As reported by The Register, a sophisticated social engineering attack, exploiting internal processes and identity theft, has been used to redirect employee paychecks, highlighting a significant new threat vector for businesses.

In December 2025, threat researchers at Binary Defense investigated an incident in which an attacker successfully rerouted a physician's salary. The attack began with a help-desk call: the fraudster, impersonating the physician, exploited the password and multi-factor authentication reset process. The attacker likely obtained compromised credentials from a previous breach, as no evidence of phishing was found. Once access was granted, the attacker used the healthcare organization's own virtual desktop infrastructure (VDI) to log into the Workday payroll system. This bypassed security detections because the activity appeared legitimate, originating from a trusted internal source. The attacker then altered the physician's direct deposit information to divert their paycheck.

This incident underscores that "identity is the new perimeter," emphasizing the need to treat personal identities as privileged assets. The attack highlights weaknesses in processes rather than just technology, which makes detection difficult. Organizations must view payroll and HR platforms as high-value targets and implement stricter controls, such as temporary holding periods for direct deposit changes or multi-factor confirmation, similar to the fraud detection models used for wire transfers.

Source: The Register
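As an added illustration of the controls described above (example code written for this page, not code from Binary Defense, The Register, or Workday), the following Python check correlates a help-desk MFA or password reset with a later direct-deposit change for the same identity and computes when a changed account would be released under a holding period. The log event format, field names, and the 72-hour windows are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the article): an identity-provider/help-desk log
# merged with payroll audit records. A direct-deposit change from an internal VDI
# session shortly after a help-desk reset is the pattern the incident used.
EVENTS = [
    {"ts": "2025-12-02T09:10:00", "user": "dr.smith", "type": "helpdesk_mfa_reset", "source": "helpdesk"},
    {"ts": "2025-12-02T11:42:00", "user": "dr.smith", "type": "direct_deposit_change", "source": "vdi-internal"},
    {"ts": "2025-12-03T08:00:00", "user": "j.doe", "type": "direct_deposit_change", "source": "vdi-internal"},
    {"ts": "2025-11-20T10:00:00", "user": "a.lee", "type": "helpdesk_mfa_reset", "source": "helpdesk"},
    {"ts": "2025-12-03T10:00:00", "user": "a.lee", "type": "direct_deposit_change", "source": "vdi-internal"},
]

# Event types that indicate a help-desk-driven credential or MFA reset (assumed names).
RESET_TYPES = {"helpdesk_mfa_reset", "helpdesk_password_reset"}


def flag_deposit_changes(events, window=timedelta(hours=72)):
    """Return direct-deposit changes that follow a help-desk reset for the same user
    within `window`. The source of the change is reported but deliberately not used
    to suppress the alert: an internal VDI origin is not trusted on its own."""
    resets = {}
    for e in events:
        if e["type"] in RESET_TYPES:
            resets.setdefault(e["user"], []).append(datetime.fromisoformat(e["ts"]))
    alerts = []
    for e in events:
        if e["type"] != "direct_deposit_change":
            continue
        t = datetime.fromisoformat(e["ts"])
        # Only resets that happened before the change and inside the window count.
        recent = [r for r in resets.get(e["user"], []) if timedelta(0) <= t - r <= window]
        if recent:
            alerts.append({"user": e["user"], "change_at": e["ts"],
                           "reset_at": max(recent).isoformat(), "source": e["source"]})
    return alerts


def release_time(change_ts, hold=timedelta(hours=72)):
    """Earliest time pay may go to a newly changed account under a holding-period
    control, giving the real employee time to be notified and object."""
    return (datetime.fromisoformat(change_ts) + hold).isoformat()


if __name__ == "__main__":
    for a in flag_deposit_changes(EVENTS):
        print(f"ALERT {a['user']}: deposit change at {a['change_at']} "
              f"({a['source']}) follows reset at {a['reset_at']}; "
              f"release no earlier than {release_time(a['change_at'])}")
```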