Cybercriminals are actively targeting corporate payroll systems to commit financial fraud. The objective is to reroute employee salary payments into bank accounts the attackers control. This form of attack, known as payroll diversion, depends on gaining unauthorized access to an employee self-service portal or an HR administration system; once inside, the attacker needs nothing more than the access a legitimate user already has.
Reports from multiple incidents indicate that these operations are not isolated and affect organizations across several sectors. The loss is usually discovered only after the scheduled payday has passed and the salary fails to arrive, which leaves the employee without pay and the employer with a complex recovery and reimbursement process.
Attack Methodology: Credential Compromise
The most common vector for these attacks is the compromise of employee login credentials, obtained in one of two ways. The first is phishing: fraudulent emails impersonating the company's HR department or payroll provider direct employees to a malicious login page that captures their usernames and passwords. The second is credential stuffing: attackers take username and password pairs leaked in earlier, unrelated breaches and systematically try them against the company's payroll portal. This succeeds against employees who reuse the same password across services. Both techniques work because the portal treats a username and password as sufficient proof of identity; a burst of logins from one source that cycles through many distinct usernames with mostly failures is the signature of the second.
The Fraudulent Transaction: Rerouting Payments
Once an attacker has a working credential, the rest requires no exploit. They navigate to the direct deposit settings of the payroll portal and replace the employee's legitimate bank account and routing numbers with those of an account under their control, typically a prepaid card account. The change is timed just before a payroll processing deadline so that neither the employee nor HR staff has much opportunity to notice it, and the next payroll run then sends the employee's full salary to the fraudulent account. Because the login itself looks legitimate, this is the step at which controls should fire: confirming a bank-detail change through a channel the attacker does not control, or holding such changes for review before the next payroll run, stops the diversion even after the credential has been lost.
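The two stages described above, the credential-stuffing burst from the Attack Methodology section and the pre-cutoff direct-deposit change described here, can be detected together from a payroll portal's own audit log. The following Python is an added example, not code from the original post or from any payroll vendor: the log format, the event and field names (`login`, `dd_change`, `src`, `acct`), the thresholds, the payroll cutoff and every sample event are constructed for illustration.

```python
"""Heuristic detection of payroll diversion in a payroll-portal audit log.
Added example, not code from the original post. The log format, field names,
thresholds and all sample events are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log, "<timestamp> <event> key=value ...". 192.0.2.77 runs a
# credential-stuffing burst and lands one account (frank); frank and carol then
# redirect pay to the same new account just before the cutoff; bob's earlier
# change from his usual address is benign.
SAMPLE_LOG = """\
2025-10-20T08:02:00Z login user=bob src=198.51.100.20 result=ok
2025-11-01T10:00:00Z login user=bob src=198.51.100.20 result=ok
2025-11-01T10:01:00Z dd_change user=bob src=198.51.100.20 acct=555666777
2025-11-03T22:10:01Z login user=alice src=192.0.2.77 result=fail
2025-11-03T22:10:02Z login user=bob src=192.0.2.77 result=fail
2025-11-03T22:10:03Z login user=carol src=192.0.2.77 result=fail
2025-11-03T22:10:04Z login user=dave src=192.0.2.77 result=fail
2025-11-03T22:10:05Z login user=frank src=192.0.2.77 result=ok
2025-11-03T22:10:06Z login user=erin src=192.0.2.77 result=fail
2025-11-03T22:10:07Z login user=grace src=192.0.2.77 result=fail
2025-11-03T22:11:30Z dd_change user=frank src=192.0.2.77 acct=000111222
2025-11-04T09:15:00Z login user=carol src=203.0.113.44 result=ok
2025-11-04T09:16:00Z dd_change user=carol src=203.0.113.44 acct=000111222
"""
PAYROLL_CUTOFF = datetime(2025, 11, 5, 17, 0, tzinfo=timezone.utc)  # hypothetical


def parse_log(text):
    """Parse the constructed format into event dicts sorted oldest first."""
    events = []
    for line in filter(None, text.splitlines()):
        ts, etype, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "type": etype}
        ev.update(dict(f.split("=", 1) for f in fields))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def stuffing_sources(events, window=timedelta(minutes=10), min_users=6, max_success=0.25):
    """Source IPs that tried many distinct usernames within `window`, mostly failing.
    Maps src -> {"attempts", "distinct_users", "compromised"}; "compromised" lists
    the users for whom a login from that source succeeded inside the flagged window.
    """
    by_src = defaultdict(list)
    for ev in events:
        if ev["type"] == "login":
            by_src[ev["src"]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):  # sliding time window over this source's attempts
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            ok = [e["user"] for e in win if e["result"] == "ok"]
            if len(users) >= min_users and len(ok) / len(win) <= max_success:
                flagged[src] = {"attempts": len(win), "distinct_users": len(users),
                                "compromised": sorted(set(ok))}
    return flagged


def score_deposit_changes(events, cutoff=PAYROLL_CUTOFF, stuffing=None,
                          days_before=3, history_age=timedelta(hours=24)):
    """Attach independent risk indicators to each direct-deposit change.
    A source counts as known for an employee only if it produced a successful login
    at least `history_age` before the change, so the attacker's own fresh login
    does not whitelist their address.
    """
    if stuffing is None:
        stuffing = stuffing_sources(events)
    changes = [e for e in events if e["type"] == "dd_change"]
    users_per_acct = defaultdict(set)
    for ch in changes:
        users_per_acct[ch["acct"]].add(ch["user"])
    results = []
    for ch in changes:
        known = {e["src"] for e in events if e["type"] == "login" and e["result"] == "ok"
                 and e["user"] == ch["user"] and ch["ts"] - e["ts"] >= history_age}
        reasons = []
        if ch["src"] in stuffing:
            reasons.append("src_is_credential_stuffing_source")
        if ch["src"] not in known:
            reasons.append("src_has_no_login_history_for_user")
        if timedelta(0) <= cutoff - ch["ts"] <= timedelta(days=days_before):
            reasons.append(f"within_{days_before}_days_of_payroll_cutoff")
        if len(users_per_acct[ch["acct"]]) > 1:
            reasons.append("new_account_shared_by_multiple_employees")
        # Two or more independent indicators: hold the change and confirm it with the
        # employee out of band (not through the portal) before the next payroll run.
        action = "hold_and_verify" if len(reasons) >= 2 else "allow"
        results.append({"user": ch["user"], "acct": ch["acct"],
                        "reasons": reasons, "action": action})
    return results


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential-stuffing sources:", stuffing_sources(evs))
    for r in score_deposit_changes(evs):
        print(r["user"], r["action"], r["reasons"])
```

On the sample log, frank's change collects all four indicators and carol's three, so both are held, while bob's change from an address with established history, well before the cutoff, is allowed. The proximity-to-cutoff indicator alone is weak because legitimate changes cluster there too; what makes the scoring useful is requiring a second, independent signal, and the `history_age` guard, without which the attacker's own login a minute earlier would make the source look familiar.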
Source: https://www.schneier.com/blog/archives/2025/11/cybercriminals-targeting-payroll-sites.html