Ghost Employee Fraud Investigations Explained

Of all the payroll fraud schemes I investigate, ghost employee fraud has a particular quality that I find clients struggle to process when they first understand what has happened. It is not complicated. It does not require sophisticated technical knowledge or access to obscure systems. What it requires is access to the payroll function, a willingness to exploit that access, and an organisation that has never thought to check whether the people on its payroll actually exist.

That last part is where most organisations find themselves. Not through negligence, exactly, but through a reasonable assumption that turns out to be wrong: that the controls surrounding payroll are sufficient to prevent this kind of fraud, and that the people operating those controls can be trusted without independent verification. In the majority of ghost employee cases I have worked on, both assumptions were misplaced.

This article explains how ghost employee fraud works, what it looks like in practice, and what a professional investigation involves when a concern is raised.

What Is a Ghost Employee?

A ghost employee is an individual on an organisation’s payroll who either does not exist at all or no longer works for the organisation, but whose salary continues to be processed and paid. The payments are directed to a bank account controlled by the perpetrator — typically the person who added the record, maintains it, or processes the associated payments.

The term covers two distinct scenarios. In the first, a fictitious identity is created from scratch: a name, a National Insurance number, a bank account, and a payroll record, none of which correspond to a real employee. In the second, a genuine former employee’s record is retained after their departure, either by failing to remove it from the payroll system or by deliberately suppressing the leaver process, with the continuing salary redirected to an account the perpetrator controls.

Both forms exploit the same structural weakness: a payroll system that can be modified by an individual without independent verification of what they have entered, and a payment process that will continue to pay whatever the system contains until someone instructs it otherwise. The fraud is not technically complex. What sustains it is the absence of scrutiny.

How Ghost Employee Fraud Happens

Ghost employee fraud almost always begins with access. The perpetrator needs to be able to add or maintain records in the payroll system, or to influence the process by which those records are created. In practice, that means payroll administrators, HR managers with payroll system access, finance staff involved in payment processing, and in smaller organisations, directors or owners who oversee payroll directly.

The mechanics vary but follow recognisable patterns. In the most straightforward version, a payroll administrator creates a new employee record using a fictitious name and National Insurance number, assigns a salary within the existing pay structure to avoid triggering anomaly alerts, and directs the payments to a bank account they control — often registered to a family member’s address or a personal account in a different name.

Where the fraud involves a retained leaver rather than a fictitious identity, the perpetrator typically intercepts or suppresses the leaver notification before it reaches the payroll system, or processes a bank account change for the departing employee in the final pay period and leaves the record active. The salary then continues to be paid, to the new account, indefinitely.

In both cases, the fraud is sustained by the absence of any cross-check between the payroll system and an independent record of who is actually employed. If no one ever reconciles the payroll register against the HR system, the access control log, or a physical headcount, the ghost employee simply continues to be paid.

The duration of these schemes can be significant. In my experience, ghost employee fraud that is not detected by a specific trigger — a change of personnel, an audit, a whistleblower — tends to run until something in the operational environment changes. I have investigated cases that ran for three, four, and in one instance more than six years before the fraud came to light.

Warning Signs of Ghost Employee Fraud

None of the following indicators is conclusive on its own. What matters, as with most fraud indicators, is pattern and context. These are the signals I look for when a concern has been raised, or when conducting a proactive payroll review:

  • Payroll records with no corresponding file in the HR system, or where the HR record is incomplete, inconsistent, or cannot be matched to an employment contract.
  • Employees whose bank account details share an address, sort code, or surname with a payroll administrator or HR manager.
  • New employee records added during periods of low oversight — holiday periods, management transitions, or immediately following a system upgrade or migration.
  • Payroll entries where the bank account details were changed shortly before or after the relevant employee’s departure date, or where a leaver record was created and then reversed without documented authorisation.
  • Employees with generic or difficult-to-verify contact details — email addresses that do not follow the organisation’s naming convention, phone numbers that are uncontactable, or residential addresses that return no result on standard verification.
  • A discrepancy between the headcount figure in the payroll system and the active employee count maintained by HR or operations.
  • Payroll records where the National Insurance number does not correspond to the name or date of birth on the record, or where the same NI number appears against more than one employee.
  • Salary payments to employees who have no associated line manager, cost centre, or operational function that can be verified against business records.

The headcount reconciliation — comparing the number of people in the payroll system against the number of people physically employed — is the most basic check available and the one I most consistently find has never been performed. It takes very little time. It surfaces ghost employees almost immediately. The fact that it is so rarely done is itself an indicator of how thoroughly the payroll function can operate in isolation from the rest of the business.

Investigation Process

When we are engaged to investigate a suspected ghost employee scheme, the starting point is always the data. Before any interviews take place and before anyone with potential involvement is made aware that a concern exists, I want to understand the full scope of what the payroll system contains and how it compares to what it should contain.

Payroll and HR Reconciliation

The first substantive step is a line-by-line reconciliation of the payroll register against HR employment records. Every active payroll entry needs to be matched to a verified employment record: a contract, a start date, a manager, a physical presence within the business. Records that cannot be matched, or where the match is incomplete or inconsistent, are flagged for further examination.

This exercise frequently produces results quickly. Ghost employees created without a corresponding HR record, or where the HR record is thin or generic, tend to surface at this stage. What the reconciliation gives us is a defined list of unexplained entries — not conclusions, but the specific records that require explanation.

Bank Account Analysis

Each flagged payroll record is then subjected to bank account verification: cross-referencing the payment destination against employee personal data, Companies House records, the electoral roll, and any other relevant data sources. Accounts registered to addresses connected to payroll or HR staff, to family members of those staff, or to entities with no verifiable independent existence are a significant indicator.

In cases involving a retained leaver, this stage often reveals that the bank account details were changed in the final period before the departure date was processed — a change made by a specific user at a specific time, visible in the audit log, and not consistent with what a normal leaver process would produce.
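The reconciliation and bank account checks described above can be expressed as a short script. This is an added example, not code from the original article: the field names, user names, account strings and NI numbers are constructed for illustration, and the 30-day window around the leave date is an assumption.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data. Field names and values are assumptions for
# illustration, not the schema of any real payroll or HR product.
PAYROLL = [  # active entries in the payroll register
    {"id": "E001", "ni": "QQ000001A", "account": "10-00-01/11111111"},
    {"id": "E002", "ni": "QQ000002A", "account": "10-00-02/22222222"},
    {"id": "E003", "ni": "QQ000003A", "account": "10-00-09/99999999"},
    {"id": "E004", "ni": "QQ000001A", "account": "10-00-04/44444444"},
    {"id": "E005", "ni": "QQ000005A", "account": "10-00-05/55555555"},
]
HR = {  # independent HR record: status and leave date
    "E001": {"status": "active", "left": None},
    "E002": {"status": "left", "left": date(2023, 3, 31)},
    "E004": {"status": "active", "left": None},
    "E005": {"status": "active", "left": None},
}
# Audit-log extract of bank detail changes: (employee id, user, date)
BANK_CHANGES = [("E002", "payroll_admin", date(2023, 3, 20)),
                ("E005", "hr_officer", date(2022, 6, 1))]
# Accounts already known to belong to payroll or HR staff and relatives
STAFF_ACCOUNTS = {"10-00-09/99999999"}

def reconcile(payroll, hr, bank_changes, staff_accounts, window_days=30):
    """Return {employee id: [reasons]} for entries that need explanation."""
    flags, by_ni = defaultdict(list), defaultdict(list)
    for rec in payroll:
        hr_rec = hr.get(rec["id"])
        if hr_rec is None:
            flags[rec["id"]].append("no HR record")
        elif hr_rec["status"] != "active":
            flags[rec["id"]].append("on payroll after leaving")
        if rec["account"] in staff_accounts:
            flags[rec["id"]].append("account linked to payroll/HR staff")
        by_ni[rec["ni"]].append(rec["id"])
    for ids in by_ni.values():
        if len(ids) > 1:  # same NI number against more than one record
            for emp_id in ids:
                flags[emp_id].append("duplicate NI number")
    for emp_id, user, changed in bank_changes:
        left = hr.get(emp_id, {}).get("left")
        if left and abs((changed - left).days) <= window_days:
            flags[emp_id].append(f"bank change near leave date by {user}")
    return dict(flags)

if __name__ == "__main__":
    results = reconcile(PAYROLL, HR, BANK_CHANGES, STAFF_ACCOUNTS)
    for emp_id, reasons in sorted(results.items()):
        print(emp_id, "; ".join(reasons))
```

The output is a list of entries that require explanation, not a finding: each flag still has to be tested against contracts, the audit log and interviews.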

Audit Log and Access Review

Modern payroll systems log every change: who made it, when, from which device or login, and what the previous value was. This audit trail is one of the most reliable evidence sources in any payroll fraud investigation, because it cannot be retroactively altered by the person who made the change without leaving a further record of the alteration.

The access log review establishes which user account was responsible for creating and maintaining each flagged record, whether those actions were taken within normal working hours and processing windows, and whether the changes were followed by any authorisation step or simply processed without secondary approval. In the majority of ghost employee cases I have investigated, the audit log is where the most direct evidence of the fraud sits.

Interviews

Interviews follow the evidence. By the time I sit down with the individual under investigation, I know which records they created, when, what bank account details they entered, and what the audit trail shows about how those records were maintained. The interview is not a fishing exercise. It is a structured conversation about specific transactions, conducted in the context of a complete evidential picture.

Supporting witnesses — colleagues in the payroll function, HR staff who should have been involved in onboarding, line managers whose names appear against ghost records — are interviewed before the subject, in a sequence designed to close off the avenues of explanation before the primary account is given.

A Case in Practice

Several years ago we were instructed by the audit committee of a mid-sized facilities management business following concerns raised by an incoming payroll manager during a routine system handover. The outgoing manager had left the business at short notice, and their successor had identified several employee records they could not match to any operational function within the business.

Our initial reconciliation identified five payroll records with no corresponding HR file, no verifiable manager, and no presence in any operational headcount or site allocation record. All five had been created within an eight-month window, approximately two years before the outgoing manager’s departure. Each was salaried at a level consistent with a mid-grade operative — unremarkable individually, but collectively generating just over £97,000 per year in fraudulent payments.

Bank account analysis established that three of the five accounts were registered to addresses directly associated with the outgoing manager’s family members. The remaining two used addresses that, on further investigation, corresponded to properties the manager had previously lived at. The audit log confirmed that all five records had been created by the same user account, during working hours, across a series of individually unremarkable payroll processing sessions.

The total loss over the period the scheme had operated was approximately £223,000. The findings report supported a civil recovery claim, which was settled. A referral was also made to the relevant authorities. The organisation subsequently implemented a series of control changes, including mandatory dual authorisation for all new payroll records and a quarterly reconciliation process between payroll and HR headcount.

What the case illustrated, as clearly as any I have worked on, is that the fraud was not sophisticated. It was sustained entirely by the assumption that someone in the payroll function would not abuse their access — and by the absence of any check that would have tested that assumption. The incoming payroll manager found the problem in her first week. It had been running for two years.

Prevention Strategies

Ghost employee fraud is among the most preventable forms of internal fraud, because the controls required to stop it are straightforward and do not depend on complex technology or significant resource. The reason it persists is not that the controls are difficult to implement. It is that they are frequently not implemented at all.

The measures I consistently recommend are:

  • Require independent dual authorisation for all new payroll records. The person who creates a new employee entry should not be the same person who approves it for payment. This single control eliminates the most direct form of ghost employee fraud.
  • Conduct a payroll-to-HR reconciliation every pay period, not annually. The number of active records in the payroll system should match the number of active employees in the HR system. Any discrepancy should be investigated before the next payroll run is processed.
  • Implement a formal leaver process that includes automatic payroll notification and a mandatory sign-off before a departing employee’s record is marked inactive. The payroll system should be updated on or before the employee’s last working day, not retrospectively.
  • Verify bank account details independently for all new employees and for any account change requests. A confirmation letter to the employee’s home address on record, or a callback to a number held in HR, should be standard practice before any new payment destination is activated.
  • Review payroll system access rights regularly and remove them promptly when an individual changes role or leaves. Former employees and those who no longer have operational need for payroll access should not retain it.
  • Include the payroll function in the organisation’s regular internal audit programme. The sensitivity of payroll data is sometimes used to justify exempting it from audit scrutiny. That logic is the wrong way round: sensitivity is a reason for more oversight, not less.
  • Provide a confidential reporting channel and ensure that payroll staff, finance colleagues, and operational managers understand they can raise concerns without risk of retaliation. In my experience, the people most likely to notice something wrong in a payroll function are those who work alongside it.

The common thread in all of these measures is independence: ensuring that no single individual has unchecked authority over the full cycle from creating a payroll record to authorising and processing the associated payment. Ghost employee fraud, in every case I have investigated, has operated in the space where that independence was absent. Restoring it is the most direct form of prevention available.
