// first 10 minutes

payroll fraud / ghost employee — quick-start

payroll fraud — first 10 minutes. freeze the payout change, export audit before the next cycle. print this, check boxes, then run the primary tools.

checklist

freeze or revert any pending bank account or direct deposit change for the affected employee(s) before the next payroll cycle.
export the payroll platform's bank-change audit log — Workday, ADP, Paychex all retain who made the change and when.
identify who submitted the direct-deposit change request — employee self-service, payroll admin portal, or HR helpdesk ticket.
pull IT helpdesk tickets opened by the affected employee in the 30 days before the change — social engineering often precedes the change.
check for ghost employees: accounts created in HR within 90 days with no corresponding corporate email, badge record, or manager attestation.
pull payroll totals per cost center for the last 4 quarters — ghost employees appear as anomalous headcount without manager attribution.
export all payroll adjustments (one-time payments, off-cycle checks, retroactive adjustments) for the investigation period.
pull IdP sign-in logs for payroll admin accounts — unauthorized access to payroll systems often uses compromised admin credentials.
note whether the change request matched the employee's established communication pattern (same device, same IP range, same request channel).
begin the primary tool path below — payroll audit log analyzer and ghost employee detector.

// first 10 minutes

payroll fraud — first 10 minutes. freeze the payout change, export audit before the next cycle. print this, check boxes, then run the primary tools.

freeze or revert any pending bank account or direct deposit change for the affected employee(s) before the next payroll cycle.
export the payroll platform's bank-change audit log — Workday, ADP, Paychex all retain who made the change and when.
identify who submitted the direct-deposit change request — employee self-service, payroll admin portal, or HR helpdesk ticket.
pull IT helpdesk tickets opened by the affected employee in the 30 days before the change — social engineering often precedes the change.
check for ghost employees: accounts created in HR within 90 days with no corresponding corporate email, badge record, or manager attestation.
pull payroll totals per cost center for the last 4 quarters — ghost employees appear as anomalous headcount without manager attribution.
export all payroll adjustments (one-time payments, off-cycle checks, retroactive adjustments) for the investigation period.
pull IdP sign-in logs for payroll admin accounts — unauthorized access to payroll systems often uses compromised admin credentials.
note whether the change request matched the employee's established communication pattern (same device, same IP range, same request channel).
begin the primary tool path below — payroll audit log analyzer and ghost employee detector.