- Attackers use help desk staff to gain unauthorized access to the payroll system.
- Social engineering allows hackers to divert employee salaries without triggering alerts.
- Targeting individual paychecks keeps attacks under the radar of law enforcement and corporations.
Payroll systems are increasingly being targeted by cybercriminals, especially during periods when bonuses and year-end payments are expected.
Okta Threat Analysis reports that attackers are focusing less on hacking infrastructure and more on exploiting human processes related to accessing payroll.
Instead of deploying ransomware or mass phishing campaigns, these actors seek to quietly divert individuals' salaries by manipulating account recovery workflows.
Help Desk Becomes a Weak Link
Okta, which tracks the campaign as O-UNC-034, says the attackers call corporate help desks directly.
Posing as legitimate employees, they request password resets or account changes, relying on social engineering rather than technical means.
These calls have affected organizations in education, manufacturing and retail, indicating that no one industry is the focus.
Once access is granted, attackers register their own authentication methods so that they keep control of the compromised account.
With the employee's account under their control, they move quickly to payroll platforms such as Workday, Dayforce HCM and ADP.
There they change the bank details on file so that upcoming payments are diverted to accounts they control, often without immediate detection.
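The chain described above (help-desk password reset, new authenticator enrolled, payroll bank details changed) is what a detection rule should correlate rather than alerting on any single step. The following is an added example, not code from Okta or from the article. It assumes an Okta-style System Log feed and a payroll-system audit feed normalised into one event shape; the event type names, the payroll event in particular, and the log records are constructed.

```python
"""Correlate help-desk resets, new MFA factor enrolment and payroll
bank-detail changes into one alert per user (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed event types. The first two mirror Okta System Log eventType values;
# the payroll one is a hypothetical name for an HR-system audit event.
RESET = "user.account.reset_password"
FACTOR_ADDED = "user.mfa.factor.activate"
PAYROLL_CHANGE = "payroll.bank_account.update"   # hypothetical

WINDOW = timedelta(hours=72)   # how long after the reset we keep looking

# Constructed sample log: alice has a benign help-desk reset, bob shows the
# full takeover chain, carol changes her own details after a self-service reset.
SAMPLE_EVENTS = [
    {"time": "2025-11-03T09:02:11Z", "type": RESET, "target": "alice@corp.example",
     "actor": "helpdesk@corp.example", "ip": "198.51.100.20"},
    {"time": "2025-11-03T09:40:00Z", "type": FACTOR_ADDED, "target": "alice@corp.example",
     "actor": "alice@corp.example", "ip": "198.51.100.20"},
    {"time": "2025-11-04T14:10:33Z", "type": RESET, "target": "bob@corp.example",
     "actor": "helpdesk@corp.example", "ip": "203.0.113.7"},
    {"time": "2025-11-04T14:25:51Z", "type": FACTOR_ADDED, "target": "bob@corp.example",
     "actor": "bob@corp.example", "ip": "203.0.113.7"},
    {"time": "2025-11-05T08:01:09Z", "type": PAYROLL_CHANGE, "target": "bob@corp.example",
     "actor": "bob@corp.example", "ip": "203.0.113.7"},
    {"time": "2025-11-06T10:00:00Z", "type": RESET, "target": "carol@corp.example",
     "actor": "carol@corp.example", "ip": "198.51.100.21"},
    {"time": "2025-11-06T10:05:00Z", "type": FACTOR_ADDED, "target": "carol@corp.example",
     "actor": "carol@corp.example", "ip": "198.51.100.21"},
    {"time": "2025-11-06T10:30:00Z", "type": PAYROLL_CHANGE, "target": "carol@corp.example",
     "actor": "carol@corp.example", "ip": "198.51.100.21"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_payroll_takeovers(events, window=WINDOW):
    """Return one alert per user who, within `window` of a password reset
    performed by someone other than themselves (the help desk), enrolled a new
    MFA factor and then changed payroll bank details, in that order.
    Self-service resets are deliberately excluded: this rule targets the
    help-desk-initiated chain, not every bank-detail change."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["target"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: _ts(e["time"]))
        for i, reset in enumerate(evs):
            if reset["type"] != RESET or reset["actor"] == reset["target"]:
                continue   # not a reset, or self-service rather than help desk
            deadline = _ts(reset["time"]) + window
            factor_event = None
            for later in evs[i + 1:]:
                if _ts(later["time"]) > deadline:
                    break
                if later["type"] == FACTOR_ADDED and factor_event is None:
                    factor_event = later
                elif later["type"] == PAYROLL_CHANGE and factor_event is not None:
                    alerts.append({
                        "user": user,
                        "reset_at": reset["time"],
                        "reset_by": reset["actor"],
                        "factor_added_at": factor_event["time"],
                        "payroll_change_at": later["time"],
                        "ips": sorted({reset["ip"], factor_event["ip"], later["ip"]}),
                    })
                    break
    return alerts


if __name__ == "__main__":
    for a in find_payroll_takeovers(SAMPLE_EVENTS):
        print(a)
```

The ordering constraint matters: a bank-detail change that precedes the new factor, or a factor enrolled without a preceding help-desk reset, falls outside the pattern the campaign uses and would only add noise to this particular rule. The `ips` field is kept so an analyst can compare the reset and payroll change against known corporate networks, which the guidance later in the article recommends.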
Because theft targets individual paychecks, the financial loss may seem insignificant when viewed in isolation.
This reduces the likelihood of the situation quickly escalating or attracting law enforcement attention.
At scale, this approach can generate large profits and enable identity theft without setting off the alarms associated with larger breaches.
Threat analysts suggest that individual paycheck thefts are less noticeable than large data breaches or extortion campaigns.
Attackers can further refine their targets through basic reconnaissance, focusing on highly paid employees or employees who are due severance pay.
Earlier campaigns relied on malvertising and credential phishing; the move to live phone calls reflects a tactic that bypasses technical controls entirely.
Antivirus tools offer little protection when a victim hands over credentials voluntarily during a persuasive conversation.
Likewise, malware removal tools, useful against other threats, are not designed for this category of attack.
Okta's guidance emphasizes strict identity verification procedures for support staff handling account recovery requests.
First-line support staff are advised not to change authentication factors directly, but to issue temporary access codes only after identity has been verified.
Organizations are also encouraged to restrict access to sensitive applications to managed devices and to scrutinize requests that originate from unusual locations or networks.
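As an added illustration of the recovery flow described above (example code, not Okta's or the article's), the sketch below separates the help-desk agent's job from the factor change: the agent records which verification checks passed, the tool mints a single-use, short-lived temporary access code only when every required check is present, and the code is redeemed by the user in their own session. The required checks, the code format, the attempt limit and the in-memory store are assumptions.

```python
"""Help-desk temporary access code issuance gated on identity verification
(added example; policy names and storage are assumptions)."""
import hashlib
import hmac
import secrets
import time

CODE_TTL = 15 * 60        # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 3          # wrong guesses before the code is discarded (assumed)
# Assumed verification policy: both steps must be recorded before issuance.
REQUIRED_CHECKS = {"callback_to_hr_phone", "manager_confirmation"}


def _digest(code):
    return hashlib.sha256(code.encode()).hexdigest()


class RecoveryDesk:
    def __init__(self, now=time.time, ttl=CODE_TTL, max_attempts=MAX_ATTEMPTS):
        self._now = now
        self._ttl = ttl
        self._max_attempts = max_attempts
        self._pending = {}   # user -> {digest, expires, agent, attempts}
        self.audit = []      # append-only record (stand-in for a real audit log)

    def issue_code(self, user, verified_checks, agent):
        """Refuse unless every required verification step has been recorded.
        The agent never sees or touches the user's existing factors."""
        missing = REQUIRED_CHECKS - set(verified_checks)
        if missing:
            self.audit.append(("refused", user, agent, sorted(missing)))
            raise PermissionError(f"identity not verified for {user}: missing {sorted(missing)}")
        # 32 bits of entropy is adequate only because the code is short-lived,
        # single-use and attempt-limited; delivery out of band is assumed.
        code = secrets.token_hex(4).upper()
        self._pending[user] = {
            "digest": _digest(code),            # store a hash, not the code
            "expires": self._now() + self._ttl,
            "agent": agent,
            "attempts": 0,
        }
        self.audit.append(("issued", user, agent))
        return code

    def redeem(self, user, code):
        """Consume the code. Only a successful redemption, driven by the user
        in their own session, should unlock re-enrolment of factors."""
        rec = self._pending.get(user)
        if rec is None:
            return False
        if self._now() > rec["expires"]:
            self._pending.pop(user)
            self.audit.append(("expired", user))
            return False
        if not hmac.compare_digest(rec["digest"], _digest(code)):
            rec["attempts"] += 1
            if rec["attempts"] >= self._max_attempts:
                self._pending.pop(user)
                self.audit.append(("locked", user))
            return False
        self._pending.pop(user)   # single use
        self.audit.append(("redeemed", user, rec["agent"]))
        return True


if __name__ == "__main__":
    desk = RecoveryDesk()
    code = desk.issue_code("bob@corp.example",
                           ["callback_to_hr_phone", "manager_confirmation"], agent="agent-17")
    print("redeemed:", desk.redeem("bob@corp.example", code))
    print(desk.audit)
```

The design point is the audit trail: every refusal, issuance and redemption is tied to a named agent, so a fraudulent reset can be traced back to the call that authorised it, and an agent who skips a verification step cannot issue a code at all.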
“It’s interesting to see payroll scammers joining the growing number of attack groups targeting helpdesk professionals to gain access to user accounts,” says Brett Winterford, vice president of threat intelligence at Okta.
“This situation highlights the importance of providing IT support staff with the tools necessary to verify the identity of incoming calls, as well as providing them with account recovery capabilities that limit the ability of an attacker to take over an account.”