Internal controls to combat payroll direct deposit fraud

Authored by Daniel Karnick

Old game, different tricks

The prevalence of phishing schemes has prompted warnings of cybercriminals defrauding organizations by impersonating vendors and employees, hacking email accounts and self-service portals, and accessing vendor payments and payroll direct deposit accounts. The scenarios are as creative as a choose-your-own-adventure in fund diversion. Fraudsters are always ready to apply a different spin on old deceit.

Baker Tilly’s state and local government specialists have become aware of recent cases of payroll direct deposit fraud that follow a malicious playbook of low- and high-tech trickery. Posing as a government employee, the scammer contacts the payroll/HR department to request payroll direct deposit bank information changes. The scammer receives a payroll change form, falsifies the form and supplies a personal check with a new account and bank routing number. The payroll changes are executed without further thought – until the employee realizes they have not been paid.

When state and local governments unwittingly process fraudulent changes, the perpetrators syphon payments from legitimate, approved invoices and payroll direct deposit accounts – while the real employees and vendors go unpaid. On top of everything it takes to effectively run governments, staying ahead of fraudulent criminal activity is of critical importance.

Public, transparent, a fraudster’s paradise

In past insights on fraud vulnerabilities and preventative strategies, Baker Tilly has discussed the opportunities weak internal controls breed for occupational fraud and common vendor fraud schemes perpetrated upon governments whose public and transparent nature makes them particularly susceptible.

Due to the high degree of public transparency, an abundance of governmental vendor and employee information is available online – from meeting minutes to contact directories to vendor contracts. This is a goldmine for fraudulent actors on the prowl for documents and information to leverage for criminal gain. In this veritable fraudster’s paradise, governments get stuck with the financial and reputational repercussions.

Vigilance and prevention through strong internal controls

Such fraud schemes target weaknesses in the process of changing employee and vendor information. Governments can go a long way toward protecting their entities and employees by following these recommendations:

  • Conduct a thorough risk assessment
  • Evaluate current internal controls and, where necessary, implement enhancements to existing internal controls
  • Educate employees about fraud detection and prevention

During an evaluation of your government’s anti-fraud internal controls, consider whether the following measures are in place to adequately prevent the occurrence of payroll direct deposit, vendor or other change information fraud:

  • Process. Is there a formal process for documenting the verification and review of changes?
  • Approval. What is required for approval of a change? Does the department receiving the request require a personal check, social security number, in-person or phone verification or other means of identification to initiate the change process?
  • Independent review. Is an independent review required before the change can occur?
  • Education. Are employees properly educated on potential fraud schemes?
  • Exceptions. Are there any exceptions to standard payment and approval processes? If so, are the reasons for exceptions understood by employees and documented for reference?
  • Recourse. Do employees know what steps to take if they suspect fraud?


Fraudsters will continue targeting governments for their criminal schemes. Municipalities and other governmental entities can take a proactive approach to reducing susceptibility to payroll direct deposit fraud, vendor fraud and other forms of change information fraud. Conduct a robust risk assessment, regularly review internal controls and install new controls where needed, and educate employees. Through these efforts, governments can prevent, mitigate and identify fraudulent activities to avoid or lessen financial and reputational consequences.

For more information on this topic, or to learn how Baker Tilly state and local government specialists can help, contact our team.
