Payroll Fraud Detection Methods

Payroll fraud sits in an uncomfortable place for most organisations. It is a clever financial fraud that can often sail under the radar while costing companies tens, if not hundreds, of thousands of pounds. It involves the manipulation of a process that everyone in the business depends on and that very few people outside the payroll function are permitted to scrutinise closely. That combination — universal sensitivity and limited oversight — creates conditions that experienced fraudsters understand very well.

In the cases I have investigated, payroll fraud tends to be committed by people with legitimate system access: payroll administrators, HR managers, finance staff, and in some cases directors with the authority to approve their own remuneration. The access is not the anomaly. What is anomalous is the use being made of it — and that anomaly is rarely visible unless someone is actively looking for it.

The ACFE estimates that payroll fraud accounts for around 8% of occupational fraud cases, with a median loss of approximately £90,000 per scheme. In the cases I work on at the senior end, those figures are frequently exceeded. Payroll fraud that involves a director or a payroll manager with unchecked authority can run for years before it surfaces, and the cumulative losses can be substantial.

This article explains how payroll fraud operates, how it is detected, and what organisations can do to make their payroll function a harder target.

What Is Payroll Fraud?

Payroll fraud is the deliberate manipulation of a payroll system to generate unauthorised payments — whether to fictitious employees, to real employees at inflated rates, or directly to the perpetrator through misdirected funds. It is a form of asset misappropriation and, depending on the nature and scale of the conduct, can constitute offences under the Fraud Act 2006, the Theft Act 1968, and — where PAYE and National Insurance contributions are involved — relevant tax legislation.

What makes payroll fraud particularly difficult to address is the environment in which it operates. Payroll data is legitimately restricted. Employees are rightly protective of salary confidentiality. The people with access to the system are, by necessity, trusted individuals with the technical capability to make changes that will not immediately be apparent. These are not design flaws. They are the conditions payroll systems require in order to function. They are also, in the wrong hands, precisely what payroll fraud exploits.

Common Payroll Fraud Schemes

Payroll fraud takes several distinct forms, and in practice more than one is often operating simultaneously. Understanding each helps explain both how they persist and where the detection opportunities lie.

Ghost Employees

A ghost employee is a fictitious individual — or a genuine former employee — who remains on the payroll and continues to receive salary payments after leaving the organisation, or who was never a legitimate employee at all. The perpetrator controls the bank account to which the ghost’s salary is directed and pockets the payments directly.

Ghost employee schemes are among the most straightforward forms of payroll fraud to establish in environments with weak onboarding and offboarding controls. If a leaver’s record is not removed promptly from the payroll system, their salary continues to be processed as routine. If a new record can be created without independent verification, a fictitious employee can be inserted into the payroll with minimal effort.

I investigated a case at a logistics company where three ghost employees had been on the payroll for over two years. All three had been added by the same payroll administrator shortly after they joined the business. The bank accounts were registered to addresses connected to the administrator’s family members. The total diverted was just under £140,000. The fraud came to light not through any internal control, but because a new HR director conducted a headcount exercise that did not match the payroll register. That is a simple check. It had simply never been done.

Overtime Manipulation

Overtime fraud involves the submission or approval of inflated hours worked in order to generate additional pay that has not been earned. It can operate at the individual level — an employee falsifying their own timesheets — or through a management structure, where a supervisor approves fictitious overtime for their team in exchange for a share of the additional payment, or simply because the approval process is so superficial that fraudulent submissions pass without scrutiny.

This scheme is most prevalent in sectors where overtime is common, variable, and difficult to verify independently: construction, logistics, healthcare, and facilities management. In environments where timesheets are submitted on paper or through a system with limited audit trail capability, systematic overtime fraud can be maintained for extended periods.

What often surfaces this scheme is not a control catching a fraudulent entry, but a pattern that becomes visible when overtime data is reviewed in aggregate. Individual claims may be plausible. A consistent pattern of the same employees, the same supervisors, and the same pay periods appearing at the top of every overtime report is a different matter. In my experience, that pattern is rarely examined unless someone specifically looks for it.
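The aggregate review described above can be sketched as follows. This is an added example, not code from the article or from any payroll product; the sample rows, identifiers and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: (pay_period, employee, approving_supervisor, overtime_hours)
OVERTIME = [
    ("2024-01", "E101", "S1", 42), ("2024-01", "E102", "S1", 38),
    ("2024-01", "E103", "S2", 6),  ("2024-01", "E104", "S2", 4),
    ("2024-02", "E101", "S1", 40), ("2024-02", "E102", "S1", 12),
    ("2024-02", "E103", "S2", 35), ("2024-02", "E104", "S2", 5),
    ("2024-03", "E101", "S1", 44), ("2024-03", "E102", "S1", 8),
    ("2024-03", "E103", "S2", 7),  ("2024-03", "E104", "S2", 3),
]

def recurring_top_claimants(rows, top_n=1, min_share=1.0):
    """Return (employee, supervisor) pairs ranked in the top_n overtime
    totals in at least min_share of the pay periods present in rows."""
    by_period = defaultdict(lambda: defaultdict(float))
    for period, emp, sup, hours in rows:
        by_period[period][(emp, sup)] += hours
    appearances = defaultdict(int)
    for totals in by_period.values():
        # Rank each period separately: one large claim is plausible,
        # the same pair leading every period is the pattern of interest.
        for pair in sorted(totals, key=totals.get, reverse=True)[:top_n]:
            appearances[pair] += 1
    needed = min_share * len(by_period)
    return sorted(p for p, n in appearances.items() if n >= needed)

def supervisor_share(rows):
    """Fraction of all overtime hours approved by each supervisor."""
    total = sum(r[3] for r in rows)
    by_sup = defaultdict(float)
    for _, _, sup, hours in rows:
        by_sup[sup] += hours
    return {s: round(h / total, 2) for s, h in by_sup.items()}

if __name__ == "__main__":
    print(recurring_top_claimants(OVERTIME))
    print(supervisor_share(OVERTIME))
```

A pair returned here is a prompt for verification against rotas, site access records or job sheets, not a finding in itself.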

Salary Diversion and Unauthorised Rate Changes

Salary diversion involves redirecting legitimate payroll payments — in whole or in part — to an account controlled by the perpetrator. It typically requires system access sufficient to modify bank account details or payment routing, and is most commonly committed by payroll administrators or finance staff with direct access to payment processing.

The related scheme of unauthorised salary adjustment involves an individual inflating their own pay rate, bonus entitlement, or benefit elections within the payroll system. This is a more direct form of fraud and arguably more audacious, but it persists in organisations where payroll changes are processed by the same function that approves them, and where a systematic comparison of current pay rates against authorised remuneration records is not part of any routine review.

I have encountered cases where a senior payroll manager had been incrementally increasing their own salary — by amounts small enough to fall within normal band progression — over a period of four years. By the time it was identified during a post-resignation review of their access activity, the accumulated excess was material. Each individual change, viewed in isolation, looked like a routine update. The pattern was only visible when all four years of changes were examined together.

Detecting Payroll Fraud

The most important thing I can say about detecting payroll fraud is that it almost never surfaces through the normal payroll process. Payroll runs are designed to process what is in the system, not to question whether what is in the system is legitimate. Detection requires a separate layer of scrutiny — one that looks at the payroll data from the outside, with investigative intent rather than operational routine.

The detection indicators I look for when a concern has been raised, or as part of a proactive payroll review, include:

  • Employees whose bank account details share an address, sort code, or account number with another employee or a known associate of a payroll administrator.
  • Payroll records where the bank account details have been changed shortly before or after a period of elevated payment activity.
  • Employees whose pay rate, grade, or benefit elections have changed without a corresponding authorisation record in the HR system.
  • Terminated employees who remain active in the payroll system beyond their leaving date, or who appear in the payroll register with a status inconsistent with HR records.
  • Overtime or allowance payments concentrated among a small number of employees or cost centres, particularly where those payments are approved by the same individual consistently.
  • Payroll changes made outside normal processing windows — late at night, at weekends, or during holiday periods when oversight is reduced.
  • Employees whose National Insurance numbers, addresses, or contact details do not correspond to records held elsewhere in the HR system.
  • Discrepancies between the headcount figure in the payroll system and the active employee count maintained by HR.

The last indicator on that list — the headcount reconciliation — is one of the simplest checks available to any organisation, and one of the least frequently performed. Payroll headcount and HR headcount should match. Where they do not, the discrepancy requires explanation. It sounds straightforward. In my experience, organisations that do not perform this check routinely are often genuinely surprised to discover it has never been done.
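The headcount reconciliation, together with the leaver and shared-bank-account indicators from the list above, can be run as one comparison of the payroll register against HR records. The following is an added example, not part of the original article; the record layout, field names and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records; field names are assumptions, not a real payroll schema.
HR = {  # employee_id -> leaving date (None = still employed)
    "E001": None, "E002": None, "E003": date(2024, 1, 31), "E004": None,
}
PAYROLL_RUN = date(2024, 3, 28)
PAYROLL = [  # rows on the payroll register for this run
    {"id": "E001", "sort_code": "11-22-33", "account": "00012345"},
    {"id": "E002", "sort_code": "11-22-33", "account": "00099999"},
    {"id": "E003", "sort_code": "44-55-66", "account": "00055555"},
    {"id": "E004", "sort_code": "11-22-33", "account": "00012345"},
    {"id": "E900", "sort_code": "77-88-99", "account": "00077777"},
]

def reconcile(hr, payroll, run_date):
    """Compare the payroll register with HR records for one pay run."""
    paid = {row["id"] for row in payroll}
    known = set(hr)
    active = {e for e, left in hr.items() if left is None or left >= run_date}
    # Group paid employees by destination account to expose shared accounts.
    by_account = defaultdict(set)
    for row in payroll:
        by_account[(row["sort_code"], row["account"])].add(row["id"])
    return {
        "hr_headcount": len(active),
        "payroll_headcount": len(paid),
        "not_in_hr": sorted(paid - known),
        "paid_after_leaving": sorted(
            e for e in paid & known
            if hr[e] is not None and hr[e] < run_date),
        "active_not_paid": sorted(active - paid),
        "shared_accounts": {k: sorted(v) for k, v in by_account.items()
                            if len(v) > 1},
    }

if __name__ == "__main__":
    for key, value in reconcile(HR, PAYROLL, PAYROLL_RUN).items():
        print(key, value)
```

Shared accounts have legitimate explanations, such as partners who both work for the employer, so each hit needs checking against HR records before any conclusion is drawn.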

Investigative Techniques

When we are engaged to investigate a suspected payroll fraud, the approach follows a structured sequence that I have refined over many years of working on these cases. The objective at every stage is to build an evidential picture that is clear, accurate, and defensible — one that will support whatever action the client ultimately decides to take.

Full payroll data extraction and analysis: a systematic review of the payroll register across the relevant period, looking for the indicators described above. This is always the starting point. The data tells you where to focus; interviews and document review follow from what the data surfaces.

HR and payroll system reconciliation: a line-by-line comparison of the payroll register against HR employment records, authorised remuneration schedules, and bank account verification data. Discrepancies between what the payroll system contains and what the HR system authorised are where most payroll fraud becomes visible.

Access log review: modern payroll systems maintain detailed audit trails of who accessed what records, when, and what changes were made. These logs are often the most direct evidence of how a fraud was operated — they record the specific user, the specific change, and the precise timestamp. In a well-configured system, they cannot be retroactively altered by the person who made the change without leaving a further record.

Bank account verification: cross-referencing payroll bank account details against employee personal records, Companies House data, and electoral roll information to identify accounts connected to employees, their associates, or fictitious identities.

Digital forensics: where a payroll administrator or finance staff member is suspected, a forensic examination of their devices may reveal communications, file activity, or system access that corroborates or extends the findings from the payroll data analysis.

Structured interviews: witnesses are interviewed before the subject, in a sequence designed to build the evidential picture progressively. By the time the primary suspect is interviewed, the specific transactions under scrutiny have been identified and the questions can be precise.

Something that distinguishes payroll fraud investigations from other internal fraud enquiries is the availability of the audit trail. In well-configured payroll systems, every change is logged. The fraudster cannot remove themselves from that record. What I am frequently looking for is not whether a change was made, but whether the person who made it had the authority to do so — and in payroll fraud cases, the answer is usually no.

Strengthening Internal Controls

After investigating a payroll fraud, the conversation about controls is one I have with every client. What they almost always find is not that they had no controls, but that the controls they had were not being applied consistently — or that the person responsible for operating them was the same person committing the fraud. Both of those situations are preventable.

The changes that make the most practical difference are:

  • Enforce strict segregation between the person who adds or amends payroll records and the person who approves those changes. No individual should be able to make a change to the payroll system and process the resulting payment without independent authorisation.
  • Conduct regular reconciliations between payroll headcount and HR headcount. This is a basic control that costs very little to implement and surfaces ghost employee schemes quickly. It should happen every pay period, not annually.
  • Require independent verification of all new bank account details before they become active in the payroll system. A simple confirmation process — a letter to the employee’s registered home address, or a callback to a number held in HR rather than one provided by the payroll function — eliminates the most straightforward salary diversion schemes.
  • Implement automated alerts for payroll changes made outside normal processing windows, or for changes that exceed defined thresholds without a corresponding authorisation record.
  • Conduct periodic independent payroll audits — not reviews carried out by the payroll function itself, but external examinations of the payroll register against authorised remuneration records, HR files, and bank account data.
  • Review and maintain payroll system access rights actively. Former employees and individuals who have changed roles should not retain system access beyond the point at which it is operationally necessary. Access rights that are never reviewed tend to accumulate in ways that create structural vulnerability.
  • Ensure that the payroll function is included in the organisation’s internal fraud risk assessment. It is consistently underweighted relative to procurement and finance in the risk frameworks I review — partly because the sensitivity of payroll data makes people reluctant to subject it to the same scrutiny as other financial functions. That reluctance is itself a vulnerability.
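The access log review described under Investigative Techniques and the automated alert control in the list above rest on the same checks over the payroll audit trail: was the change made inside the normal window, is there an authorisation record, and did someone other than the person making the change approve it. This is an added example, not the article's or any vendor's code; the log layout, user names, processing window and authorisation table are assumptions constructed for illustration.

```python
from datetime import datetime, time

# Constructed audit-trail rows; the field layout is an assumption for this example.
AUDIT = [
    # (timestamp, user, employee_id changed, field, old value, new value)
    ("2024-03-04 10:15", "padmin1", "E010", "pay_rate", "31000", "32000"),
    ("2024-03-09 23:40", "padmin1", "E022", "bank_account", "00011111", "00012345"),
    ("2024-03-12 14:05", "pmgr", "E007", "pay_rate", "52000", "53500"),
    ("2024-03-13 11:30", "padmin1", "E031", "bank_account", "00022222", "00033333"),
]
USER_EMPLOYEE = {"padmin1": "E005", "pmgr": "E007"}  # login -> own employee record
# Authorisations held by HR: (employee_id, field, approved value) -> approver
AUTHORISED = {("E010", "pay_rate", "32000"): "hr_dir",
              ("E031", "bank_account", "00033333"): "padmin1"}
WINDOW = (time(8, 0), time(18, 0))  # assumed normal processing hours, Mon-Fri

def review(audit, authorised, user_employee, window=WINDOW):
    """Return (timestamp, user, employee, reasons) for each change to follow up."""
    findings = []
    for ts, user, emp, field, _old, new in audit:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        reasons = []
        if when.weekday() >= 5 or not (window[0] <= when.time() <= window[1]):
            reasons.append("outside_window")
        approver = authorised.get((emp, field, new))
        if approver is None:
            reasons.append("no_authorisation")
        elif approver == user:
            reasons.append("self_approved")  # segregation of duties not applied
        if user_employee.get(user) == emp:
            reasons.append("own_record")     # user changed their own payroll record
        if reasons:
            findings.append((ts, user, emp, reasons))
    return findings

if __name__ == "__main__":
    for finding in review(AUDIT, AUTHORISED, USER_EMPLOYEE):
        print(finding)
```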

The payroll function is not different in kind from any other area of financial control. The principles — segregation of duties, independent oversight, regular reconciliation, access management — are consistent throughout. What makes payroll distinctive is the combination of sensitivity and trust that surrounds it, and the way that combination can create an environment where the usual controls are applied less rigorously than they should be. That is the environment payroll fraud exploits, and it is the environment that better governance directly addresses.
