Skip to main content

3 February 2026

Payroll phishing: why last-minute security checks are no longer enough

Recently, a politician made the news as a victim of phishing after failing to receive their salary. One possible explanation is that an email, which appeared completely legitimate, asked for the salary to be transferred to a new bank account. In reality, that email came from fraudsters. The result: the salary was not paid to the right person.

Far from an isolated phishing case

Phishing is on the rise, as Safeonweb’s numbers for 2025 confim: they received nearly 10 million alerts(opens in a new window) from vigilant Belgians about suspicious messages.

We’re also seeing that rising trend at Isabel. Thanks to close collaboration with banks, corporates and partners, combined with our high-volume payment processing, we have a front-row seat to emerging fraud patterns.

The above example of phishing appears more and more, and usually follows a familiar scenario:

Since October 2025, an additional check has been added to that final step: during payment signing, the Verification of the Beneficiary’s name (VoP) checks whether the provided name matches the IBAN account number.

Why that verification doesn't always guarantee protection

In such a case, the VoP check will return a “no match”. The verification works as designed and flags a potential issue. In practice, however, a social secretariat cannot simply block thousands of salary payments because of a small number of mismatches. From an operational perspective, that’s just not feasible.

On top of that, fraudsters are evolving fast. With AI and deepfake technology, phishing emails are now perfectly written, on-brand and convincing. The old red flags, such as spelling mistakes and odd phrasing disappear.

Another challenge is that many companies don’t sufficiently protect their email domain against misuse. This makes it easier for criminals to send emails that appear to come from a trusted, legitimate domain.

Domain spoofing is a common fraud technique where attackers send emails that look as if they originate from an organisation’s official email address. For HR teams, this makes is particularly difficult to distinguish genuine messages from fake ones. The Belgium DMARC Report 2025 shows that approximately 75% of companies in Belgium lack active protection on their domain. Yet, the technical setup is relatively straightforward today.

Remy Knecht

Head of Anti-Fraud Services, Isabel

Even if companies work with an HR platform on which employees change their own account number, risks remain. An employee can be tricked into sharing login details, allowing fraudsters to change the bank account number anyway.

Checks at the end of the payment process are not sufficient

The VoP check is now a standard part of payment flows and available in platforms like Isabel 6. But if that check only happens at the very last moment – when signing the payment – it can create friction.

As the earlier example shows, friction can even lead to fraudulent payments slipping through. It’s therefore important to minimise that friction as much as possible. By applying the VoP check earlier in the payment process, the verification happens at the companies themselves, rather than at the social secretariat.

Running anti-fraud checks earlier in the payment process removes the last-minute burden of resolving mismatches and encourages action, making payment execution smoother and more secure.

Remy Knecht

Head of Anti-Fraud Services, Isabel

By implementing our Beneficiary Screening service, HR and payroll systems can perform such security checks automatically, before the data reaches the social secretariat. Discrepancies are detected immediately and can be resolved much quicker.

👉 Interested in joining our Beneficiary Screening pilot?
Let’s explore together how to bring anti-fraud checks into HR and payroll systems. Contact us

Get in touch

Our team is ready to answer your questions and guide you forward.  

Contact us