
Microsoft: “Payroll Pirate” Crew Targeting US Universities

University Staff Alert: New Payroll Diversion Scam Steals Employee Paychecks

A sophisticated and targeted cyber attack is actively threatening the financial security of faculty, staff, and administrators at universities across the United States. This scheme, known as a payroll diversion attack, allows cybercriminals to reroute employee paychecks directly into accounts they control, often before the victim even realizes their information has been compromised.

This isn’t a complex network breach but a cleverly executed attack that preys on human trust and exploits common security gaps. Understanding how it works is the first step toward protecting yourself and your institution.

Understanding the Threat: The Anatomy of a Payroll Diversion Attack

The primary goal of these threat actors is simple: gain access to an employee’s self-service payroll portal and change their direct deposit information. The attack unfolds in a few calculated steps:

  1. The Bait: Sophisticated Phishing Emails: The attack begins with a deceptive email sent to a university employee. These emails are designed to look official, often impersonating the HR department, IT support, or a university administrator. They create a sense of urgency, prompting the recipient to click a link to resolve a supposed issue with their benefits, update their password, or view an important document.

  2. Credential Theft: The link in the phishing email leads to a fake login page that closely mimics the university’s official portal. When the employee enters their username and password, the attackers capture these credentials in real time. With this information, they have the keys to the employee’s account.

  3. The Heist: Changing Direct Deposit Details: Once inside the system, the cybercriminals navigate to the payroll or direct deposit section. They swiftly replace the employee’s legitimate bank account information with the details of an anonymous, prepaid debit card or a mule account under their control.

  4. The Payout: When the next payday arrives, the employee’s salary is automatically deposited into the attacker’s account. Because the changes were made within the legitimate university system, they often go unnoticed until the employee realizes their paycheck never arrived. By then, the funds have typically been withdrawn and are long gone.

Why Universities Are a Prime Target

Higher education institutions have become a valuable target for several reasons. They are large, complex organizations with thousands of employees, creating a wide attack surface. Furthermore, the often-decentralized nature of university departments can lead to inconsistent security protocols. Attackers know that by successfully compromising just one set of credentials, they can secure a significant financial payout.

How to Protect Your Paycheck: Essential Security Measures

Both individuals and institutions must take proactive steps to defend against these payroll diversion schemes. Complacency is the attacker’s greatest ally.

For Faculty and Staff:

  • Scrutinize All Emails: Be extremely cautious of any unsolicited email asking you to click a link or provide login information, especially those related to payroll or HR. Look for grammatical errors, suspicious sender addresses, and urgent, demanding language.
  • Enable Multi-Factor Authentication (MFA): This is the single most effective step you can take. MFA adds a critical layer of security by requiring a second form of verification (such as a code from your phone or a security key) in addition to your password, so a stolen password alone is not enough to log in. One caveat: a one-time code typed into a fake login page can be relayed by the attacker just as the password was, so where your institution offers a phishing-resistant method (a FIDO2 security key or passkey), choose it.
  • Use Strong, Unique Passwords: Avoid using simple, easy-to-guess passwords or reusing the same password across multiple sites. Consider using a password manager to generate and store complex passwords securely.
  • Verify Before You Act: If you receive a suspicious email from a university department, do not click any links. Instead, contact the department directly using a known phone number or by typing their official website address into your browser to confirm the request’s legitimacy.
  • Regularly Check Your Settings: Periodically log into your employee portal and confirm that your direct deposit and contact information are correct.

For University IT and Security Teams:

  • Mandate MFA Campus-Wide: Enforce the use of multi-factor authentication for all employees across all critical systems, especially email and HR portals, and prefer phishing-resistant factors (FIDO2 security keys or passkeys) over SMS or app codes, which a real-time phishing page can capture along with the password.
  • Implement User Training: Conduct regular, mandatory security awareness training to educate employees on how to spot and report phishing attempts.
  • Strengthen Payroll Change Protocols: Consider implementing a multi-step verification process for any changes to direct deposit information. This could include a mandatory waiting period, an automated notification sent to the employee’s old and new contact information, or a confirmation phone call.
  • Monitor for Suspicious Activity: Actively monitor for unusual login patterns, such as logins from unfamiliar locations or multiple failed password attempts, which could indicate a compromised account, and correlate them with direct deposit changes: a banking change made shortly after a first login from a new country or device deserves a call to the employee before payday.
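As an added illustration of the last two items, the following Python sketch is not code from the article, from Microsoft, or from any university system. It models a direct-deposit change that is held for a waiting period and announced to the contact details that were on file before the request (so that editing the profile with stolen credentials cannot silence the alert), and a detector that flags deposit changes preceded by a login from a country absent from the employee’s history or by a burst of failed logins. The hold period, thresholds, event schema, sample log lines and names are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy parameters are assumptions for this example, not figures from the article.
HOLD_PERIOD = timedelta(hours=72)                      # a change takes effect only after this wait
FAILED_BURST, BURST_WINDOW = 5, timedelta(minutes=15)  # failed logins that count as a burst
LOOKBACK = timedelta(hours=24)                         # how far before a change to look for signals

@dataclass
class PendingChange:
    employee: str
    new_account: str
    requested_at: datetime
    cancelled: bool = False
    notices: list = field(default_factory=list)   # (channel, destination) pairs sent

class DirectDepositControl:
    """Hold every change, notify the contact details on file BEFORE it, allow cancel."""

    def __init__(self, verified_contacts):
        # employee -> (email, phone) captured at onboarding; a profile edit cannot redirect these.
        self.contacts = dict(verified_contacts)
        self.pending = {}

    def request(self, employee, new_account, now, new_email=None):
        change = PendingChange(employee, new_account, now)
        email, phone = self.contacts[employee]
        change.notices += [("email", email), ("sms", phone)]
        if new_email and new_email != email:          # also tell the new address
            change.notices.append(("email", new_email))
        self.pending[employee] = change
        return change

    def cancel(self, employee):
        # Reached through the link or phone number in the notice to the OLD contact.
        if employee not in self.pending:
            return False
        self.pending[employee].cancelled = True
        return True

    def apply_due(self, now):
        """Return [(employee, new_account)] for changes past the hold and not cancelled."""
        applied = []
        for emp, ch in list(self.pending.items()):
            if ch.cancelled or now - ch.requested_at >= HOLD_PERIOD:
                del self.pending[emp]
                if not ch.cancelled:
                    applied.append((emp, ch.new_account))
        return applied

def demo_hold_period():
    ctl = DirectDepositControl({"dana": ("dana@example.edu", "+1-555-0100")})
    t0 = datetime(2025, 9, 1, 9, 0)
    ch = ctl.request("dana", "acct-new", t0, new_email="mule@example.net")
    due = ctl.apply_due(t0 + HOLD_PERIOD)             # hold elapsed, nobody cancelled
    ctl.request("dana", "acct-mule", t0 + HOLD_PERIOD)
    ctl.cancel("dana")                                # victim reacts to the notice
    after_cancel = ctl.apply_due(t0 + 2 * HOLD_PERIOD)
    return ch.notices, due, after_cancel

SAMPLE_EVENTS = [  # constructed portal log (documentation-range IPs, no real incident data)
    {"ts": "2025-09-01T08:00:00", "user": "alice", "type": "login_ok", "ip": "192.0.2.10", "country": "US"},
    {"ts": "2025-09-10T09:00:00", "user": "alice", "type": "login_ok", "ip": "192.0.2.10", "country": "US"},
    {"ts": "2025-09-10T09:10:00", "user": "alice", "type": "dd_change", "ip": "192.0.2.10", "country": "US"},
    {"ts": "2025-09-01T08:00:00", "user": "bob", "type": "login_ok", "ip": "192.0.2.20", "country": "US"},
    {"ts": "2025-09-12T03:00:00", "user": "bob", "type": "login_ok", "ip": "198.51.100.7", "country": "NG"},
    {"ts": "2025-09-12T03:04:00", "user": "bob", "type": "dd_change", "ip": "198.51.100.7", "country": "NG"},
    {"ts": "2025-09-01T08:00:00", "user": "carol", "type": "login_ok", "ip": "192.0.2.30", "country": "US"},
    *[{"ts": f"2025-09-15T22:0{k}:00", "user": "carol", "type": "login_fail", "ip": "203.0.113.5", "country": "US"}
      for k in range(5)],
    {"ts": "2025-09-15T22:06:00", "user": "carol", "type": "login_ok", "ip": "203.0.113.5", "country": "US"},
    {"ts": "2025-09-15T22:08:00", "user": "carol", "type": "dd_change", "ip": "203.0.113.5", "country": "US"},
]

def detect_suspicious_changes(events):
    """{user: [reasons]} for each dd_change preceded within LOOKBACK by a login from a
    country absent from that user's older history, or by a burst of failed logins."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append({**e, "ts": datetime.fromisoformat(e["ts"])})
    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, chg in enumerate(evs):
            if chg["type"] != "dd_change":
                continue
            recent = [e for e in evs[:i] if chg["ts"] - e["ts"] <= LOOKBACK]
            baseline = {e["country"] for e in evs[:i] if e["type"] == "login_ok" and chg["ts"] - e["ts"] > LOOKBACK}
            reasons = []
            odd = [e for e in recent if e["type"] == "login_ok" and baseline and e["country"] not in baseline]
            if odd:
                reasons.append(f"login from new country {odd[0]['country']} ({odd[0]['ip']}) before change")
            fails = [e["ts"] for e in recent if e["type"] == "login_fail"]
            if any(fails[j + FAILED_BURST - 1] - fails[j] <= BURST_WINDOW for j in range(len(fails) - FAILED_BURST + 1)):
                reasons.append(f"{FAILED_BURST}+ failed logins within {BURST_WINDOW.seconds // 60} min before change")
            if reasons:
                findings.setdefault(user, []).extend(reasons)
    return findings

if __name__ == "__main__":
    print(demo_hold_period())
    print(detect_suspicious_changes(SAMPLE_EVENTS))
```

Run as a script, the first line shows the three notices sent for Dana’s request and that the cancelled second request never applies; the second flags Bob (login from a new country four minutes before the change) and Carol (five failed logins in a few minutes, then a success, then the change) while Alice’s routine change is left alone. The design point in the control is that the notice goes to the contact details captured before the request, so the attacker cannot use the same stolen session to point the alert at themselves; the detector’s country baseline is deliberately built only from logins older than the lookback window, so the attacker’s own fresh login cannot launder itself into the baseline.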

By fostering a culture of security and implementing robust technical safeguards, we can collectively shut the door on these criminals and ensure everyone’s hard-earned salary is protected.

Source: https://go.theregister.com/feed/www.theregister.com/2025/10/10/microsoft_payroll_pirate/
