- Attackers exploit help desk personnel to gain unauthorized access to the payroll system
- Social engineering lets hackers redirect employee paychecks without triggering alerts
- Targeting individual paychecks keeps attacks under law enforcement and corporate radar
Payroll systems are increasingly targeted by cybercriminals, especially during periods when bonuses and end-of-year payouts are expected.
Okta Threat Intelligence reports that attackers are focusing less on breaking into infrastructure and more on exploiting human processes around payroll access.
Instead of deploying ransomware or mass phishing campaigns, these actors aim to quietly divert individual wages by manipulating account recovery workflows.
Helpdesks appear to be the weak link
Tracking a campaign known as O-UNC-034, Okta reported that attackers are calling targeted organizations’ help desks directly.
They pose as legitimate employees and request password resets or account changes, relying on social engineering rather than technical exploits.
These calls have affected organizations across the education, manufacturing and retail sectors, indicating that no single industry is the focus.
Once access is granted, attackers attempt to register their own authentication methods to maintain control of the compromised account.
After taking over an employee account, attackers quickly move to payroll platforms such as Workday, Dayforce HCM and ADP.
They change bank details so that future payments are diverted elsewhere, often without immediate detection.
Because the theft targets individual paychecks, the economic losses may appear smaller when viewed in isolation.
This reduces the likelihood of rapid escalation or police attention.
At scale, this approach can yield big returns and enable identity theft without triggering the alarms associated with major breaches.
Threat analysts suggest that stealing individual wages is less conspicuous than large data breaches or extortion campaigns.
Attackers can further refine targets through basic reconnaissance, focusing on higher earners or employees scheduled for severance payments.
Previous campaigns relied on malvertising and credential phishing, but the shift to live phone interactions reflects tactics that bypass technical defenses entirely.
Antivirus tools offer little protection when attackers obtain credentials voluntarily during a convincing conversation.
Likewise, malware removal tools, while relevant to other threats, do not address this category of attack.
Security guidance emphasizes strict identity verification procedures for support staff handling account recovery requests.
First-line help desk staff are discouraged from changing authentication factors directly; instead, they should only issue temporary passwords after successful identity verification.
Organizations are also encouraged to limit access to sensitive applications to managed devices and apply greater controls to requests originating from unusual locations or networks.
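The pattern described above (a help-desk reset, followed by a newly enrolled authentication factor, followed by a bank-detail change in a payroll platform) is one that an identity or payroll team can correlate from its own logs. The following is an added example written for this article, not code from Okta, TechRadar or any payroll vendor. The event names, field names, sample events and scoring weights are all constructed for illustration; a real deployment would map them onto whatever the identity provider and payroll system actually emit.

```python
"""Correlate help-desk account recovery with follow-on payroll changes.

Added example (not from Okta or TechRadar). Assumed, constructed event schema:
each event is a dict with 'ts' (epoch seconds), 'user', 'event' and
optional context fields. Event names and weights are hypothetical.
"""
from collections import defaultdict

RESET = "helpdesk.password_reset"          # help desk reset a password
ENROLL = "user.mfa.factor_enroll"          # a new authentication factor was registered
BANK = "payroll.bank_account_changed"      # direct-deposit details changed in payroll
WINDOW = 24 * 3600                         # recovery window after a reset, in seconds
REVIEW_THRESHOLD = 6                       # score at or above which a payroll change is held

# Constructed sample events modelled on the campaign described in the article.
SAMPLE_EVENTS = [
    {"ts": 1000, "user": "alice", "event": RESET, "actor": "helpdesk1", "verified": False},
    {"ts": 1600, "user": "alice", "event": ENROLL, "factor": "sms",
     "device_managed": False, "src_trusted": False},
    {"ts": 2400, "user": "alice", "event": BANK, "app": "Workday",
     "device_managed": False, "src_trusted": False},
    # Benign: verified reset, bank change more than a day later from a managed device.
    {"ts": 1000, "user": "bob", "event": RESET, "actor": "helpdesk2", "verified": True},
    {"ts": 90000, "user": "bob", "event": BANK, "app": "ADP", "device_managed": True},
    # Benign: routine factor enrolment with no preceding help-desk reset.
    {"ts": 5000, "user": "carol", "event": ENROLL, "factor": "totp",
     "device_managed": True, "src_trusted": True},
]


def _context_points(ev):
    """Extra weight when a flagged action comes from an unmanaged device or unfamiliar network."""
    pts, why = 0, []
    if not ev.get("device_managed", True):
        pts += 1
        why.append("action from unmanaged device")
    if not ev.get("src_trusted", True):
        pts += 1
        why.append("action from unfamiliar location/network")
    return pts, why


def score_user(events):
    """Score one user's events (any order) against the recovery-abuse pattern.

    Returns (score, reasons). Only enrolments and bank changes that fall inside
    WINDOW after a help-desk reset count; everything else is treated as routine.
    """
    evs = sorted(events, key=lambda e: e["ts"])
    resets = [e for e in evs if e["event"] == RESET]
    score, reasons = 0, []

    for r in resets:
        if not r.get("verified", False):
            score += 3
            reasons.append(f"help-desk reset by {r.get('actor', '?')} without verified identity")

    def after_reset(ev):
        return any(0 <= ev["ts"] - r["ts"] <= WINDOW for r in resets)

    for ev in evs:
        if ev["event"] == ENROLL and after_reset(ev):
            score += 3
            reasons.append(f"new {ev.get('factor', '?')} factor enrolled within "
                           f"{WINDOW // 3600}h of a help-desk reset")
        elif ev["event"] == BANK and after_reset(ev):
            score += 4
            reasons.append(f"bank account changed in {ev.get('app', 'payroll')} within "
                           f"{WINDOW // 3600}h of a help-desk reset")
        else:
            continue
        pts, why = _context_points(ev)
        score += pts
        reasons.extend(why)
    return score, reasons


def triage(events):
    """Group events by user and score each user. Returns {user: (score, reasons)}."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    return {u: score_user(evs) for u, evs in by_user.items()}


def payroll_changes_to_hold(events):
    """Users whose pending payroll changes should be held for manual review."""
    return sorted(u for u, (s, _) in triage(events).items() if s >= REVIEW_THRESHOLD)


if __name__ == "__main__":
    for user, (score, reasons) in triage(SAMPLE_EVENTS).items():
        print(f"{user}: score={score}")
        for reason in reasons:
            print(f"  - {reason}")
    print("hold for review:", payroll_changes_to_hold(SAMPLE_EVENTS))
```

The scoring is deliberately additive so that each of the article's signals (an unverified reset, a fresh factor, a bank change, an unmanaged device, an unfamiliar network) contributes on its own, and a single reset that is later followed by a legitimate change does not trip the threshold by itself. The useful response is a hold-and-verify step on the payroll change, not an automatic block, since the legitimate employee is the one who loses a paycheck if the change is silently applied.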
“It’s interesting to see payroll fraudsters join the growing number of threat actor groups targeting help desk professionals to gain access to user accounts,” said Brett Winterford, Vice President of Threat Intelligence at Okta.
“This situation underscores the importance of giving IT support staff the tools they need to verify the identity of incoming callers and providing them with account recovery options that limit the opportunity for a rogue caller to take over an account.”