A new phishing scam has been uncovered by the FBI, one that targets you by pretending to come from your employer. By sending you a phishing email that claims to be from your workplace’s HR department, hackers hope to get their hands on your login credentials to steal your direct deposit paycheck.

It starts with an email that looks genuine, and it redirects you to a website that looks like an official workplace online portal. You enter your login details, confirm your identity, and then you’re all set.

Unfortunately, the portal was actually transmitting your credentials to the hackers, who’ve already breached your company’s website. They use your credentials to log in and change your direct deposit information, which will put future paychecks in their accounts or on prepaid debit cards.

The only way you’ll know your paycheck didn’t end up in your account might be when your account drops below the minimum balance, usually as a result of making purchases or paying your bills. Of course, once that happens, you get to handle the bad check fees and penalties from your bank while the hackers make off with your money.

One of the telltale signs of a phishing email is notoriously poor spelling and grammar, but since this one is posing as your own company’s HR department, that might not be the case. Also, this scam is seeking out individuals who have a username and password to log in with. Therefore, it may be targeting a more select group of employees rather than casting a wide net and hoping to snag an everyday consumer.

Fortunately, avoiding this scam is as simple as avoiding any other phishing scam. The downside, though, is that developing these habits requires you to learn to instinctively ignore direct requests, even ones that appear to come from your employer.

1. Never click a link, open an attachment, fill out information, verify your identity, or otherwise engage in any sensitive activity without checking it out thoroughly. It does not matter who the sender is: ignore any request of this kind and make a direct phone call to the supposed agency instead.

2. A request to verify information that the sender should already have is an automatic red flag. Why would you need to tell your own employer what your username and password are? They’re the ones who issued them to you!

3. Remember, this same advice pertains to any platform, whether it’s email, text message, social media message, or phone call. Never hand over your information to someone who requests it without checking the situation first.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.