- Attackers exploit help desk staff to gain unauthorized access to payroll system
- Social engineering allows hackers to redirect employee salaries without triggering alerts
- Targeting individual paychecks keeps attacks under the radar of law enforcement and corporate security
Payroll systems are increasingly being targeted by cybercriminals, especially during periods when bonuses and year-end payments are expected.
Okta Threat Intelligence reports that attackers are focused less on breaking into infrastructure and more on exploiting human processes related to payroll access.
Instead of deploying ransomware or massive phishing campaigns, these actors aim to silently siphon off individual salaries by manipulating account recovery workflows.
Help desks emerge as the weak link
Tracking a campaign known as O-UNC-034, Okta reported that attackers are calling corporate help desks directly.
Posing as legitimate employees, they request password resets or account changes, relying on social engineering rather than technical exploits.
These calls have affected organizations in the education, manufacturing and retail sectors, indicating that no single industry is being singled out.
Once access is granted, attackers attempt to register their own authentication methods to maintain control over the compromised account.
After taking over an employee’s account, attackers quickly move on to payroll platforms like Workday, Dayforce HCM, and ADP.
They alter banking details so that upcoming payments are redirected elsewhere, often without immediate detection.
Because theft targets individual paychecks, the financial losses may seem minor when considered in isolation.
This reduces the likelihood of rapid escalation or attention from authorities.
At scale, this approach can generate substantial profits and enable identity theft without triggering the alarms associated with larger breaches.
Threat analysts note that individual wage theft is far less conspicuous than large data breaches or extortion campaigns.
Attackers can further refine targets through basic reconnaissance, focusing on higher earners or employees slated for severance pay.
Previous campaigns relied on malvertising and credential phishing, but the shift toward live phone interactions reflects tactics that completely bypass technical defenses.
Antivirus tools offer little protection when employees hand over credentials voluntarily during a convincing conversation.
Similarly, malware removal tools, while relevant to other threats, do not address this category of attacks.
Okta's guidance emphasizes strict identity verification procedures for support staff handling account recovery requests.
Frontline support staff are discouraged from modifying authentication factors directly and are instead advised to issue temporary access codes only after a successful identity check.
Organizations are also encouraged to limit access to sensitive applications to managed devices and apply greater scrutiny to requests that originate from unusual locations or networks.
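One way to turn the chain described above (help-desk reset, new factor enrolled, payroll bank change) into a detection, as an added example that is not from the article or from Okta: correlate help-desk-initiated resets with what the same account does in the following hours. The event names, fields and sample records are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). "alice" follows the pattern the
# article describes; "bob" has a reset and a bank change ten days apart.
EVENTS = [
    {"ts": "2024-11-18T09:02:00", "user": "alice", "type": "helpdesk_password_reset", "src": "agent:helpdesk"},
    {"ts": "2024-11-18T09:10:00", "user": "alice", "type": "mfa_factor_enrolled", "src": "203.0.113.7", "managed": False},
    {"ts": "2024-11-18T09:25:00", "user": "alice", "type": "payroll_bank_change", "src": "203.0.113.7", "managed": False},
    {"ts": "2024-11-18T10:00:00", "user": "bob", "type": "helpdesk_password_reset", "src": "agent:helpdesk"},
    {"ts": "2024-11-28T14:00:00", "user": "bob", "type": "payroll_bank_change", "src": "10.20.0.5", "managed": True},
]

RESET, ENROLL, BANK_CHANGE = "helpdesk_password_reset", "mfa_factor_enrolled", "payroll_bank_change"

def parse(events):
    """Convert ISO timestamps to datetime and sort chronologically."""
    out = []
    for e in events:
        rec = dict(e)
        rec["ts"] = datetime.fromisoformat(e["ts"])
        out.append(rec)
    return sorted(out, key=lambda r: r["ts"])

def detect_takeover(events, window=timedelta(hours=48)):
    """Return {user: [reasons]} for accounts where a help-desk reset is followed
    by a payroll bank change inside `window`. A new factor enrolment or activity
    from an unmanaged device in the same window adds further reasons."""
    alerts = {}
    by_user = {}
    for e in parse(events):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        for reset in (e for e in evs if e["type"] == RESET):
            later = [e for e in evs if reset["ts"] < e["ts"] <= reset["ts"] + window]
            types = {e["type"] for e in later}
            if BANK_CHANGE not in types:
                continue  # no payroll change after the reset: nothing to flag
            reasons = [f"payroll bank change within {window} of help-desk reset"]
            if ENROLL in types:
                reasons.append("new MFA factor enrolled after reset")
            if any(not e.get("managed", True) for e in later):
                reasons.append("post-reset activity from an unmanaged device")
            alerts[user] = reasons
    return alerts

if __name__ == "__main__":
    for user, reasons in detect_takeover(EVENTS).items():
        print(user, "->", "; ".join(reasons))
```

The window and the "managed" flag are placeholders for whatever the identity provider and payroll platform actually log; the point is that the three events are individually routine and only the sequence is suspicious.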
“It’s interesting to see payroll fraud actors join the growing number of threat actor groups targeting help desk professionals to access user accounts,” says Brett Winterford, VP of Threat Intelligence at Okta.
“This situation underscores the importance of providing IT support staff with the tools they need to verify the identities of incoming callers and provide them with account recovery options that limit a dishonest caller’s ability to take over an account.”