- Attackers exploit help desk staff to gain unauthorized access to the payroll system.
- Social engineering lets attackers redirect employee salaries without triggering alerts.
- Targeting individual salaries keeps attacks under the radar of law enforcement and businesses.
Payroll systems are increasingly targeted by cybercriminals, especially during periods when bonuses and end-of-year payments are expected.
Okta Threat Intelligence reports that attackers are less focused on intruding on infrastructure and more on exploiting the human processes surrounding payroll access.
Rather than deploying ransomware or massive phishing campaigns, these actors aim to discreetly hijack individual salaries by manipulating account recovery workflows.
Support services appear to be the weak link
Tracking a campaign it designates O-UNC-034, Okta reported that attackers were phoning the IT help desks of targeted organizations directly.
Posing as legitimate employees, they request password resets or account changes, relying on social engineering rather than technical exploits.
These calls have hit organizations in the education, manufacturing and retail sectors, indicating that the campaign is not focused on any single industry.
Once access is granted, attackers enroll their own authentication factors (for example a new phone number or authenticator app) so that they retain control of the compromised account even if the original password is reset again.
After taking over an employee’s account, attackers quickly turn to payroll platforms like Workday, Dayforce HCM, and ADP.
They change the employee's direct deposit bank details so that future payments are routed to attacker-controlled accounts, often without immediate detection.
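The chain described above (help-desk reset, attacker factor enrollment, payroll bank-detail change) is detectable when identity provider and payroll audit logs are correlated per user inside a time window. The following is an added example, not code from Okta or the article; the log lines are constructed, the event names are illustrative stand-ins for an identity provider's and a payroll platform's audit events, and the 72-hour window and severity scheme are assumptions a team would tune.

```python
"""Correlate help-desk password resets with factor enrollment and payroll
bank-detail changes to flag likely salary-redirection takeovers."""
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: time window after a help-desk reset during which follow-on
# changes are treated as related to it.
WINDOW = timedelta(hours=72)

# Illustrative event names (assumed, not a vendor schema).
RESET_EVENTS = {"user.account.reset_password"}
FACTOR_EVENTS = {"user.mfa.factor.activate"}
BANK_EVENTS = {"payment_election.update"}

# Constructed sample log lines, normalised to one JSON shape per line.
SAMPLE_EVENTS = """
{"ts": "2024-12-02T09:14:00Z", "user": "j.doe", "source": "idp", "event": "user.account.reset_password", "actor": "helpdesk:agent07", "ip": "203.0.113.20"}
{"ts": "2024-12-02T09:21:00Z", "user": "j.doe", "source": "idp", "event": "user.mfa.factor.activate", "actor": "j.doe", "ip": "198.51.100.77"}
{"ts": "2024-12-02T10:05:00Z", "user": "j.doe", "source": "payroll", "event": "payment_election.update", "actor": "j.doe", "ip": "198.51.100.77"}
{"ts": "2024-12-02T11:00:00Z", "user": "a.smith", "source": "idp", "event": "user.account.reset_password", "actor": "helpdesk:agent03", "ip": "203.0.113.20"}
{"ts": "2024-12-05T08:00:00Z", "user": "a.smith", "source": "payroll", "event": "payment_election.update", "actor": "a.smith", "ip": "203.0.113.41"}
{"ts": "2024-12-02T12:00:00Z", "user": "m.lee", "source": "idp", "event": "user.mfa.factor.activate", "actor": "m.lee", "ip": "203.0.113.42"}
{"ts": "2024-12-03T12:00:00Z", "user": "m.lee", "source": "payroll", "event": "payment_election.update", "actor": "m.lee", "ip": "203.0.113.42"}
"""


@dataclass
class Event:
    ts: datetime
    user: str
    source: str
    event: str
    actor: str
    ip: str


def parse_events(raw: str) -> list[Event]:
    """Parse newline-delimited JSON events and return them in time order."""
    events = []
    for line in raw.strip().splitlines():
        if not line.strip():
            continue
        d = json.loads(line)
        events.append(Event(
            ts=datetime.fromisoformat(d["ts"].replace("Z", "+00:00")),
            user=d["user"], source=d["source"], event=d["event"],
            actor=d["actor"], ip=d["ip"],
        ))
    return sorted(events, key=lambda e: e.ts)


def detect(events: list[Event]) -> list[dict]:
    """For each help-desk-initiated reset, look for a bank-detail change within
    WINDOW. A change alone is 'medium'; a change preceded by a new factor
    enrollment in the same window is 'high', since that is the persistence
    step an attacker takes before touching payroll. A self-service factor
    enrollment or bank change with no preceding help-desk reset is not flagged."""
    by_user: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    findings = []
    for user, evs in by_user.items():
        resets = [e for e in evs
                  if e.event in RESET_EVENTS and e.actor.startswith("helpdesk:")]
        for reset in resets:
            window = [e for e in evs if reset.ts <= e.ts <= reset.ts + WINDOW]
            factors = [e for e in window if e.event in FACTOR_EVENTS]
            bank = [e for e in window if e.event in BANK_EVENTS]
            if not bank:
                continue
            findings.append({
                "user": user,
                "severity": "high" if factors else "medium",
                "reset_by": reset.actor,
                "reset_at": reset.ts.isoformat(),
                "bank_change_at": bank[0].ts.isoformat(),
                "new_factor": bool(factors),
                # IPs used after the reset that differ from the agent's IP;
                # useful context for the analyst, not a trigger on its own.
                "post_reset_ips": sorted({e.ip for e in window if e.actor == user}),
            })
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(f))
```

The point of requiring the help-desk actor on the reset is to separate this pattern from routine self-service changes: m.lee enrolls a factor and updates bank details without any help-desk involvement and is not flagged, while a.smith's bank change 69 hours after an agent-initiated reset is surfaced at medium severity for review.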
Since the theft targets individual paychecks, financial losses may seem minor when considered in isolation.
This reduces the likelihood of rapid escalation or attention from law enforcement.
At scale, this approach can generate significant returns and enable identity theft without raising alarms related to larger breaches.
Threat analysts suggest that individual wage theft is less visible than large-scale data breaches or extortion campaigns.
Attackers can further refine their targets through basic reconnaissance, focusing on higher-paid employees or employees due to receive severance packages.
Previous campaigns relied on malvertising and credential phishing, but the shift to live phone calls reflects tactics that sidestep email filtering and endpoint controls entirely, because no malicious file or link is ever delivered.
Antivirus tools offer little protection when an employee's credentials are handed over, or reset on the attacker's behalf, during a convincing conversation.
Likewise, malware removal tools, while relevant for other threats, do not address this category of attacks.
Security guidelines emphasize strict identity verification procedures for support staff handling account recovery requests.
Frontline help desk staff are advised not to change or enroll authentication factors directly, but only to issue short-lived temporary access codes after the caller's identity has been verified.
Organizations are also encouraged to limit access to sensitive applications to managed devices and apply greater scrutiny to requests from unusual locations or networks.
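To make the recommended control concrete: the help desk's only privileged operation becomes issuing a short-lived, single-use access code after the identity checks pass, and the service exposes no call at all for an agent to set or remove a factor. The following is an added example, not Okta's or any vendor's code; the 15-minute lifetime, the specific identity checks (callback to the number on file, manager confirmation) and the trusted-network flag are assumptions standing in for whatever an organization's policy requires.

```python
"""Help-desk account recovery that issues a temporary access code instead of
changing authentication factors."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 15 * 60  # assumption: codes live 15 minutes


@dataclass
class IdentityCheck:
    """What the agent actually verified before asking for a code."""
    ticket_id: str
    callback_to_number_on_file: bool  # agent called the HR-on-file number back
    manager_confirmed: bool           # manager confirmed the request out of band
    caller_network_trusted: bool      # call/request origin matched expected location

    def passed(self) -> bool:
        return self.callback_to_number_on_file and self.manager_confirmed


@dataclass
class PendingCode:
    ticket_id: str
    code_hash: bytes
    expires_at: float
    used: bool = False


class RecoveryService:
    """No method here sets, resets or deletes a factor. After redeeming the
    code, the user re-enrolls their own factors through the normal self-service
    enrollment flow (out of scope for this example)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending: dict[str, PendingCode] = {}
        self.audit: list[str] = []

    @staticmethod
    def _hash(user: str, code: str) -> bytes:
        # Bind the code to the user so a code issued for one account cannot
        # be redeemed against another, and store only the hash.
        return hashlib.sha256(f"{user}:{code}".encode()).digest()

    def issue_temporary_code(self, agent: str, user: str, check: IdentityCheck) -> str:
        if not check.passed():
            self.audit.append(f"DENY ticket={check.ticket_id} agent={agent} user={user} "
                              f"reason=identity_check_incomplete")
            raise PermissionError("identity verification incomplete")
        if not check.caller_network_trusted:
            # Allowed only because manager confirmation passed; flagged for review.
            self.audit.append(f"REVIEW ticket={check.ticket_id} user={user} reason=untrusted_origin")
        code = secrets.token_hex(4).upper()  # 8 hex chars, read to the verified caller
        self._pending[user] = PendingCode(
            ticket_id=check.ticket_id,
            code_hash=self._hash(user, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        self.audit.append(f"ISSUE ticket={check.ticket_id} agent={agent} user={user}")
        return code

    def redeem(self, user: str, code: str) -> bool:
        """Single use, time-bound, constant-time comparison. Returns True once."""
        pending = self._pending.get(user)
        if pending is None or pending.used or self._clock() > pending.expires_at:
            self.audit.append(f"REDEEM_FAIL user={user}")
            return False
        if not hmac.compare_digest(pending.code_hash, self._hash(user, code)):
            self.audit.append(f"REDEEM_FAIL user={user} ticket={pending.ticket_id}")
            return False
        pending.used = True
        self.audit.append(f"REDEEM_OK user={user} ticket={pending.ticket_id}")
        return True


if __name__ == "__main__":
    svc = RecoveryService()
    ok = IdentityCheck("INC-1001", True, True, True)
    code = svc.issue_temporary_code("agent07", "j.doe", ok)
    print("redeem once:", svc.redeem("j.doe", code))   # True
    print("redeem again:", svc.redeem("j.doe", code))  # False (single use)
```

The shape matters more than the details: because the agent-facing API can only mint a code that the legitimate account holder must redeem within minutes, a convincing caller gains nothing durable from the call itself, and every issuance leaves a ticket-linked audit entry that the detection logic for payroll changes can join against.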
“It’s exciting to see payroll fraudsters join the growing number of threat actor groups targeting help desk professionals to gain access to user accounts,” said Brett Winterford, vice president of Threat Intelligence at Okta.
“This situation highlights the importance of giving IT support staff the tools they need to verify the identities of incoming callers and providing them with account recovery options that limit a malicious caller’s ability to take over an account.”