
Cybercriminals are exploiting employees’ reliance on search engines to access payroll portals, launching sophisticated phishing campaigns that redirect paychecks into fraudulent accounts. By leveraging search engine optimization (SEO) poisoning and malicious advertisements, attackers are deceiving users into entering credentials on counterfeit login pages.
Organizations utilizing platforms such as Workday, SAP SuccessFactors, and Deel have been primary targets. High-profile entities, including the University of California system, Kaiser Permanente, Macy’s, and New York Life, have reported incidents where employee paychecks were diverted due to these scams.
How the Scam Operates
- Deceptive Search Results: Employees searching for their company’s payroll or HR portals on platforms like Google encounter malicious ads or SEO-manipulated links that appear legitimate.
- Fake Login Pages: Clicking these links directs users to counterfeit login pages mimicking platforms such as Microsoft 365 or Workday. These pages are often tailored for mobile devices, exploiting the fact that employees frequently access payroll systems via smartphones.
- Credential Theft and Account Compromise: Once credentials are entered, attackers gain unauthorized access to payroll systems and alter direct deposit information to reroute salaries to their own accounts. In some instances, attackers use tools like Pusher to receive real-time alerts upon credential submission, enabling swift exploitation.
Protective Measures
The increasing sophistication of phishing attacks targeting payroll systems underscores the need for heightened vigilance among both employees and employers. By adopting proactive security measures and fostering a culture of cybersecurity awareness, organizations can mitigate the risk of payroll diversion scams.
For Employees:
- Direct Access: Always navigate to payroll portals by typing the URL directly or using official bookmarks.
- Verify Links: Be cautious of sponsored search results and verify URLs before clicking.
- Monitor Accounts: Regularly check direct deposit information and report any unauthorized changes immediately.
For Employers:
- Employee Education: Conduct training sessions to raise awareness about phishing tactics and safe browsing practices.
- Implement Multi-Factor Authentication (MFA): Require MFA for access to payroll systems to add an extra layer of security.
- Monitor for Suspicious Activity: Regularly audit payroll changes and monitor for unusual login patterns or IP addresses.
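The audit described above can be automated. The following is an added example (not code from the article or from any payroll vendor) that scans a constructed payroll audit log and flags two patterns behind the scam: a direct deposit change made shortly after a login from an IP the employee has never used, and one destination account shared by several employees. The log format, field names and baseline IP list are assumptions for the example.

```python
"""Flag payroll direct-deposit changes that follow a login from an unfamiliar IP,
or that route several employees' pay to the same destination account."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log lines (not from a real payroll system).
SAMPLE_LOG = [
    "2024-03-04T08:02:11Z user=alice event=login ip=203.0.113.10",
    "2024-03-04T08:05:40Z user=alice event=dd_change account=ACCT-A",
    "2024-03-04T09:10:02Z user=bob event=login ip=198.51.100.7",
    "2024-03-04T09:11:15Z user=bob event=dd_change account=ACCT-SHARED",
    "2024-03-04T09:30:33Z user=carol event=login ip=198.51.100.7",
    "2024-03-04T09:31:50Z user=carol event=dd_change account=ACCT-SHARED",
]
# Constructed baseline: IPs each employee has logged in from before today.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"192.0.2.44"}, "carol": {"192.0.2.45"}}


def parse(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_suspicious(lines, known_ips, window=timedelta(minutes=30)):
    """Return a list of (user, reason) alerts for review by HR/security."""
    alerts = []
    last_login = {}                    # user -> (login time, source ip)
    account_users = defaultdict(set)   # destination account -> set of users
    for rec in map(parse, lines):
        user = rec["user"]
        if rec["event"] == "login":
            last_login[user] = (rec["ts"], rec["ip"])
        elif rec["event"] == "dd_change":
            account_users[rec["account"]].add(user)
            if user in last_login:
                login_ts, ip = last_login[user]
                new_ip = ip not in known_ips.get(user, set())
                if new_ip and rec["ts"] - login_ts <= window:
                    alerts.append((user, f"deposit change within {window} of login from new ip {ip}"))
    # Several employees pointing pay at one account is a classic diversion sign.
    for account, users in account_users.items():
        if len(users) > 1:
            for user in sorted(users):
                alerts.append((user, f"account {account} shared by {len(users)} employees"))
    return alerts
```

Running `find_suspicious(SAMPLE_LOG, KNOWN_IPS)` flags bob and carol twice each (new-IP login followed by a deposit change, and a shared destination account) and leaves alice alone.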
For more on how these scams operate and tips on prevention, contact us at [email protected]