A form of account takeover where an attacker changes the destination of salary, stipend, or refund payments to an account they control. The fraud succeeds by abusing trusted self-service workflows and weak identity verification at the moment of change.
Expanded Definition
Direct deposit fraud is an account takeover pattern in which an attacker redirects recurring payments, such as payroll, stipends, tax refunds, or vendor reimbursements, to an account they control. In NHI and IAM programs, it is best understood as a trust-boundary failure in a self-service change workflow, not merely a payroll issue. The attacker usually exploits weak identity verification, reused credentials, session theft, or poor step-up authentication at the moment the payout destination is edited. That makes the attack closely related to NIST Cybersecurity Framework 2.0 concerns around access control, detection, and recovery, even when the affected account is human-owned.
Definitions vary across vendors when the term is applied to employee records, contractor portals, benefits systems, or refund services, but the security pattern is consistent: the payment route changes while the legitimate identity remains active. In practice, the control question is whether the workflow verifies intent at the change point, not just at login. That is why NHI governance treats this as a lifecycle and assurance problem, especially where service accounts, automated approvals, or delegated admin paths can alter destination data without strong binding to the real actor. The most common misapplication is assuming a successful password login proves payment-change legitimacy, which occurs when systems skip re-verification for high-impact profile edits.
Examples and Use Cases
Implementing direct deposit fraud controls rigorously often introduces friction for legitimate users, requiring organisations to weigh faster self-service updates against stronger verification and change assurance.
- An employee updates payroll routing through a portal after an attacker has captured the session, causing the next salary cycle to pay the attacker’s account.
- A contractor management system lets a compromised account change bank details without step-up verification, creating a quiet diversion that is only noticed after reconciliation.
- A university stipend platform accepts destination changes from a portal protected only by password login, making it vulnerable to credential stuffing and inbox compromise.
- A refund service uses an automated approval path for payment edits, but the approval tool itself is a high-value NHI with insufficient access review and logging. The Ultimate Guide to NHIs is useful here because it frames how weak lifecycle controls and secret exposure amplify downstream abuse.
- A payroll team accepts bank-detail changes by email, but the request is spoofed or forwarded from a compromised inbox, bypassing the intended identity workflow.
For a standards lens, organisations can map these scenarios to identity assurance and access review expectations in NIST Cybersecurity Framework 2.0, especially where the change itself is the asset.
Why It Matters in NHI Security
Direct deposit fraud matters to NHI security because the attack often succeeds through identities that are not treated as identities at all: payroll bots, HR integrations, ticketing automation, delegated approvers, and compromised user sessions that can alter financial destinations. NHIMG research shows that 79% of organisations have experienced secrets leaks, with 77% of those incidents causing tangible damage, and that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys. That matters here because payment-change workflows are frequently powered by those same unmanaged credentials and weakly governed integrations. The Ultimate Guide to NHIs also notes that only 5.7% of organisations have full visibility into their service accounts, which leaves many high-impact change paths effectively unaudited.
Practitioners should treat payment-destination changes as privileged events, with step-up authentication, out-of-band confirmation, logging, and rapid rollback paths. That design discipline aligns with the NIST Cybersecurity Framework 2.0 emphasis on protect, detect, and recover controls for high-risk transactions. Organisations typically encounter the full cost only after a legitimate payment is diverted and reconciliation exposes the loss, at which point direct deposit fraud becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Changed payout destinations are often enabled by poor secret and workflow protection. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege and access management govern who can alter sensitive account data. |
| NIST SP 800-63 | AAL2 | Assurance levels inform how strongly a user must be verified before making changes. |
Protect credentials and high-impact workflows so payment-routing changes cannot be abused.
Related resources from NHI Mgmt Group
- What is the difference between direct access and effective access in Active Directory?
- What is the difference between IAM roles and direct API keys for AI workloads?
- What is the difference between direct account compromise and SaaS supply chain compromise?
- Why do SaaS supply-chain attacks create a larger blast radius than direct account compromise?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
