When Paychecks Become the Prize - A Deeper Look at the Rise of Direct Deposit Attacks
When Paychecks Become the Prize 🚀
Ransomware may dominate headlines, but some of the most effective modern attacks don’t rely on malware at all. Instead, attackers are exploiting identity workflows, trusted access paths, and payroll self-service features to quietly steal money — one paycheck at a time.
ARC Labs recently investigated an attack where an adversary redirected an employee’s salary by modifying direct deposit information in a payroll platform after compromising the user’s identity account. The attack was technically simple, operationally precise, and deliberately low-noise. This is not an anomaly; it’s a sign of where financially motivated attacks are heading.
Key Insights 🔍
- This attack was not invisible — but it was fragmented across systems that rarely talk to each other.
- When identity recovery, trusted access paths, and payroll self-service converge, attackers gain a low-noise path to direct financial theft.
- The initial access involved social engineering to reset the employee’s password and remove or reset existing MFA factors.
- The attacker then logged into the payroll platform with the recovered account and changed the employee's direct deposit banking details; each step looked like a routine help-desk reset or a routine self-service update in the system that recorded it.
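The detection gap described in the insights above (the password reset and MFA change land in identity-provider logs, the banking change lands in payroll logs, and neither system alerts on its own) closes when the two streams are joined on user and time. The following is an added example written for this page, not ARC Labs' tooling; the event names, field layout, sample log entries and the 72-hour lookback window are assumptions chosen for illustration:

```python
# Added example (not ARC Labs' code): correlate identity-recovery events
# with payroll direct-deposit changes so that two log streams which rarely
# talk to each other produce a single alert. Field names, event names and
# the 72-hour window are assumptions; map your own IdP and payroll events
# onto them.
from collections import defaultdict
from datetime import datetime, timedelta

# Identity-provider events that mean an account was recovered or its MFA
# weakened. Hypothetical names chosen for this example.
RECOVERY_ACTIONS = {"password_reset", "mfa_factor_removed", "mfa_factor_reset"}
WINDOW = timedelta(hours=72)  # assumed lookback measured from the payroll change

# Constructed sample events (not real logs). "jdoe" follows the attack chain
# in the article: help-desk password reset, MFA factor removed, then a
# direct-deposit change roughly twelve hours later. "asmith" is a benign
# self-service reset weeks before an unrelated banking update.
IDENTITY_EVENTS = [
    {"ts": "2025-03-03T14:02:11Z", "user": "jdoe", "action": "password_reset", "actor": "helpdesk"},
    {"ts": "2025-03-03T14:05:40Z", "user": "jdoe", "action": "mfa_factor_removed", "actor": "helpdesk"},
    {"ts": "2025-03-03T14:09:02Z", "user": "jdoe", "action": "mfa_factor_enrolled", "actor": "jdoe"},
    {"ts": "2025-02-20T09:00:00Z", "user": "asmith", "action": "password_reset", "actor": "asmith"},
]
PAYROLL_EVENTS = [
    {"ts": "2025-03-04T02:31:55Z", "user": "jdoe", "action": "direct_deposit_changed",
     "old_routing": "021000021", "new_routing": "091000019"},
    {"ts": "2025-03-04T02:35:10Z", "user": "jdoe", "action": "w4_viewed"},
    {"ts": "2025-03-10T11:00:00Z", "user": "asmith", "action": "direct_deposit_changed",
     "old_routing": "021000021", "new_routing": "026009593"},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(identity_events, payroll_events, window=WINDOW):
    """Return one alert per direct-deposit change that follows an account
    recovery or MFA-weakening event for the same user within `window`."""
    recoveries = defaultdict(list)
    for event in identity_events:
        if event["action"] in RECOVERY_ACTIONS:
            recoveries[event["user"]].append((parse_ts(event["ts"]), event))

    alerts = []
    for change in payroll_events:
        if change["action"] != "direct_deposit_changed":
            continue
        changed_at = parse_ts(change["ts"])
        # Only recovery events that happened *before* the change and inside
        # the window count; later resets are a different story.
        related = [
            (ts, ev) for ts, ev in recoveries.get(change["user"], [])
            if timedelta(0) <= changed_at - ts <= window
        ]
        if not related:
            continue
        last_ts, _ = max(related, key=lambda pair: pair[0])
        actions = sorted({ev["action"] for _, ev in related})
        alerts.append({
            "user": change["user"],
            "change_ts": change["ts"],
            "new_routing": change.get("new_routing"),
            "recovery_actions": actions,
            "minutes_since_last_recovery": int((changed_at - last_ts).total_seconds() // 60),
            # Removal of an existing MFA factor shortly before a banking change
            # is the strongest sign that someone other than the employee is
            # driving the account, so it gets the higher severity.
            "severity": "high" if "mfa_factor_removed" in actions else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(IDENTITY_EVENTS, PAYROLL_EVENTS):
        print(alert)
```

Run as-is, the block raises one high-severity alert for jdoe (MFA factor removed, password reset, banking change 746 minutes later) and nothing for asmith, whose reset falls outside the window. When tuning the window against real logs, make it at least as long as the gap between a payroll change cut-off and the pay run, since an attacker has no reason to hurry once the reset has succeeded.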
The Shift in Cybercrime 📈
Payroll platforms combine attributes attackers love: guaranteed financial impact, low technical complexity, and high trust with low scrutiny. Over the past year, cybersecurity research has shifted from treating payroll diversion as a niche fraud vector to recognizing it as a distinct and growing cybercrime category — especially where identity and HR systems intersect.
In 2025, security research began identifying persistent, campaign-level activity specifically focused on SaaS HR systems like Workday — not just isolated scams. Microsoft Threat Intelligence documented financially motivated campaigns, tracked as Payroll Pirates, targeting SaaS HR platforms to redirect employee paychecks.
Conclusion 🏁
The strategic takeaway is that this isn't just a security problem; it's a business risk created by process design. Organizations need to treat payroll changes as high-risk financial events (confirmed out of band with the employee before a new account receives funds, and correlated with recent identity activity rather than reviewed in isolation) and elevate identity recovery workflows, in particular help-desk password resets and MFA factor removals, to the same risk tier as privileged access.