Phishing attacks targeting HR and payroll platforms have become more targeted and more convincing. The threat isn't just the classic credential-stealing email. Attackers are now building fake login pages that look identical to legitimate HCM platforms and paying to place them at the top of Google search results as ads.
The result: an employee searches for their payroll login, clicks the top result, enters their credentials on a fake site, and their next paycheck gets redirected to an account they've never heard of.
According to the FBI's Internet Crime Complaint Center, Business Email Compromise (BEC) attacks — which include payroll diversion fraud — generated $3.046 billion in reported losses in 2025.
The good news is that the countermeasures are straightforward. The key is that they need to be in place before an incident, not after.
Note: This information is for informational purposes only and does not constitute formal tax, legal, or compliance advice. Always consult with qualified tax advisors, legal counsel, and your organization’s internal teams for guidance specific to your situation. Additional regulations may apply. For the most accurate and up-to-date information, refer to official government resources and regulatory agencies.
Here's what we will cover in this practical guide for HR and payroll administrators:
What a payroll phishing attack looks like
Understanding the attack pattern is the fastest way to shut it down. Here's how a typical credential-redirect scam unfolds:
- An employee searches for their payroll or HR login on Google, or clicks a link in an unsolicited email or text.
- A fake site, built to look identical to the real login page, captures their username and password the moment they type it.
- The attacker also captures the employee's two-factor authentication (2FA) code in real time. 2FA adds a layer of protection, but it does not stop a fake site that is designed to harvest the code as it's entered.
- With valid credentials in hand, the attacker logs into the real platform and changes the employee's direct deposit information before the employee notices anything is wrong.
Important: 2FA codes are captured by fake sites in real time. 2FA alone is not sufficient protection. Always pair it with URL verification — confirm the address bar shows the correct domain before entering any credentials.
Common signs of a fake login URL include subtle misspellings, extra characters, or hyphens inserted into the domain name. Examples of fake domains used in past incidents include greenshades-login.com, gr33nshades.com, and greenshadeonline.com. The real Greenshades login is always at greenshadesonline.com.
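As an added example (not Greenshades code), the following Python classifier applies the checks described above to a URL: only an exact match of the registrable domain counts as official, and a host is flagged as a lookalike when the brand name survives after stripping hyphens and undoing common digit-for-letter swaps, or when its name is within two edits of the official one. The official domain and the three fake domains come from this article; the substitution table, the edit-distance threshold and the brand label are assumptions, and public-suffix handling (two-part endings such as co.uk) is deliberately left out. It goes slightly beyond the cases listed above by also catching the official domain used as a subdomain of another host.

```python
"""Classify a payroll-login URL as official, lookalike or unrelated.

Added example, not Greenshades code. OFFICIAL_DOMAIN and the fake domains
in the usage section come from the article; the substitution table,
the edit-distance threshold and the brand label are assumptions.
"""
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "greenshadesonline.com"
OFFICIAL_NAME = OFFICIAL_DOMAIN.split(".")[0]   # "greenshadesonline"
BRAND = "greenshades"                           # assumption: the label attackers imitate

# Digit-for-letter swaps seen in lookalike names such as gr33nshades (assumption).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def split_host(url):
    """Return (full hostname, registrable domain) for a URL or bare hostname.

    The registrable domain is taken as the last two labels; two-part public
    suffixes such as co.uk are deliberately not handled here.
    """
    if "://" not in url:
        url = "https://" + url                   # allow bare hostnames
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    domain = ".".join(labels[-2:]) if len(labels) >= 2 else host
    return host, domain


def edit_distance(a, b):
    """Levenshtein distance; catches one dropped or added character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def normalize(label):
    """Lower-case, strip hyphens and dots, undo digit-for-letter swaps."""
    return label.lower().replace("-", "").replace(".", "").translate(HOMOGLYPHS)


def classify_login_url(url):
    """'official' only on an exact registrable-domain match; 'lookalike' when
    the brand survives normalization anywhere in the host (including as a
    subdomain of another domain) or the name is within two edits of the
    official one; otherwise 'unrelated'."""
    host, domain = split_host(url)
    if domain == OFFICIAL_DOMAIN:
        return "official"
    if BRAND in normalize(host):
        return "lookalike"
    if edit_distance(normalize(domain.split(".")[0]), OFFICIAL_NAME) <= 2:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # The three fake domains named in the article, plus the real one.
    for u in ["greenshadesonline.com", "greenshades-login.com",
              "gr33nshades.com", "greenshadeonline.com"]:
        print(u, "->", classify_login_url(u))
```

A check like this is useful for triaging URLs that employees report, but it is not a substitute for the bookmark habit: the classifier only says whether a host is suspicious, and anything other than "official" should be treated as a page not to log in to.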
Account security settings and features to review in your payroll system
Several platform-level security controls, common in all payroll systems, can reduce exposure when configured correctly.
Multi-factor authentication (MFA)
MFA is available and should be enabled for all users. It adds a required second step at login. As noted above, MFA codes can be captured by a well-designed fake site in real time, which is why URL verification is still essential. However, MFA remains an important layer of protection against credential reuse and unrelated attacks.
Account lockout
After a configurable number of failed login attempts, have your system automatically lock an account. The recommended setting is three attempts, with a 30-minute lockout. This limits brute-force attempts and buys time for administrators to respond.
Account email restrictions
This setting controls whether employees can change the email address associated with their account. Enabling restrictions prevents an attacker from redirecting account notifications to an address they control.
Direct deposit access controls
Administrators can set direct deposit to view-only for employees, removing the ability for anyone logged into the employee portal to change banking information without admin approval. This is one of the most effective controls available — if an attacker can't change the deposit destination, the paycheck redirect fails.
How Greenshades supports your security
While Greenshades can't control how users access the platform or what they do with their credentials, our team continuously works to provide robust security features:
- Advanced MFA options
- Anomaly detection and behavioral analysis
- Comprehensive audit logging
- Configurable verification workflows
- Real-time alerts and notifications
- Security monitoring and incident response
- Regular security assessments and updates
We also actively monitor for and report fraudulent websites impersonating Greenshades, working to have them removed as quickly as possible.
Your payroll security action plan
What admins should configure right now
If you haven't reviewed your account security settings recently, now is the right time. If you use Greenshades, these settings live under Employee Access > Account Security in your Greenshades workspace.
Admin security checklist:
- Account lockout: Lock accounts after failed login attempts — 3 attempts with a 30-minute lockout is a solid baseline.
- Two-factor authentication (2FA): Require for all users.
- Password policy: Establish a strong password policy.
- For example: 12+ characters, one uppercase, one lowercase, one number, one special character, not one of the last 3 passwords, no personal info (DOB, SSN, email).
- Direct deposit access: Restrict employees from changing their own banking information without admin approval. In Greenshades, this lives under Settings > Employee Services > Direct Deposit.
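The password rules in the checklist, written out as an added Python validator (example code, not a Greenshades feature): it checks length and character classes, compares against one-way fingerprints of the last three passwords, and rejects passwords containing the employee's date of birth, SSN or mailbox name in the formats a person is most likely to type. The rules come from the checklist; the fingerprint scheme (PBKDF2 with a fixed example salt), the specific date and SSN formats compared, and the constructed employee record are assumptions.

```python
"""Validate a proposed password against the checklist's password policy.

Added example, not a Greenshades feature. The rules come from the article
(12+ characters, upper, lower, digit, special character, not one of the last
3 passwords, no DOB/SSN/email). The fingerprint scheme, the fixed example
salt and the date/SSN formats compared are assumptions.
"""
import hashlib
import hmac
import string
from datetime import date


def password_fingerprint(password, salt=b"example-salt-not-for-production"):
    """One-way fingerprint so the history holds no plaintext (assumed scheme:
    PBKDF2-HMAC-SHA256; a real system uses a random per-user salt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000).hex()


def personal_tokens(dob, ssn, email):
    """Substrings derived from the employee's DOB, SSN and email that must not
    appear in the password. The formats covered are assumptions."""
    digits = ssn.replace("-", "")
    tokens = {
        digits, digits[-4:],                        # full SSN and last four
        dob.strftime("%Y"), dob.strftime("%m%d"),   # year, month+day
        dob.strftime("%m%d%Y"), dob.strftime("%d%m%Y"),
        dob.strftime("%m%d%y"), dob.strftime("%Y%m%d"),
        email.split("@")[0],                        # mailbox name
    }
    return {t.lower() for t in tokens if len(t) >= 4}


def check_password(password, history, dob, ssn, email):
    """Return the policy rules the password violates; an empty list means
    it is acceptable. `history` holds fingerprints, oldest first."""
    problems = []
    if len(password) < 12:
        problems.append("fewer than 12 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    fp = password_fingerprint(password)
    if any(hmac.compare_digest(fp, old) for old in history[-3:]):
        problems.append("matches one of the last 3 passwords")
    lowered = password.lower()
    hits = sorted(t for t in personal_tokens(dob, ssn, email) if t in lowered)
    if hits:
        problems.append("contains personal information: " + ", ".join(hits))
    return problems


# Constructed employee record and password history; no real person.
EXAMPLE_EMPLOYEE = {"dob": date(1985, 3, 14), "ssn": "123-45-6789",
                    "email": "jane.doe@example.com"}
EXAMPLE_HISTORY = [password_fingerprint(p)
                   for p in ("Spring2024!!ab", "Summer2024!!ab", "Autumn2024!!ab")]


if __name__ == "__main__":
    for candidate in ("Autumn2024!!ab", "jane.doe1985!!", "Wren-Orbit-Lamp-92!"):
        result = check_password(candidate, EXAMPLE_HISTORY, **EXAMPLE_EMPLOYEE)
        print(candidate, "->", result or "OK")
```

The personal-information check compares lower-cased substrings, so "Jane.Doe" in a password is caught even though the mailbox name is stored in lower case; tokens shorter than four characters are skipped to avoid rejecting every password that happens to contain two digits of a birth month.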
What to share with your employees
Most paycheck redirect scams succeed because employees don't know the attack exists. Sharing a short, clear message with your team is one of the highest-impact steps you can take.
The core message for employees:
- Never search for your payroll or HR login on Google. Fake sites regularly appear as paid ads at the top of search results.
- Bookmark the official login page and use only that bookmark going forward. The correct Greenshades login URL is greenshadesonline.com.
- Check the URL every single time before entering your credentials. If anything looks off — extra characters, hyphens, slight misspellings — close the tab and contact HR or IT.
- Do not click links in unsolicited emails or texts that ask you to log in to your payroll or HR account, even if they look legitimate.
- Periodically verify your direct deposit information is correct. If anything has changed that you didn't initiate, contact HR immediately.
If an account has already been accessed
If you suspect an employee's account has been compromised, take all of the following steps immediately; do not wait for confirmation.
- Have the employee change their password immediately — on the real site, not from a link in any email.
- Verify the employee's direct deposit information has not been changed. If it has, flag it immediately — payroll may need to be held or rerouted.
- Pull a report of all recent direct deposit changes across all accounts. When one account is affected, others may be too.
- Review and apply the account security settings above if they are not already configured.
- If you are a Greenshades client, contact Support with the employee's ID, email address, and the date and time of the suspected unauthorized access.
Early action limits exposure. Greenshades Support will engage the appropriate teams on your behalf.
Questions or suspected unauthorized access? Contact Greenshades Support immediately. Early action limits exposure.
Frequently asked questions
Can two-factor authentication stop a payroll phishing attack?
Not on its own. 2FA is an important layer of protection, but sophisticated fake login pages can capture a 2FA code in real time and use it before it expires. Always verify the URL of the login page before entering any credentials — including your 2FA code. Bookmark the official login page and use only that.
How do fake login pages show up at the top of Google search results?
Attackers use compromised Google Ads accounts to purchase ad placements for targeted search terms like "Greenshades login" or "employee payroll portal." The ads appear above organic results and look like any other paid listing. The safest approach is to never click on search ads to access a login page — always use a bookmark or type the URL directly.
What's the correct URL for the Greenshades employee login?
The correct URL is greenshadesonline.com. Before logging in, verify the address bar shows this exact domain — no hyphens, extra words, or character substitutions. If you are unsure, contact your HR or payroll administrator for the correct bookmarked link.
What should I do if I think I entered my credentials on a fake site?
Contact HR or Payroll immediately and change your password on the real Greenshades site right away. Verify your direct deposit information has not been changed. If you used the same password elsewhere, change it on those accounts too. Do not wait — every minute between the compromise and your response matters.
How often should admins review direct deposit change reports?
At minimum, review direct deposit changes before each payroll run. If your organization has experienced any security incidents or elevated phishing activity, pull the report immediately and look for any changes that employees did not initiate.
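The incident step above ("pull a report of all recent direct deposit changes across all accounts") and this answer describe the same review. As an added example that is not Greenshades code and does not use its audit-log or report format, the Python below runs that review over a constructed CSV export: it lists every direct deposit change since the last payroll run so each can be confirmed with the employee out of band, and it raises the priority of changes preceded by an account email change (the notification-redirect pattern described in the settings section), changes that send several employees' pay to the same destination, and changes entered by someone other than the employee, which should match an approved request. The log fields, the sample rows, the 24-hour window and the risk rules are assumptions.

```python
"""Review recent direct deposit changes from an audit-log export.

Added example, not Greenshades code, and not its audit-log format: the CSV
fields, the sample rows and the risk rules are constructed for this example.
The rules follow the article's advice: list every change since the last
payroll run for verification, look across all accounts, and treat an email
change shortly before the deposit change (notifications redirected) as a
priority signal.
"""
import csv
from collections import Counter
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample export (no real employees, banks or accounts).
SAMPLE_LOG = """timestamp,employee_id,event,actor,detail
2025-06-02T08:05:00,E1001,login,E1001,ip=198.51.100.7
2025-06-02T08:06:00,E1001,email_change,E1001,new=mailbox-x@example.net
2025-06-02T08:07:30,E1001,direct_deposit_change,E1001,dest=TESTBANK-A/acct-9001
2025-06-02T09:15:00,E1002,direct_deposit_change,E1002,dest=TESTBANK-A/acct-9001
2025-06-03T10:00:00,E1003,direct_deposit_change,admin.hr,dest=TESTBANK-B/acct-5123
2025-06-03T11:00:00,E1006,direct_deposit_change,E1006,dest=TESTBANK-C/acct-3310
2025-05-20T12:00:00,E1004,direct_deposit_change,E1004,dest=TESTBANK-B/acct-7722
2025-06-04T07:30:00,E1005,login,E1005,ip=203.0.113.5
"""

LAST_PAYROLL_RUN = datetime(2025, 6, 1)   # constructed review boundary


def parse_log(text):
    """Parse the CSV export into dicts sorted by time."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return sorted(rows, key=lambda r: r["timestamp"])


def review_direct_deposit_changes(rows, since, window=timedelta(hours=24)):
    """One finding per direct deposit change at or after `since`.

    Every finding needs out-of-band confirmation with the employee; the
    `reasons` list marks the ones to escalate first.
    """
    changes = [r for r in rows
               if r["event"] == "direct_deposit_change" and r["timestamp"] >= since]
    # Several employees suddenly paying into one destination is a sweep pattern.
    dest_count = Counter(r["detail"] for r in changes)
    hours = int(window.total_seconds() // 3600)
    findings = []
    for change in changes:
        reasons = []
        preceding = [r for r in rows if r["employee_id"] == change["employee_id"]
                     and change["timestamp"] - window <= r["timestamp"] < change["timestamp"]]
        if any(r["event"] == "email_change" for r in preceding):
            reasons.append("account email changed within %dh before the deposit change" % hours)
        if dest_count[change["detail"]] > 1:
            reasons.append("same destination used by %d employees" % dest_count[change["detail"]])
        if change["actor"] != change["employee_id"]:
            reasons.append("entered by %s; confirm it matches an approved request" % change["actor"])
        findings.append({"employee_id": change["employee_id"],
                         "when": change["timestamp"].isoformat(),
                         "destination": change["detail"],
                         "reasons": reasons})
    return findings


def escalations(findings):
    """Employee IDs whose change carries at least one risk signal."""
    return [f["employee_id"] for f in findings if f["reasons"]]


def review_sample():
    """Run the review over the constructed export."""
    return review_direct_deposit_changes(parse_log(SAMPLE_LOG), LAST_PAYROLL_RUN)


if __name__ == "__main__":
    for f in review_sample():
        print(f["employee_id"], f["when"], f["destination"],
              f["reasons"] or "no signal; still verify with the employee")
```

The change for E1006 comes back with no reasons, which is the point of the design: it still appears in the report, because a change an attacker made from a fully hijacked account can look routine in the log, and the employee remains the only reliable source of whether they initiated it.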