A new phishing scam has been uncovered by the FBI, one that targets you by pretending to come from your employer. By sending you a phishing email that claims to be from your workplace’s HR department, hackers hope to get their hands on your login credentials to steal your direct deposit paycheck.

It starts with an email that looks genuine, and it redirects you to a website that looks like an official workplace online portal. You enter your login details, confirm your identity, and then you’re all set.

Unfortunately, the portal was actually transmitting your credentials to the hackers, who’ve already breached your company’s website. They use your credentials to log in and change your direct deposit information, which will put future paychecks in their accounts or on prepaid debit cards.

The only way you’ll know your paycheck didn’t end up in your account might be when your account drops below the minimum balance, usually as a result of making purchases or paying your bills. Of course, once that happens, you get to handle the bad check fees and penalties from your bank while the hackers make off with your money.

One of the telltale signs of a phishing email is notoriously poor spelling and grammar, but since this one is posing as your own company’s HR department that might not be the case. Also, this scam is seeking out individuals who have a username and password to log in with. Therefore, it may be targeting a more select group of employees rather than casting a wide net and hoping to snag an everyday consumer.

Fortunately, the ways to avoid this scam are as simple as avoiding any other phishing scam. The downside, though, is that developing these habits requires you to instinctually learn to ignore direct requests, even ones that appear to come from your employer.

1. Never click a link, open an attachment, fill out information, verify your identity, or otherwise engage in any sensitive activity without checking it out thoroughly. It does not matter who the sender is: ignore any request of this kind and make a direct phone call to the supposed agency instead.

2. Verifying information that the sender should already have is an automatic red flag. Why would you need to tell your own employer what your username and password are? They’re the ones who issued them to you!

3. Remember, this same advice pertains to any platform, whether it’s email, text message, social media message, or phone call. Never hand over your information to someone who requests it without checking the situation first.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: Is Your Bluetooth Tracking You?

Your computer isn’t infected, and you don’t have to pay to clean it out.

Who Is It Targeting: Computer users

What Is It: Phishing scam that masks as tech support

What Are They After: This scam is not new, but the recent resurgence has prompted groups like the Better Business Bureau to issue warnings about it. This scam can come in the form of a phone call, email, text message, or even pop-up box, telling you that your computer is infected with a virus and that you must act now to remove it.

By phone or email, the scammer takes all manner of personal information and even payment. By text or popup box, you’re usually directed to click a link or a button. This either takes you to a form to submit your identifying information and money or even installs a virus on your computer.

How Can You Avoid It:

  • Tech companies do not sit and monitor your computer use for viruses.
  • Anyone who contacts you and says there’s a report of a virus on your computer is lying.
  • Never give your information or your money to anyone who contacts you out of the blue.

If you think you may be a victim of identity theft, contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. Find more information about current scams and alerts here. For full details of this scam check out this article from