Phishing, Identity

Payroll fraud: social engineering and identity theft target employee paychecks

As reported by The Register, a sophisticated social engineering attack, exploiting internal processes and identity theft, has been used to redirect employee paychecks, highlighting a significant new threat vector for businesses.

In December 2025, threat researchers at Binary Defense investigated an incident where an attacker successfully rerouted a physician's salary. The attack began with a help-desk call, where the fraudster, impersonating the physician, exploited a password and multi-factor authentication reset process. The attacker likely obtained compromised credentials from a previous breach, as no phishing evidence was found. Once access was granted, the attacker used the healthcare organization's own virtual desktop infrastructure (VDI) to log into the Workday payroll system. This bypassed security detections as the activity appeared legitimate, originating from a trusted internal source. The attacker then altered the physician's direct deposit information to divert their paycheck.

This incident underscores that "identity is the new perimeter," emphasizing the need to treat personal identities as privileged assets. The attack highlights weaknesses in processes rather than just technology, making detection difficult. Organizations must view payroll and HR platforms as high-value targets and implement stricter controls, such as temporary holding periods for direct deposit changes or multi-factor confirmation, similar to fraud detection models used for wire transfers.
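The holding period and extra confirmation described above can be expressed as a correlation rule over identity and payroll events. This is an added example, not code from The Register, Binary Defense or SC Media; the event schema, field names, 72-hour look-back and 3-day hold are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

RESET_TYPES = {"password_reset", "mfa_reset"}
RESET_WINDOW = timedelta(hours=72)  # assumed look-back for help-desk resets
HOLD_PERIOD = timedelta(days=3)     # assumed holding period before a change takes effect

# Constructed sample events; the schema and field names are hypothetical.
EVENTS = [
    {"time": "2025-12-01T09:05", "user": "dr.a", "type": "password_reset", "via": "helpdesk"},
    {"time": "2025-12-01T09:07", "user": "dr.a", "type": "mfa_reset", "via": "helpdesk"},
    {"time": "2025-12-01T10:30", "user": "dr.a", "type": "direct_deposit_change", "via": "internal_vdi"},
    {"time": "2025-12-02T14:00", "user": "nurse.b", "type": "direct_deposit_change", "via": "internal_vdi"},
]

def review_deposit_changes(events, reset_window=RESET_WINDOW, hold_period=HOLD_PERIOD):
    """Return one hold decision per direct deposit change, in time order."""
    # The "via" field is deliberately ignored: in the incident the change came
    # from trusted internal VDI, so internal origin earns no exemption.
    resets = {}      # user -> [(time, reset type), ...]
    decisions = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        when = datetime.fromisoformat(e["time"])
        if e["type"] in RESET_TYPES:
            resets.setdefault(e["user"], []).append((when, e["type"]))
        elif e["type"] == "direct_deposit_change":
            recent = sorted({kind for ts, kind in resets.get(e["user"], [])
                             if when - ts <= reset_window})
            # Every change is held; a recent credential or MFA reset also
            # requires confirmation with the employee over a separate channel.
            decisions.append({
                "user": e["user"],
                "action": "hold_and_confirm_out_of_band" if recent else "hold",
                "recent_resets": recent,
                "release_after": (when + hold_period).isoformat(timespec="minutes"),
            })
    return decisions

if __name__ == "__main__":
    for decision in review_deposit_changes(EVENTS):
        print(decision)
```
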

Source: The Register
