Payroll Watchdog

Abnormal AI

Editor's Pick

Stops the 'update my direct deposit' email before payroll ever sees it

8.1/10
Editorial
score
VERIFIED JUN 18, 2026
Visit Abnormal AI

Visiting through this link may earn us a commission if you sign up, at no extra cost to you. It doesn't change our review, our lowest editorial scores go to vendors who pay us the most for placement just as often as ones who pay us nothing.

Abnormal AI (formerly Abnormal Security) is an email security platform, and it's included here because payroll diversion fraud, someone impersonating an employee or an executive by email and asking HR or payroll to change direct deposit details, is genuinely one of the most common ways small and mid-size businesses actually lose money to 'payroll fraud' in practice. It's not exotic, it's a convincing email and a rushed approval.

Abnormal doesn't rely on the traditional approach of scanning for malicious links or attachments, because these attacks usually don't have any, they're just well-written social engineering. Instead it models normal communication behavior for your organization and flags anomalies: a request coming from a personal email address, a lookalike domain, unusual urgency or tone, a banking-detail change request that doesn't match how that person normally communicates.

This is a security tool, not an HR or finance tool, so it needs to be evaluated and bought by whoever owns your email security stack, and it doesn't touch payroll data directly. It stops the fraudulent request from landing convincingly in the first place, which is a different (and arguably more important) layer than anything that audits payroll after the fact.

If you've never had a payroll diversion attempt, it's probably because nobody's tried hard enough yet. This is the layer that stops the most common real-world version of this fraud.

Pricing

No public pricing. Sold as enterprise email security, typically priced per mailbox/user and quoted directly. Budget for a demo and sales conversation.

Features

  • Behavioral modeling of normal internal and vendor email communication
  • Detection of payroll diversion and direct-deposit-change social engineering
  • Lookalike domain and compromised-account detection
  • Vendor email compromise (VEC) detection for fraudulent invoice requests
  • No dependency on malicious links/attachments to trigger detection
  • Integrates with Microsoft 365 and Google Workspace
Pros
  • Targets the single most common real-world payroll fraud vector for SMBs: social engineering by email
  • Behavioral detection catches attacks with no malicious payload, which slip past traditional email security
  • Sits upstream of payroll, stopping the fraudulent request before it's ever acted on
Cons
  • This is an email security purchase, not a payroll or HR tool, different budget owner and evaluation process
  • No visibility into payroll data itself, it only stops the request from being convincing
  • Enterprise pricing and sales process, no public numbers to compare against
Best for

Any business that processes direct-deposit change requests by email or Slack and wants to stop social-engineering-driven payroll diversion before it happens.

Not for

Teams looking for a tool that audits payroll records themselves, this doesn't touch that layer.

Screenshots

Flagged email showing a spoofed executive request to change direct deposit details

Supported countries

United StatesCanadaUnited KingdomAustralia

Cloud email security works anywhere Microsoft 365 or Google Workspace is used, not limited to the countries listed above.

Integrations

Microsoft 365Google WorkspaceSlackSIEM/SOAR platforms

Abnormal AI alternatives

Tools worth comparing before you commit.