Payroll Pirates: How Social Engineering Is Stealing Paychecks Through Help Desks
#Security

Regulation Reporter
4 min read

Cybercriminals are exploiting help desk processes to steal employee identities and redirect paychecks, bypassing traditional security measures through social engineering attacks.

The New Frontier of Payroll Theft

When most people think of payroll fraud, they imagine sophisticated hacking operations targeting financial systems. But a disturbing new trend shows that criminals are taking a much simpler approach: conning help desk employees to steal identities and redirect paychecks.

According to Binary Defense security researcher John Dwyer, "every employee on earth becomes a target" when fraudsters go after paychecks. The attack method is deceptively simple yet devastatingly effective.

How the Attack Works

The incident investigated by Binary Defense's ARC Labs in December 2025 demonstrates the vulnerability of current security processes. The attack began when criminals obtained compromised credentials for a shared mailbox at a healthcare facility. While the exact method of obtaining these credentials remains unclear, Dwyer noted there was no evidence of phishing, suggesting the credentials came from an earlier breach.

With access to the shared mailbox, attackers could research employee information and determine whose identity to impersonate. They then called the help desk, claiming to be a physician locked out of their account who needed immediate access to treat patients. The combination of urgency and verified identity details proved convincing enough for the help desk to reset the password and multi-factor authentication token.

The Payroll Hijacking

Once inside the account, the attacker took an unexpected approach. Rather than following traditional business email compromise patterns, they authenticated through the healthcare organization's own virtual desktop infrastructure (VDI). This allowed them to register new authentication devices and log into the Workday payroll system without triggering security alerts.

The attacker then changed the physician's banking and direct deposit details, redirecting their paycheck to an attacker-controlled account. The use of the organization's own VDI infrastructure made the attack particularly difficult to detect, as it appeared to be legitimate internal user activity from a trusted endpoint with an internal IP address.

Why This Attack Is So Dangerous

"Identity is the new perimeter," Dwyer explained, highlighting why these attacks are so difficult to defend against. The attack exploited process weaknesses rather than technical vulnerabilities, making it nearly invisible to traditional security tools.

The organization only discovered the compromise when the physician inquired about their missing paycheck. By that time, the damage was done and the funds were likely unrecoverable.

The Broader Threat Landscape

This incident is part of a growing trend targeting payroll and HR platforms. Microsoft has documented similar attacks against university employees, where digital thieves compromised accounts to access HR platforms like Workday and divert direct-deposit paychecks. These attacks typically involve phishing emails, stolen MFA codes through adversary-in-the-middle attacks, and hijacking of employee profiles.

However, the healthcare incident demonstrates that attackers are evolving their tactics. By avoiding email entirely and leveraging trusted internal infrastructure, they can bypass many security controls designed to detect suspicious activity.

What Organizations Must Do

Dwyer emphasizes that organizations need to treat payroll information as a high-value target requiring special protection. This includes:

  • Treating payroll changes as high-risk financial events that require additional verification
  • Implementing temporary holding periods for direct deposit changes while they undergo fraud detection review
  • Using multiple verification mechanisms for any changes to banking or payment information
  • Monitoring payroll platforms as telemetry streams for threat detection
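The list above, together with the help desk verification point later in the article, can be turned into a concrete detection rule: a direct-deposit change is placed on hold, and escalated when it is preceded within a short window by a help desk credential or MFA reset and a new MFA device enrollment for the same user. The following is an added example written for this article, not code from Binary Defense or from Workday; the log format, field names, risk weights, 7-day lookback and 72-hour hold are all assumptions, and the log lines are constructed samples.

```python
"""
Correlate help-desk resets, MFA device enrollment and payroll
direct-deposit changes to flag the pattern described in the article.
Log format, field names and weights are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not real logs).
# Line layout: timestamp|source|user|action|free-text detail
SAMPLE_EVENTS = """\
2025-12-01T08:02:00|helpdesk|dr.smith|password_reset|ticket=HD-1001 caller_verified=name,dob
2025-12-01T08:05:00|helpdesk|dr.smith|mfa_reset|ticket=HD-1001
2025-12-01T08:40:00|idp|dr.smith|mfa_device_registered|device=new-phone src=10.20.30.40
2025-12-01T09:15:00|payroll|dr.smith|direct_deposit_changed|routing=***1234 account=***9876 src=10.20.30.40
2025-12-01T10:00:00|payroll|j.doe|direct_deposit_changed|routing=***5555 account=***4444 src=10.20.30.41
2025-11-10T11:00:00|helpdesk|j.doe|password_reset|ticket=HD-0900 caller_verified=callback
"""

LOOKBACK = timedelta(days=7)      # assumed correlation window before a deposit change
HOLD_PERIOD = timedelta(hours=72) # assumed review hold applied to every deposit change

# Assumed risk weights for precursor events seen shortly before a deposit change.
RISK_SIGNALS = {
    "password_reset": 2,
    "mfa_reset": 3,
    "mfa_device_registered": 3,
}
ESCALATE_THRESHOLD = 5  # assumed: at or above this the change goes to fraud review immediately


@dataclass
class Event:
    ts: datetime
    source: str
    user: str
    action: str
    detail: str


def parse_events(text):
    """Parse pipe-delimited audit lines into Event objects, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, source, user, action, detail = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), source, user, action, detail))
    return sorted(events, key=lambda e: e.ts)


def precursor_weight(p):
    """Base weight for a precursor, plus a penalty when a help desk reset
    was granted without a callback to a number already on record."""
    weight = RISK_SIGNALS[p.action]
    if p.source == "helpdesk" and "caller_verified=" in p.detail and "callback" not in p.detail:
        weight += 2
    return weight


def assess_deposit_changes(events):
    """Return one finding per direct-deposit change.

    Every change is held for HOLD_PERIOD regardless of score; changes whose
    precursor score reaches the threshold are escalated for review at once.
    The source IP is deliberately not used as a trust signal: in the incident
    described, the attacker came through the organisation's own VDI with an
    internal address.
    """
    findings = []
    for ev in events:
        if ev.source != "payroll" or ev.action != "direct_deposit_changed":
            continue
        precursors = [
            p for p in events
            if p.user == ev.user
            and p.action in RISK_SIGNALS
            and ev.ts - LOOKBACK <= p.ts < ev.ts
        ]
        score = sum(precursor_weight(p) for p in precursors)
        findings.append({
            "user": ev.user,
            "changed_at": ev.ts,
            "score": score,
            "precursors": [p.action for p in precursors],
            "release_after": ev.ts + HOLD_PERIOD,
            "verdict": "ESCALATE" if score >= ESCALATE_THRESHOLD else "HOLD_FOR_REVIEW",
        })
    return findings


if __name__ == "__main__":
    for f in assess_deposit_changes(parse_events(SAMPLE_EVENTS)):
        print(f"{f['user']:<10} score={f['score']:<3} {f['verdict']:<16} "
              f"precursors={f['precursors']} release_after={f['release_after']}")
```

In the sample data the physician's change follows a password reset granted on name and date of birth alone, an MFA reset and a new device enrollment within about an hour, so it is escalated; the second user's change has no recent precursors and simply sits in the holding period until it is released or reviewed. In a real deployment the three feeds would come from the ticketing system, the identity provider and the payroll platform's audit log, which is what treating the payroll platform as a telemetry stream means in practice.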

"The good news is we already have a model around this – lessons learned from wire fraud and pay and accounts payable fraud apply here," Dwyer noted. The challenge is implementing these processes consistently across organizations.

The Human Element

This attack underscores the critical importance of help desk security training. Employees who handle password resets and account recovery requests are essentially gatekeepers to the organization's most sensitive systems. Without proper training on social engineering tactics and verification procedures, they can inadvertently become the weakest link in the security chain.

Organizations should implement strict verification protocols for any account recovery or password reset requests, especially for high-privilege accounts. This might include callback verification, multiple forms of identification, or requiring in-person verification for sensitive changes.

Looking Ahead

The healthcare incident represents a significant evolution in payroll fraud tactics. By combining social engineering with technical exploitation of trusted infrastructure, attackers can bypass many traditional security controls. As more organizations move to cloud-based payroll and HR systems, the attack surface for these types of crimes will only grow.

Business leaders need to recognize that direct deposit systems represent a legitimate and growing threat vector. The cost of implementing stronger controls and verification processes is far less than the potential losses from payroll fraud, not to mention the damage to employee trust and organizational reputation.

As Dwyer warns, "If I was a business leader, I would want to get ahead of this, because I wouldn't want to get into some sort of arbitration with an employee over a lost paycheck." In an era where identity has become the new security perimeter, organizations must treat their employees' identities as privileged assets worthy of the highest level of protection.
