Detect Payroll Fraud Before Payroll: Prioritized Rule Catalog, Thresholds and Triage Runbook

Building a practical fraud detection system that catches schemes before money leaves your account

Payroll fraud detection isn't working at most companies. Not because they lack controls — they usually have plenty. The problem is that detection happens backwards. Companies catch fraud during annual audits, after termination investigations, or when employees notice something wrong with their paychecks. By then, the money's gone.

The pattern is pretty consistent: companies focus on catching fraud after the fact instead of building triggers that fire before payroll actually processes. That gap is expensive — often somewhere in the range of $40,000–$50,000 per incident once you factor in investigation costs, corrections, and legal exposure.

The Duplicate Direct Deposit Problem Nobody Watches

Duplicate direct deposit changes are probably the most common payroll fraud vector, and most systems miss them entirely. An employee updates their direct deposit twice within a pay period — once legitimately, once not. The second change routes the paycheck somewhere else, often just hours before payroll runs.

Standard payroll systems treat each change as an isolated event. They don't flag when Employee ID 4782 updates their routing number on Tuesday, then again Thursday afternoon. The system keeps the latest version and sends the money wherever Thursday's change pointed.

Rule: Flag any employee with 2+ direct deposit changes within 5 business days
Threshold: Automatic flag at 2 changes, escalation at 3+
Response time: Within 2 hours during payroll week, within 24 hours otherwise

The timing component is what makes this effective. Fraudulent changes cluster around payroll processing dates. Legitimate changes spread randomly across the month. Multiple changes right before payroll runs — that's the signal.

One manufacturing company implemented this single rule and caught three fraud attempts in the first quarter. The fraudsters were using compromised credentials to change direct deposits 4–6 hours before the batch processed, banking on the fact that most companies don't review changes that close to runtime.
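The rule above, run over a constructed audit-log export. This is an added example and not code from the article or from any payroll vendor: the DepositChange record, the sample rows and the payroll run time are assumptions, as is the 24-hour "close to runtime" window used to mark changes that land just before the batch. It also stands in for the SQL-or-spreadsheet pass the Technology section later suggests; Python is used so the business-day window is explicit rather than approximated with calendar days.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class DepositChange:
    """One row of a direct-deposit change export (assumed schema)."""
    employee_id: str
    changed_at: datetime
    routing_number: str
    account_last4: str


def business_days_between(start: datetime, end: datetime) -> int:
    """Count weekdays after start.date() up to and including end.date()."""
    if end < start:
        start, end = end, start
    days, d = 0, start.date()
    while d < end.date():
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def evaluate_deposit_changes(changes, payroll_run, window_days=5,
                             close_to_run_hours=24, payroll_week_days=7):
    """2+ changes inside a 5-business-day window flags, 3+ escalates.

    close_to_run_hours and payroll_week_days are assumptions: the first marks
    changes landing just before the batch, the second selects the 2-hour
    response time for payroll week.
    """
    by_employee = {}
    for c in changes:
        by_employee.setdefault(c.employee_id, []).append(c)

    alerts = []
    for employee_id, recs in by_employee.items():
        recs.sort(key=lambda r: r.changed_at)
        # Largest set of changes that fits inside one window.
        cluster = []
        for i, anchor in enumerate(recs):
            window = [r for r in recs[i:]
                      if business_days_between(anchor.changed_at, r.changed_at) <= window_days]
            if len(window) > len(cluster):
                cluster = window
        if len(cluster) < 2:
            continue
        latest = cluster[-1]
        lead = payroll_run - latest.changed_at
        hours_before_run = lead.total_seconds() / 3600
        alerts.append({
            "employee_id": employee_id,
            "change_count": len(cluster),
            "severity": "escalate" if len(cluster) >= 3 else "flag",
            "distinct_destinations": len({(r.routing_number, r.account_last4) for r in cluster}),
            "near_run": 0 <= hours_before_run <= close_to_run_hours,
            "response_hours": 2 if 0 <= lead.days < payroll_week_days else 24,
            "window_start": cluster[0].changed_at,
            "window_end": latest.changed_at,
        })
    return alerts


# Constructed sample. Employee 4782 is the Tuesday/Thursday case from the text;
# the other rows exercise the window edges. Routing numbers are placeholders.
PAYROLL_RUN = datetime(2024, 3, 15, 9, 0)  # Friday batch
SAMPLE_CHANGES = [
    DepositChange("4782", datetime(2024, 3, 12, 10, 15), "rtn-a", "1234"),  # Tuesday
    DepositChange("4782", datetime(2024, 3, 14, 16, 40), "rtn-b", "9981"),  # Thursday afternoon
    DepositChange("1001", datetime(2024, 3, 4, 9, 0), "rtn-a", "5555"),     # single change
    DepositChange("2200", datetime(2024, 2, 20, 11, 0), "rtn-a", "7001"),   # 14 business days back
    DepositChange("2200", datetime(2024, 3, 11, 11, 0), "rtn-a", "7001"),
    DepositChange("2200", datetime(2024, 3, 13, 14, 0), "rtn-c", "3302"),
    DepositChange("2200", datetime(2024, 3, 15, 4, 10), "rtn-c", "3302"),   # ~5 h before the batch
    DepositChange("3300", datetime(2024, 2, 5, 9, 30), "rtn-a", "8800"),    # Monday
    DepositChange("3300", datetime(2024, 2, 13, 9, 30), "rtn-b", "8801"),   # 6 business days later
]


def run_sample():
    return evaluate_deposit_changes(SAMPLE_CHANGES, PAYROLL_RUN)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Employee 3300 is the edge case worth noticing: two changes eight calendar days apart are six business days apart, so the rule stays quiet, while 2200's third change inside the window and less than five hours before the batch escalates with the 2-hour response time.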

Outlier Pay Amounts That Signal Manipulation

Pay amount anomalies work differently than most people expect. Fraudsters rarely create massive, obvious increases. They exploit legitimate pay categories to build plausible-looking outliers that don't immediately stand out.

The schemes that actually work tend to run through:

  1. Overtime authorization manipulation
  2. Commission calculation adjustments
  3. Retroactive pay corrections
  4. Bonus payment timing changes
  5. Shift differential modifications

Here's the detection framework that actually catches these:

| Pay category | Normal range | Yellow flag | Red flag | Investigation trigger |
| --- | --- | --- | --- | --- |
| Base salary change | 0–3% quarterly | 3–8% change | >8% change | Any mid-period adjustment |
| Overtime hours | 0–20% of base hours | 20–35% of base | >35% of base | Pattern change >3 periods |
| Commission | Within 25% of trailing 3-month avg | 25–50% variance | >50% variance | New commission without sales record |
| Retroactive pay | <$500 per incident | $500–2,000 | >$2,000 | Multiple retro pays for the same employee |
| Shift differential | Consistent with schedule | Schedule mismatch | Ghost shifts | Hours without badge data |

Fraud shows up as pattern breaks, not just high dollar amounts. An employee who never works overtime suddenly logging 25 hours is more suspicious than a regular overtime worker hitting 45. The baseline is what matters.

A real example from a healthcare company: their payroll admin created "weekend shift differentials" for administrative staff who never actually worked weekends. The amounts looked reasonable — $150–$300 per pay period — but the pattern was off. Administrative roles don't get shift differentials. The scheme ran for about 14 months before pattern detection caught it.
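The table and the baseline point, applied to constructed pay periods, as an added example rather than code from the article. The PayPeriod fields, the set of roles eligible for a differential, the six-period "quarter" (assuming biweekly pay) and the pattern-break thresholds (baseline under 2 overtime hours, then 8 hours or more) are assumptions; the yellow and red bands are the table's own.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class PayPeriod:
    employee_id: str
    role: str
    base_rate: float        # hourly rate
    base_hours: float
    overtime_hours: float
    commission: float
    sales_total: float      # sales credited this period; 0.0 means no sales record
    retro_pay: float
    shift_diff_hours: float
    badge_hours: float      # hours backed by badge or timeclock data


# Assumption: roles that can legitimately earn a shift differential in this org.
DIFFERENTIAL_ELIGIBLE_ROLES = {"nurse", "technician", "warehouse"}


def band(value, yellow, red):
    """Map a measurement onto the table's bands; None means within the normal range."""
    if value > red:
        return "red"
    if value >= yellow:
        return "yellow"
    return None


def evaluate_period(history, current, trailing=6):
    """Score one pay period against the table and against the employee's own baseline.

    history holds this employee's prior periods, oldest first; the last `trailing`
    of them serve as the quarterly / trailing-3-month baseline.
    """
    recent = history[-trailing:]
    findings = []

    # Base salary: change across the trailing quarter.
    if recent:
        pct = (current.base_rate - recent[0].base_rate) / recent[0].base_rate * 100
        lvl = band(abs(pct), 3, 8)
        if lvl:
            findings.append((lvl, f"base rate moved {pct:+.1f}% over trailing quarter"))

    # Overtime: ratio to base hours, then the pattern break the text describes.
    ot_pct = current.overtime_hours / current.base_hours * 100 if current.base_hours else 0.0
    lvl = band(ot_pct, 20, 35)
    if lvl:
        findings.append((lvl, f"overtime is {ot_pct:.0f}% of base hours"))
    if recent:
        baseline_ot = mean(p.overtime_hours for p in recent)
        if baseline_ot < 2 and current.overtime_hours >= 8:   # assumed pattern-break thresholds
            findings.append(("investigate",
                             f"overtime pattern break: baseline {baseline_ot:.1f} h, now {current.overtime_hours:.0f} h"))

    # Commission: no sales record first, then variance against the trailing average.
    if current.commission > 0 and current.sales_total == 0:
        findings.append(("investigate", "commission paid without a sales record"))
    prior = [p.commission for p in recent if p.commission > 0]
    if prior and current.commission > 0:
        avg = mean(prior)
        variance = abs(current.commission - avg) / avg * 100
        lvl = band(variance, 25, 50)
        if lvl:
            findings.append((lvl, f"commission {variance:.0f}% off trailing average {avg:.0f}"))

    # Retroactive pay: dollar band, then repeat retro pays for the same employee.
    if current.retro_pay > 0:
        lvl = band(current.retro_pay, 500, 2000)
        if lvl:
            findings.append((lvl, f"retro pay of {current.retro_pay:.0f}"))
        if any(p.retro_pay > 0 for p in recent):
            findings.append(("investigate", "multiple retroactive pays for the same employee"))

    # Shift differential: role eligibility, then badge support for the hours paid.
    if current.shift_diff_hours > 0:
        if current.role not in DIFFERENTIAL_ELIGIBLE_ROLES:
            findings.append(("investigate", f"shift differential paid to '{current.role}' role"))
        if current.shift_diff_hours > current.badge_hours:
            findings.append(("investigate", "differential hours exceed badge data (ghost shift)"))
    return findings


def mk(emp, role, ot=0.0, comm=0.0, sales=0.0, retro=0.0, diff=0.0, badge=80.0, rate=24.0):
    return PayPeriod(emp, role, rate, 80.0, ot, comm, sales, retro, diff, badge)


# Constructed histories: (prior periods, current period) per employee.
SAMPLE = {
    # never works overtime, then logs 25 hours
    "7710": ([mk("7710", "warehouse", ot=o) for o in (0, 0, 1, 0, 0, 2)], mk("7710", "warehouse", ot=25)),
    # regular overtime worker at 45 hours: high ratio, no pattern break
    "7720": ([mk("7720", "nurse", ot=40, diff=20) for _ in range(6)], mk("7720", "nurse", ot=45, diff=20)),
    # administrative staff paid a weekend differential with no badge data
    "7730": ([mk("7730", "administrative") for _ in range(6)], mk("7730", "administrative", diff=16, badge=0)),
    # sales rep: commission doubles with no sales record, plus a second retro pay
    "7740": ([mk("7740", "sales", comm=c, sales=c * 10, retro=r) for c, r in ((3000, 0), (3200, 300), (2800, 0))],
             mk("7740", "sales", comm=6000, sales=0, retro=750)),
}


def run_sample():
    return {emp: evaluate_period(hist, cur) for emp, (hist, cur) in SAMPLE.items()}
```

Employee 7720 comes out red on the ratio alone and 7710 only yellow, yet 7710 also carries the pattern-break finding; that is the baseline distinction the text makes, and the investigate findings are what should drive triage order, not the dollar or hour totals.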

Admin Activity Spikes and Access Pattern Anomalies

Admin fraud operates differently than employee-initiated fraud. Admins have broader access, understand system limitations, and know which actions normally trigger alerts. Standard monitoring misses their schemes because it's watching the wrong signals.

Catching admin fraud means monitoring these specific patterns:

Off-hours access:

  1. Logins between 11 PM – 5 AM local time
  2. Weekend access without documented maintenance
  3. Access during company holidays
  4. Logging in immediately after normal termination processing

Volume anomalies:

  1. More than 10 employee record modifications in a single session
  2. More than 5 direct deposit changes within 24 hours
  3. Multiple retroactive pay adjustments on the same day
  4. Bulk overtime approvals without documentation

Cross-system indicators:

  1. Payroll changes without corresponding HR tickets
  2. Manual overrides bypassing approval workflows
  3. Direct database access instead of going through the application
  4. Gaps in audit logging or disabled logs

A distribution company caught their payroll admin running ghost employees by tracking session duration. Normal admin sessions ran 15–45 minutes. The fraudulent sessions lasted 3–5 minutes — just long enough to add a ghost employee or modify payment details, then log off.

Triage workflow for admin anomalies:

  1. Immediate lock (within 15 minutes)

    - Multiple failed authentication attempts followed by a successful login
    - Direct database access to payroll tables
    - Bulk deletion of audit records

  2. Same-day review

    - Off-hours access without prior notification
    - Manual payment processing outside the normal cycle
    - New vendor or employee creation after 6 PM

  3. Next-day review

    - Unusual volume of minor adjustments
    - Access from new IP addresses or devices
    - Workflow pattern changes that don't fit normal behavior

Most teams treat the next-day tier as low priority. That's usually a mistake — some of the more sophisticated schemes only show up in that tier because the fraudster is deliberately avoiding anything that looks like an immediate red flag.
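The indicator lists and the three triage tiers above, run over constructed audit events for two admin accounts. This is an added example and not the article's or any vendor's code. The event schema, the known-address baseline per admin, the 10-minute failed-login window, treating any audit deletion (not only bulk) and any manual payment as hits, the under-5-minute session check taken from the distribution-company example, and the tier given to the cross-session direct deposit volume check are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta

@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    session: "str | None"   # None for login_failed: no session was issued
    action: str             # login, logout, login_failed, modify_employee, direct_deposit_change,
                            # create_employee, create_vendor, manual_payment, db_query, audit_delete
    ip: str

# Assumed org data: each admin's usual addresses, documented maintenance windows, holidays.
KNOWN_IPS = {"padmin": {"10.1.4.20"}, "hradmin": {"10.1.4.30"}}
MAINTENANCE_NOTICES = set()          # (user, date) pairs
HOLIDAYS = {date(2024, 3, 29)}
RECORD_CHANGES = {"modify_employee", "direct_deposit_change", "create_employee",
                  "create_vendor", "manual_payment"}
TIER_ORDER = ("immediate", "same_day", "next_day")

def off_hours(ts: datetime) -> bool:
    """11 PM to 5 AM, a weekend, or a company holiday."""
    return ts.hour >= 23 or ts.hour < 5 or ts.weekday() >= 5 or ts.date() in HOLIDAYS

def triage_sessions(events):
    """Group events into sessions, collect indicators, assign the highest matching tier."""
    failed, sessions = defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.action == "login_failed":
            failed[e.user].append(e.ts)
        elif e.session:
            sessions[e.session].append(e)

    results = []
    for sid, evs in sessions.items():
        user, start, end = evs[0].user, evs[0].ts, evs[-1].ts
        actions = [e.action for e in evs]
        changes = sum(a in RECORD_CHANGES for a in actions)
        hits = {t: [] for t in TIER_ORDER}

        # Immediate lock (within 15 minutes)
        bursts = [t for t in failed[user] if timedelta(0) <= start - t <= timedelta(minutes=10)]
        if len(bursts) >= 3:
            hits["immediate"].append(f"{len(bursts)} failed logins then success")
        if "db_query" in actions:
            hits["immediate"].append("direct database access to payroll tables")
        if "audit_delete" in actions:
            hits["immediate"].append("audit record deletion")

        # Same-day review
        if off_hours(start) and (user, start.date()) not in MAINTENANCE_NOTICES:
            hits["same_day"].append("off-hours access without maintenance notice")
        if "manual_payment" in actions:
            hits["same_day"].append("manual payment outside the normal cycle")
        if any(e.action in ("create_employee", "create_vendor") and e.ts.hour >= 18 for e in evs):
            hits["same_day"].append("employee or vendor created after 6 PM")

        # Next-day review
        if changes > 10:
            hits["next_day"].append(f"{changes} record modifications in one session")
        if evs[0].ip not in KNOWN_IPS.get(user, set()):
            hits["next_day"].append(f"new source address {evs[0].ip}")
        if changes and end - start < timedelta(minutes=5):
            hits["next_day"].append("short session that still changed records")

        tier = next((t for t in TIER_ORDER if hits[t]), None)
        results.append({"session": sid, "user": user, "start": start, "tier": tier,
                        "reasons": [r for t in TIER_ORDER for r in hits[t]]})

    # Volume across sessions: more than 5 direct deposit changes by one admin in 24 hours.
    dd = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.action == "direct_deposit_change":
            dd[e.user].append(e.ts)
    for user, times in dd.items():
        if any(sum(u - t <= timedelta(hours=24) for u in times[i:]) > 5 for i, t in enumerate(times)):
            results.append({"session": None, "user": user, "start": times[0], "tier": "same_day",
                            "reasons": ["more than 5 direct deposit changes in 24 hours"]})
    return results

def ev(ts, user, session, action, ip):
    return AuditEvent(datetime.fromisoformat(ts), user, session, action, ip)

# Constructed events. Addresses are documentation ranges; order does not matter, events are sorted.
SAMPLE_EVENTS = (
    # s1: routine Tuesday session from the usual workstation
    [ev("2024-03-12T10:00", "padmin", "s1", "login", "10.1.4.20"), ev("2024-03-12T10:32", "padmin", "s1", "logout", "10.1.4.20")]
    + [ev(f"2024-03-12T10:{m:02d}", "padmin", "s1", "modify_employee", "10.1.4.20") for m in (5, 12, 20)]
    # s2: Saturday 11:40 PM, new employee plus bank details, logged off in four minutes
    + [ev("2024-03-16T23:40", "padmin", "s2", "login", "10.1.4.20"), ev("2024-03-16T23:42", "padmin", "s2", "create_employee", "10.1.4.20"),
       ev("2024-03-16T23:43", "padmin", "s2", "direct_deposit_change", "10.1.4.20"), ev("2024-03-16T23:44", "padmin", "s2", "logout", "10.1.4.20")]
    # s3: three failed logins from an unknown address, then success and a raw database query
    + [ev(f"2024-03-18T02:0{m}", "padmin", None, "login_failed", "203.0.113.7") for m in (1, 2, 3)]
    + [ev("2024-03-18T02:05", "padmin", "s3", "login", "203.0.113.7"), ev("2024-03-18T02:06", "padmin", "s3", "db_query", "203.0.113.7"),
       ev("2024-03-18T02:09", "padmin", "s3", "logout", "203.0.113.7")]
    # s4: business hours, usual address, but 12 record changes including 6 bank-detail edits
    + [ev("2024-03-13T14:00", "hradmin", "s4", "login", "10.1.4.30"), ev("2024-03-13T14:30", "hradmin", "s4", "logout", "10.1.4.30")]
    + [ev(f"2024-03-13T14:{m:02d}", "hradmin", "s4", "modify_employee", "10.1.4.30") for m in range(1, 7)]
    + [ev(f"2024-03-13T14:{m:02d}", "hradmin", "s4", "direct_deposit_change", "10.1.4.30") for m in range(7, 13)]
)

def run_sample():
    return triage_sessions(SAMPLE_EVENTS)
```

Session s4 is the case the paragraph above warns about: nothing in it is individually alarming (business hours, usual address, a normal-length session), so it lands in the next-day tier on volume alone, and only the cross-session direct deposit count pulls it up to same-day.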

Investigation Evidence Checklist

When fraud indicators fire, speed matters — but moving too fast creates legal problems and destroys evidence. This checklist makes sure you capture what you need while keeping the chain of custody intact.

Initial evidence preservation (first 2 hours):

  1. Screenshot all recent system changes by the flagged user
  2. Export audit logs for the past 30 days
  3. Back up the current payroll file before any modifications
  4. Document the exact trigger event and timestamp
  5. Preserve email communications related to the changes

System evidence collection (within 24 hours):

  1. Login history across all systems
  2. IP addresses and device identifiers
  3. Timestamp correlation between systems
  4. Failed login attempts before successful access
  5. VPN and remote access logs

Transaction evidence (within 48 hours):

  1. Bank account change documentation
  2. Payroll register comparisons before and after
  3. General ledger entries tied to payroll
  4. Tax filing records for affected periods
  5. Written authorization forms, physical or digital

Pattern analysis evidence (within 72 hours):

  1. Historical changes made by the same user
  2. Similar patterns across other employee records
  3. Timing analysis relative to payroll cycles
  4. Comparison with terminated employee records
  5. Cross-reference with IT security incidents

One thing most investigations miss: system correlation. Payroll fraud usually starts somewhere else — compromised email, an HR system, a weak password — and then reaches payroll. Looking at payroll in isolation misses the full chain.
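The preservation step of the checklist, as an added example of what "keeping the chain of custody intact" looks like in practice: hash every item at collection time, record who collected it and why, and chain each later handoff to the previous custody entry so neither the evidence nor the log can be altered without detection. This is not the article's code; the file names, their contents and the trigger string are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    return sha256_hex(json.dumps(entry, sort_keys=True).encode())


def build_manifest(trigger: str, collected_by: str, items: dict) -> dict:
    """Hash every preserved item before anything is modified and open the custody log."""
    now = datetime.now(timezone.utc).isoformat()
    return {
        "trigger": trigger,
        "items": {name: {"sha256": sha256_hex(blob), "bytes": len(blob)} for name, blob in items.items()},
        "custody": [{"at": now, "actor": collected_by, "action": "collected", "prev": None}],
    }


def record_handoff(manifest: dict, actor: str, action: str) -> None:
    """Append a custody entry that commits to the previous one, so entries cannot be edited silently."""
    manifest["custody"].append({"at": datetime.now(timezone.utc).isoformat(), "actor": actor,
                                "action": action, "prev": _entry_hash(manifest["custody"][-1])})


def verify_items(manifest: dict, items: dict) -> list:
    """Names whose current content no longer matches the collection-time hash, or are missing."""
    return [name for name, meta in manifest["items"].items()
            if name not in items or sha256_hex(items[name]) != meta["sha256"]]


def custody_intact(manifest: dict) -> bool:
    log = manifest["custody"]
    return log[0]["prev"] is None and all(
        e["prev"] == _entry_hash(log[i - 1]) for i, e in enumerate(log) if i > 0)


# Constructed evidence: the 30-day audit export and the payroll file as it stood when the rule fired.
EVIDENCE = {
    "audit_export_30d.csv": b"ts,user,action,target\n2024-03-14T16:40,ee4782,direct_deposit_change,ee4782\n",
    "payroll_2024-03-15.csv": b"employee_id,net_pay,routing,account_last4\n4782,2310.55,rtn-b,9981\n",
}


def run_sample() -> dict:
    manifest = build_manifest("duplicate direct deposit rule, employee 4782, 2024-03-14T16:41",
                              "sec-oncall", EVIDENCE)
    record_handoff(manifest, "forensic-accountant", "received copy for register comparison")
    intact_before = custody_intact(manifest)
    # Someone quietly "fixes" the payroll file back to the old routing number after collection.
    edited = dict(EVIDENCE)
    edited["payroll_2024-03-15.csv"] = EVIDENCE["payroll_2024-03-15.csv"].replace(b"rtn-b", b"rtn-a")
    # And someone rewrites the first custody entry in place.
    manifest["custody"][0]["actor"] = "padmin"
    return {"changed_items": verify_items(manifest, edited),
            "custody_before": intact_before, "custody_after": custody_intact(manifest)}
```

Store the manifest somewhere the flagged user cannot write to; a manifest kept next to the evidence on a share the payroll admin controls protects nothing.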

The Real Cost of Weak Detection

A regional retail chain found out the hard way. Their fraud "detection" was annual audits and employee complaints. By the time they found the problem, here's where they stood:

  1. $284,000 in fraudulent payments over 18 months
  2. 12 ghost employees spread across 4 locations
  3. 47 employees with modified pay rates
  4. $67,000 in incorrect tax withholdings
  5. $34,000 in legal and forensic accounting fees

It started with one ghost employee, $400 per pay period. Three months of silence gave the fraudster confidence to escalate. By month 18, multiple schemes were running simultaneously.

The total damage wasn't just financial. Correcting 18 months of tax records across multiple locations took the better part of a year and pulled their HR team away from everything else. The investigation cost them more in lost productivity than the forensic fees suggest.

Building Your Detection Workflow

Effective payroll fraud detection doesn't require massive technology investment. It requires prioritized rules and clear workflows.

Week 1–2: Baseline establishment

  1. Document current normal patterns
  2. Identify high-risk roles and access points
  3. Set initial thresholds from historical data
  4. Define your investigation team structure

Week 3–4: Rule implementation

Priority order:

  1. Duplicate direct deposit detection
  2. Outlier pay amount monitoring
  3. Admin activity tracking
  4. Ghost employee indicators
  5. Timecard manipulation patterns

Week 5–6: Workflow testing

  1. Run rules against historical data
  2. Measure false positive rate
  3. Adjust thresholds accordingly
  4. Train the investigation team

Ongoing: Refinement

  1. Weekly threshold review in the first quarter
  2. Monthly pattern analysis updates
  3. Quarterly rule effectiveness check
  4. Annual full system review

The implementation order matters more than most people realize. Companies that try standing up all rules at once create alert fatigue — the investigation team gets overwhelmed, starts ignoring flags, and the system quietly fails. Phased rollout, starting with the highest-risk areas, works consistently better.

This diagram summarizes the phased detection implementation and triage flow.

Process diagram

Technology and Tool Requirements

Basic fraud detection doesn't require advanced tooling, but the right setup makes a real difference. Most mid-size companies can build solid detection from existing systems plus some focused monitoring.

Minimum viable toolset:

  1. Payroll system audit log exports
  2. Excel or basic SQL for pattern analysis
  3. Email alerts for threshold breaches
  4. Secure documentation for investigations

Start with audit log exports and a simple SQL query to find duplicate direct deposit changes.

Enhanced detection capabilities:

  1. Automated log aggregation across systems
  2. Real-time alerting on critical changes
  3. Dashboard for pattern visualization
  4. Integrated case management for investigations

The main difference between basic and enhanced isn't capability — it's response time and pattern recognition. Basic detection might catch fraud within a pay period. Enhanced detection catches it within hours.

This is also where properly configured access controls become critical. If every HR or payroll user can edit bank details and approve overtime, those actions are routine and carry no signal, so your detection rules fire constantly on legitimate activity. When role-based access limits each sensitive action to the few people who need it, the same action from anyone else stands out immediately instead of getting buried in noise.

Combining fraud detection with systematic pre-filing validation creates multiple checkpoints. Fraud that gets past one layer tends to get caught by another.

Moving from Reactive to Proactive

When employees and administrators know that patterns are being monitored — that anomalies trigger reviews and investigations follow clear procedures — fraud attempts drop. Deterrence is underrated as an outcome here.

A logistics company implemented this full detection framework and saw something worth noting. The first month turned up two attempted fraud schemes. By month six, attempts had stopped entirely. The deterrent effect ended up being stronger than the detection itself.

What made their system work:

  1. Clear internal communication that monitoring was active
  2. Consistent follow-through on every trigger, not just obvious ones
  3. A transparent process for clearing false positives so staff didn't feel surveilled arbitrarily
  4. Regular rule updates based on emerging patterns

Their payroll manager made an observation that stuck: the system didn't only catch fraud — it caught legitimate errors too. Mistakes that would have caused over or underpayments got flagged and fixed before payroll ran. The fraud detection layer quietly became a quality control layer as well.

Every company processing payroll already has the data needed for this kind of detection. The only question is whether you analyze it before payroll runs or after a fraud investigation forces you to. The framework here — duplicate direct deposit monitoring, pay amount anomaly detection, admin activity tracking — is a practical starting point. Customize the thresholds to fit your organization's actual patterns, adjust the investigation procedures based on your team's capacity, and implement something. Most fraud schemes succeed simply because detection came too late.