
Does Gusto Verify Contractor Bank Account Changes? (2026)

Gusto verifies that a contractor’s bank account is real and reachable — through instant Plaid verification or small test transactions — but it does not verify that the request to change the account actually came from your contractor. Gusto’s model pushes bank edits to the contractor’s own self-service profile, protected by the contractor’s login and two-step verification. That protects against one attack path (someone emailing you fake details) while leaving two others open: a contractor whose Gusto login has been phished, and the admin-side edit you make yourself when a contractor asks you to “just update it for me.”

If your bookkeeping firm runs client payroll and contractor payments through Gusto, the verification step that matters — confirming the change request with the contractor on a known number, and documenting that you did — still belongs to you.

How contractor bank details actually change in Gusto

Gusto is unusual among the platforms we’ve covered in this series because it’s a payroll rail, not an AP bill-pay rail. That changes the mechanics of a bank-detail change in three specific ways.

Contractors self-manage their payment details. A US contractor signs in to their own Gusto profile and edits their payment method under My Profile → Pay. They can add up to five bank accounts and split pay between them. Gusto applies a two-step verification prompt on these edits, and in some flows asks the contractor to confirm details of the old account before accepting a new one. Per Gusto’s own help center, the recommended path is that contractors make these edits themselves rather than an admin doing it for them.

New accounts are verified for validity, not provenance. A new bank account gets verified one of two ways: instant bank verification through Plaid (the contractor logs into their bank through Plaid’s connector, and the account is usable immediately), or manual verification with test transactions that take 2–3 business days to clear and must be typed back in. Both methods answer the question “is this a real, accessible account?” Neither answers “did the real contractor initiate this change?” A fraudster who controls a contractor’s Gusto login — or their bank credentials — passes both checks cleanly.

Admins can still make changes on a contractor’s behalf. Gusto recommends contractor self-service, but firm admins running client payroll can change a contractor’s payment method themselves. This is the path fraudsters actually target at bookkeeping firms: the “I switched banks, here’s my new account” email doesn’t need to beat Gusto’s contractor 2FA at all — it just needs to convince you to type the new details in as admin.

The attack pattern Gusto’s checks don’t cover

The FBI has been warning about payroll diversion for years, and the pattern is specific. Per the FBI’s Internet Crime Complaint Center, attackers phish an employee’s or contractor’s payroll credentials, sign in to the self-service portal, change the direct-deposit details, and — in the documented pattern — add inbox rules that suppress the “your bank details were changed” alerts so the victim doesn’t see them. The payout lands on the fraudster’s account (often a prepaid card) on the next pay run.

The dollars behind this keep growing. The FBI’s 2025 IC3 Annual Report puts business email compromise losses at $3.046 billion for the year, up from $2.77 billion in 2024 — the #2 crime type by total losses. Payee-redirect schemes — payroll diversion on the payroll rail, vendor bank-change schemes on the AP rail — are the same con on different rails: get the payer to send legitimate money to an attacker-controlled account by changing stored payment details.

For a firm running contractor payments, 1099 contractors are the softest version of this target. They churn more than employees, they’re onboarded fast, their email addresses are personal (Gmail, not a corporate domain you can sanity-check), and a “new bank” message from a contractor mid-project reads as completely routine.

Where this bites a bookkeeping firm on Gusto

Picture the normal case. Your firm administers Gusto for eleven clients. A landscaping client’s subcontractor emails your AP inbox: “Switched to a credit union, can you update my deposit info before Friday’s run? Routing and account below.” Three things about Gusto make this moment riskier than it looks.

First, the path of least resistance is the admin edit. The correct response is to tell the contractor to update their own profile — that forces the change through their login and 2FA. But contractors lose logins, forget passwords, and ask you to do it. The moment you type details from an email into Gusto as admin, every verification layer Gusto built is out of the loop.

Second, even the self-service path only proves control of the login. If the contractor’s reused password was in a breach dump, the “contractor” updating their own profile may not be your contractor. Plaid verification then confirms the fraudster’s account works — which it does.

Third, nothing in either path produces a record that you confirmed the change with the contractor. If a payment goes to the wrong account, the questions that follow — from the client, from their bank’s ACH dispute process, from a cyber insurer if a claim is filed — are about what your firm did to verify, and what evidence exists that you did it. “Gusto sent test deposits” answers neither.

The control: a callback on the contractor rail

The control auditors and insurers keep pointing to is the same one we’ve documented across every platform in this series — the independent-contact rule. On the contractor rail it looks like this:

Call the contractor on a number you already had — from the W-9 intake, the signed agreement, or your onboarding file. Not the number in the email signature requesting the change, and not a number the “contractor” texts you from that day. Confirm they made the request and read the last four digits of the new account back to them. Then record who called, who answered, what number was used, where that number came from, and what was confirmed — before the next pay run, not after. The full mechanics are in our guide to how to verify a vendor bank account change.

If the request arrived by email, treat it with the same skepticism as any vendor email announcing new bank details: the message is a claim, not a verification.

And direct contractors to make the edit through their own Gusto login rather than doing it as admin — that keeps Gusto’s 2FA and old-account confirmation in the loop on top of your callback, not instead of it.

What CallbackProof adds on top of Gusto

CallbackProof doesn’t process payments and doesn’t connect to Gusto. It does one job: it turns “we called them back” into an enforced checklist and a tamper-evident record. Each verification is logged with the caller, the number used, the source of that number, and the outcome, in a SHA-256 hash-chained audit log that covers every client in one place — the landscaping client’s subcontractor and the law firm’s process server alike. When a client, an auditor, or an insurer asks how a contractor bank change was verified before the money moved, the answer is a record, not a recollection. The free verification template is the paper version of that checklist if you want to start there.
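The callback record from the previous section (who called, who answered, which number, where it came from, what was confirmed) and the SHA-256 hash-chained log described here, as an added illustration that is not CallbackProof's code: each entry is hashed over its fields plus the previous entry's hash, so editing or deleting a stored verification later shows up as a break in the chain. The field names, the `KNOWN_SOURCES` policy list and the two sample records are assumptions constructed for this example.

```python
import hashlib
import json

GENESIS = "0" * 64
# Where a callback number may legitimately come from (hypothetical policy list).
KNOWN_SOURCES = {"W-9 intake", "signed agreement", "onboarding file"}
REQUIRED = ("client", "payee", "caller", "answered_by", "number_used",
            "number_source", "confirmed_last4", "outcome")

def entry_digest(entry: dict) -> str:
    """SHA-256 over canonical JSON of every field except the entry's own hash."""
    payload = {k: v for k, v in entry.items() if k != "entry_hash"}
    canon = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

class AuditLog:
    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, **fields) -> str:
        """Log one callback and return its hash; the checklist is enforced first."""
        missing = [k for k in REQUIRED if not fields.get(k)]
        if missing:
            raise ValueError(f"incomplete callback record, missing {missing}")
        if fields["number_source"] not in KNOWN_SOURCES:
            raise ValueError(f"number source not on file: {fields['number_source']!r}")
        entry = dict(fields)
        entry["prev_hash"] = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def first_broken(self) -> int:
        """Index of the first entry whose hash or back-link fails; -1 if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev_hash"] != prev or entry_digest(entry) != entry["entry_hash"]:
                return i
            prev = entry["entry_hash"]
        return -1

def sample_log() -> AuditLog:
    """Constructed sample: two clients' contractors verified in one firm-wide log."""
    log = AuditLog()
    log.record(client="Landscaping Co", payee="Subcontractor", caller="A. Clerk", answered_by="Subcontractor",
               number_used="555-0100", number_source="W-9 intake", confirmed_last4="4321", outcome="confirmed")
    log.record(client="Law Firm LLP", payee="Process server", caller="A. Clerk", answered_by="Process server",
               number_used="555-0199", number_source="signed agreement", confirmed_last4="8800", outcome="rejected")
    return log
```

A number copied from the email signature that requested the change is refused at `record` time, and `first_broken` points at the earliest entry that no longer matches what was originally written.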

Frequently asked questions

Does Gusto verify a contractor’s new bank account?

It verifies the account is real and accessible — via Plaid instant verification or test transactions the contractor confirms. It does not verify that the change request came from the genuine contractor, which is the step payee-redirect schemes exploit.

Can an admin change a contractor’s bank details in Gusto?

Yes. Gusto recommends contractors edit their own payment details through their profile, but firm admins can make the change on a contractor’s behalf — which bypasses the contractor’s login and two-step verification entirely. Any admin-side change should be preceded by a documented callback to the contractor on a known number.

Does Gusto notify anyone when bank details change?

Gusto’s platform generates account-change notifications to the account holder, but the FBI’s documented payroll-diversion pattern includes attackers suppressing those alerts with inbox rules. A notification the victim never sees is not a control your firm can rely on.

Is Plaid verification enough to trust a bank change?

Plaid confirms the person making the change can log in to the destination bank account. If a fraudster controls the contractor’s Gusto login and their own bank account, Plaid verifies successfully. It’s an account-validity check, not an identity or intent check — pair it with an independent callback.
