
When Paychecks Become the Prize - A Deeper Look at the Rise of Direct Deposit Attacks


When Paychecks Become the Prize 🚀

Ransomware may dominate headlines, but some of the most effective modern attacks don’t rely on malware at all. Instead, attackers are exploiting identity workflows, trusted access paths, and payroll self-service features to quietly steal money — one paycheck at a time.

ARC Labs recently investigated an attack where an adversary redirected an employee’s salary by modifying direct deposit information in a payroll platform after compromising the user’s identity account. The attack was technically simple, operationally precise, and deliberately low-noise. This is not an anomaly; it’s a sign of where financially motivated attacks are heading.

Key Insights 🔍

  • This attack was not invisible — but it was fragmented across systems that rarely talk to each other.
  • When identity recovery, trusted access paths, and payroll self-service converge, attackers gain a low-noise path to direct financial theft.
  • The initial access involved social engineering to reset the employee’s password and remove or reset existing MFA factors.
  • The attacker logged into the payroll platform and modified the employee’s banking details, initiating the direct deposit change.
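The insights above describe a chain that is visible only when identity-provider events (password reset, MFA factor removal) are read together with payroll events (direct deposit change). The following is an added illustration, not code from ARC Labs or from any payroll or identity vendor, of a cross-system correlation check that a SOC could run over exported audit logs; it also reflects the conclusion that a payroll change shortly after an identity recovery should be treated as a high-risk financial event. The log format, event names and the 72-hour window are assumptions chosen for the example, and the sample events are constructed.

```python
"""Flag direct deposit changes that follow identity-recovery events.

Assumed input: one event per line, "timestamp|system|user|event", exported
from two systems that normally do not share an alerting pipeline (an identity
provider and a payroll platform). Event names and the window are assumptions
for this example, not a vendor's schema.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Alice shows the attack pattern
# from the post: password reset, MFA factor removed, then a payroll change
# within the hour. Bob's reset is weeks before his change; Carol has no
# recovery event at all.
SAMPLE_EVENTS = [
    "2025-03-03T09:12:00|idp|alice@example.com|password_reset",
    "2025-03-03T09:14:30|idp|alice@example.com|mfa_factor_removed",
    "2025-03-03T09:40:05|payroll|alice@example.com|direct_deposit_changed",
    "2025-02-20T11:00:00|idp|bob@example.com|password_reset",
    "2025-03-05T16:20:00|payroll|bob@example.com|direct_deposit_changed",
    "2025-03-04T08:00:00|payroll|carol@example.com|direct_deposit_changed",
]

# Assumed event names for the two halves of the chain.
RECOVERY_EVENTS = {"password_reset", "mfa_factor_removed", "mfa_factor_reset"}
FINANCIAL_EVENTS = {"direct_deposit_changed"}


def parse_event(line):
    """Parse one pipe-delimited audit line into a dict."""
    ts, system, user, event = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "system": system,
            "user": user, "event": event}


def correlate(lines, window=timedelta(hours=72)):
    """Return one alert per direct deposit change that is preceded, within
    `window`, by at least one identity-recovery event for the same user.

    Severity is raised to "high" when an MFA factor was removed or reset,
    because that is the step that turns a password reset into full account
    takeover in the incident described.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    recoveries = {}   # user -> recovery events seen so far (time ordered)
    alerts = []
    for e in events:
        if e["event"] in RECOVERY_EVENTS:
            recoveries.setdefault(e["user"], []).append(e)
        elif e["event"] in FINANCIAL_EVENTS:
            prior = [r for r in recoveries.get(e["user"], [])
                     if timedelta(0) <= e["ts"] - r["ts"] <= window]
            if not prior:
                continue   # no recent recovery: normal self-service change
            first = prior[0]
            alerts.append({
                "user": e["user"],
                "deposit_change_at": e["ts"].isoformat(),
                "preceded_by": [r["event"] for r in prior],
                "minutes_since_first_recovery":
                    int((e["ts"] - first["ts"]).total_seconds() // 60),
                "severity": "high" if any(r["event"].startswith("mfa_")
                                          for r in prior) else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, only Alice is flagged: Bob's password reset is outside the window and Carol's change has no recovery event before it. In practice the alert would gate the payroll change behind out-of-band verification with the employee rather than merely notify, which is the process change the post argues for.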

The Shift in Cybercrime 📈

Payroll platforms combine attributes attackers love: guaranteed financial impact, low technical complexity, and high trust with low scrutiny. Over the past year, cybersecurity research has shifted from treating payroll diversion as a niche fraud vector to recognizing it as a distinct and growing cybercrime category — especially where identity and HR systems intersect.

In 2025, security research began identifying persistent, campaign-level activity specifically focused on SaaS HR systems like Workday — not just isolated scams. Microsoft Threat Intelligence documented financially motivated campaigns, tracked as Payroll Pirates, targeting SaaS HR platforms to redirect employee paychecks.

Conclusion 🏁

The strategic takeaway is that this isn’t just a security problem; it’s a business risk created by process design. Organizations need to treat payroll changes as high-risk financial events and elevate identity recovery workflows to the same risk tier as privileged access.


This post is licensed under CC BY 4.0 by the author.