Payroll pirates are conning help desks to steal workers' identities and redirect paychecks
Attackers using social engineering to exploit business processes, rather than tunnelling in via tech
EXCLUSIVE When fraudsters go after people's paychecks, "every employee on earth becomes a target," according to Binary Defense security sleuth John Dwyer.
In December 2025, managed detection and response outfit Binary Defense's threat research group ARC Labs investigated a security incident in which a thief redirected a physician's salary into their own account using a very simple attack that started with a help-desk call.
"This was a combination of exploiting people and processes rather than technology," Dwyer, the deputy CTO and head of Arc Labs, told The Register in an exclusive interview. "It's technology-adjacent. This was identity theft from pure-play social engineering into exploiting a weaker-than-advised process internally to gain access."
REG AD
In a report shared exclusively with The Register, Dwyer and co-authors Danny Dubree and Eric Gonzalez detailed how the attacker used compromised credentials belonging to a shared mailbox at a healthcare facility. Binary Defenses’ incident responders can't say for certain how the attacker obtained the credentials. Dwyer said his team found no evidence of phishing and assumes the miscreant obtained the email login info from an earlier breach.
REG AD
Once the attackers gained access to the mailbox, they snooped around and determined whose identity to assume when calling the help desk to request a password and multi-factor authentication (MFA) reset.
In this case, the attacker pretended to be a physician locked out of their account and thus unable to treat patients.
"The call basically went that this person can't log into their account, they have patients they need to see right now, they need to get immediate access," Dwyer said. The fake physician's name and access-level checked out, so the help desk employee reset the password and MFA token. This gave the attacker access to the account, which enabled the rest of the payroll scam to play out.
It's technology-adjacent. This was identity theft from pure-play social engineering into exploiting a weaker-than-advised process internally to gain access
"And this is where things get very, very interesting," Dwyer said. "Over the last year where we've seen these sort of incidents, it has followed traditional business email compromise attack flows."
In one such attack targeting university employees and documented by Microsoft, the digital thieves compromised employee accounts to gain access to HR platforms like Workday and then diverted employees' direct-deposit paychecks. The attackers gained initial access through phishing emails, stole MFA codes via an adversary-in-the-middle phishing link, and then accessed the victims' Microsoft Exchange Online inboxes before hijacking their Workday profiles and sending paychecks to attacker-controlled accounts.
'Identity is the new perimeter'
"Everything happens through that access, through that mailbox in that Microsoft account," Dwyer said, adding that the attack targeting the physician looked different. After "recovering" the medico’s identity from the help desk social engineering call, the attacker authenticated from the healthcare organization's own virtual desktop infrastructure, registered new authentication devices to the account, and logged into the Workday payroll system.
Once they had logged into Workday, the crook changed the banking and direct deposit details to re-route the physician's paycheck into an attacker-controlled account.
REG AD
Using the company's own virtual infrastructure allowed the attacker to bypass security detections because the logins appeared to be a legitimate internal user with a trusted endpoint and internal IP address.
This is about process exploitation and the hijacking of identities, which makes it extraordinarily hard to identify malicious versus normal identity behavior
"With this one, the big thing that really stood out is that the attackers seem to be aware of the detection strategies against them," Dwyer said. "This attack was carried out purely outside of email and leveraging the trusted access through the VDI infrastructure. By abusing the organization's own virtual desktop infrastructure, so from a security tools point of view, everything looks normal and trusted."
The organization wasn't even aware that it had been compromised until the physician asked why they hadn’t been paid.
"It isn't always about technology hacking," Dwyer said. "This is about process exploitation and the hijacking of identities, which makes it extraordinarily hard to identify malicious versus normal identity behavior. Identity is the new perimeter, and this is a new threat vector in which your persona needs to be treated like a privileged asset, rather than just your computer or your phone."
In addition to underscoring the security threats around using shared mailboxes, this incident shows how payroll and HR platforms should be viewed as a high-value target for attackers, Dwyer added. For defenders, this requires treating payroll information as a telemetry stream for threat detection and treating payroll changes as high-risk financial events.
"The good news is we already have a model around this – lessons learned from wire fraud and pay and accounts payable fraud applies here," Dwyer said. "Changes that are made to direct deposit information should have to be confirmed in some mechanism, there should be a temporary holding period while it goes through some sort of fraud detection review, or something along those lines."
While organizations have the technology to do this, they don't necessarily have the processes in place to address this type of security and business risk, he added.
"Organizations need to consider direct deposit as a legitimate, viable threat vector," Dwyer said. "If I was a business leader, I would want to get ahead of this, because I wouldn't want to get into some sort of arbitration with an employee over a lost paycheck." ®