ACH direct deposit fraud, NACHA Operating Rule 8.4 allows the originating bank to request a recall for up to 5 banking days after settlement. The ACH recall process runs through the bank, not IC3. Both mechanisms require immediate action — funds recovered after withdrawal from the destination account are nearly impossible to trace.

Yes. Under state wage and hour law, the employer's obligation to pay employees their earned wages is not relieved by a fraudulent diversion of those wages. The employer bears the risk of a payroll failure, not the employee. Most states require re-payment within the next regular pay period; some states (California, for example) require same-day or next-day payment for wage failures. Employers must re-pay affected employees on the normal wage payment timeline while simultaneously pursuing recovery through bank recall and IC3.

If payroll tax deposits or W-2 amounts were distorted by the fraudulent payroll activity, the employer may need to file Form W-2c (Corrected Wage and Tax Statement) for affected employees. Employment taxes withheld from a payroll run that was fraudulently diverted may have already been deposited with the IRS — the employer should consult a tax advisor about whether those deposits create basis for a correction or whether re-payment to employees creates a duplicate withholding issue. IRS guidance on payroll fraud tax treatment is available through IRS Publication 15 and direct inquiry to the employer's tax advisor or payroll processor.

The FBI IC3 2024 Annual Report documents Business Email Compromise and related social engineering fraud losses exceeding $2.77 billion for the year, with payroll diversion schemes a significant and growing subset. The Association of Certified Fraud Examiners (ACFE) 2024 Report to the Nations found that payroll fraud schemes cause a median loss of $100,000 per incident and persist for a median of 24 months before detection. Voice cloning has dramatically accelerated payroll fraud: Keepnet Labs documented a 1,633% increase in deepfake vishing attacks in Q1 2025 alone, with HR and payroll departments among the primary targets.

In most cases, the liability is the organization's, not the individual HR employee's — provided the employee was acting in good faith and within the scope of their duties, and the organization had not established policies that the employee knowingly bypassed. Fidelity bond and crime insurance coverage typically covers the organization's loss from social engineering fraud, including voice-based fraud. Individual employees may face internal disciplinary action if a protocol was not followed, but personal civil liability to the employer or to affected employees is uncommon unless there is clear evidence of negligence or complicity. HR leaders should document that verification protocols were followed or, where they were not, initiate corrective action on the protocol gaps rather than on the individual.
