
- Attackers exploit help desk personnel to gain unauthorized payroll system access
- Social engineering lets hackers redirect employee salaries without triggering alerts
- Targeting individual paychecks keeps attacks under law enforcement and corporate radar
Payroll systems are increasingly targeted by cybercriminals, particularly during periods when bonuses and end-of-year payments are expected.
Okta Threat Intelligence reports that attackers focus less on breaking into infrastructure and more on exploiting human processes surrounding payroll access.
Rather than deploying ransomware or mass phishing campaigns, these actors aim to quietly divert individual salaries by manipulating account recovery workflows.
Help desks emerge as the weak link
Tracking a campaign known as O-UNC-034, Okta reported that attackers are calling corporate help desks directly.
Posing as legitimate employees, they request password resets or account changes, relying on social engineering rather than technical exploits.
These calls have affected organizations across the education, manufacturing, and retail sectors, indicating that no single industry is the focus.
Once access is granted, attackers attempt to register their own authentication methods to maintain control over the compromised account.
After taking over an employee account, attackers move quickly to payroll platforms such as Workday, Dayforce HCM, and ADP.
They alter banking details so upcoming payments are redirected elsewhere, often without immediate detection.
Because the theft targets individual paychecks, the financial losses can appear minor when viewed in isolation.
This reduces the likelihood of rapid escalation or law enforcement attention.
At scale, this approach can yield large returns and enable identity theft without triggering alarms tied to larger breaches.
Threat analysts suggest that stealing individual salaries is less conspicuous than large data breaches or extortion campaigns.
Attackers can further refine targets through basic reconnaissance, focusing on higher earners or employees scheduled for severance payouts.
Earlier campaigns relied on malvertising and credential phishing, but the shift toward live phone interactions reflects tactics that bypass technical defenses entirely.
Antivirus tools offer little protection when attackers obtain credentials voluntarily during a convincing conversation.
Similarly, malware removal tools, although relevant for other threats, do not address this category of attack.
Security guidance emphasizes strict identity verification procedures for support staff handling account recovery requests.
First-line help desk personnel are advised against modifying authentication factors directly, instead issuing temporary access codes only after successful identity checks.
Organizations are also encouraged to limit access to sensitive applications to managed devices and apply higher scrutiny to requests originating from unusual locations or networks.
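The sequence the article describes (help-desk reset, a newly enrolled authenticator, then a payroll bank-detail change) is one that a detection rule can correlate. The following Python is an added example, not code from the article or from Okta; the event fields, the event names and the sample log records are constructed assumptions standing in for a join of the identity provider's system log and the payroll platform's audit log.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real log data). "managed" marks whether the
# request came from a managed device, as the guidance above recommends checking.
SAMPLE_EVENTS = [
    {"ts": "2024-12-02T09:05:00", "user": "alice", "type": "helpdesk_reset", "src": "10.20.0.5", "managed": True},
    {"ts": "2024-12-02T09:12:00", "user": "alice", "type": "mfa_factor_enrolled", "src": "203.0.113.40", "managed": False},
    {"ts": "2024-12-02T10:30:00", "user": "alice", "type": "payroll_bank_change", "src": "203.0.113.40", "managed": False},
    {"ts": "2024-12-02T11:00:00", "user": "bob", "type": "helpdesk_reset", "src": "10.20.0.5", "managed": True},
    {"ts": "2024-12-05T14:00:00", "user": "bob", "type": "login", "src": "10.20.0.9", "managed": True},
    {"ts": "2024-11-20T08:00:00", "user": "carol", "type": "payroll_bank_change", "src": "10.20.0.7", "managed": True},
]


def flag_payroll_takeovers(events, window_hours=72):
    """Return {user: [reasons]} for every payroll bank-detail change that follows a
    help-desk-initiated reset within `window_hours`. Extra reasons are recorded
    when a new MFA factor was enrolled between the reset and the change, and when
    the change came from an unmanaged device."""
    window = timedelta(hours=window_hours)
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append({**e, "ts": datetime.fromisoformat(e["ts"])})

    alerts = {}
    for user, evs in by_user.items():
        resets = [e for e in evs if e["type"] == "helpdesk_reset"]
        for change in (e for e in evs if e["type"] == "payroll_bank_change"):
            # Resets that happened before the change and inside the window.
            prior = [r for r in resets if timedelta(0) <= change["ts"] - r["ts"] <= window]
            if not prior:
                continue
            reset = prior[-1]  # most recent qualifying reset
            hours = (change["ts"] - reset["ts"]).total_seconds() / 3600
            reasons = [f"bank change {hours:.1f}h after help-desk reset"]
            if any(e["type"] == "mfa_factor_enrolled" and reset["ts"] <= e["ts"] <= change["ts"] for e in evs):
                reasons.append("new MFA factor enrolled after reset")
            if not change["managed"]:
                reasons.append(f"change made from unmanaged device {change['src']}")
            alerts.setdefault(user, []).extend(reasons)
    return alerts


if __name__ == "__main__":
    for user, reasons in flag_payroll_takeovers(SAMPLE_EVENTS).items():
        print(user, "->", "; ".join(reasons))
```

A reset with no subsequent banking change (bob) and a banking change with no preceding reset (carol) are left alone, so the rule keys on the chain rather than on any single event.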
“It’s interesting to see payroll fraud actors joining the swelling number of threat actor groups targeting help desk professionals for access to user accounts,” says Brett Winterford, Vice President of Threat Intelligence at Okta.
“This situation underscores the importance of giving IT support personnel the tools they need to verify the identities of inbound callers, and to give them account recovery options that limit the ability of a rogue caller to take over an account.”