Attackers Redirect Employee Paychecks, No System Breach

A seemingly simple phone call enabled a sophisticated attack that diverted employee paychecks, all without malware or a network breach.

An organization discovered this fraud when workers reported missing salary deposits. The attacker had modified direct-deposit information to funnel payments into accounts under their control.

This incident reveals a troubling trend where threat actors are abandoning complex technical methods and turning instead to social engineering that targets human vulnerability.

The attack began with social engineering tactics, a method increasingly favored by threat actors. According to Palo Alto Networks’ 2025 Unit 42 Global Incident Response Report, 36 percent of incidents examined started with social engineering campaigns.

The attacker impersonated employees and contacted multiple help desk teams across payroll, IT, and HR departments.

By gathering publicly available information from social media platforms, the attacker collected enough personal details to answer verification questions.

They then convinced help desk staff to reset passwords and re-enroll multi-factor authentication devices.

The attacker even called back repeatedly to identify which verification questions were being asked, improving their chances of success on subsequent attempts.

Palo Alto Networks analysts identified the attack’s persistence mechanism as particularly concerning. The threat actor registered an external email address as an authentication method within the organization’s Azure Active Directory environment.

This step demonstrated clear intent to maintain access beyond the immediate payroll theft. The attacker systematically compromised multiple employee accounts to access sensitive payroll data.

Once authenticated, the attacker modified direct-deposit information for several workers, redirecting their salary payments to attacker-controlled bank accounts.

The fraudulent activity went undetected for weeks because the legitimate credentials and valid multi-factor authentication made the transactions appear normal.

The Help Desk Vulnerability: A Critical Security Gap

Help desk operations represent one of the most overlooked security weak points in modern organizations.

Password resets and MFA re-enrollment procedures, when not properly secured, become high-impact vulnerabilities.

This incident demonstrates how human-driven workflows can bypass all technical safeguards.

Attackers understand that social engineering requires no malware development, exploit discovery, or network intrusion skills.

They simply need persuasive communication and publicly available information.

The investigation eventually contained the impact to three employee accounts, but it revealed deeper systemic issues throughout the organization’s security infrastructure.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.