April 15, 2026 Cyber Trends
Attackers are hijacking identities through help desk resets and HR payroll portals to reroute direct deposits. Controls, detections, and response steps.
Payroll Diversion Fraud Is Moving Upstream: Help Desks and Identity Recovery Are the New Entry Point
Payroll fraud used to look like a finance scam. A spoofed email hits HR, a direct deposit change gets processed, and the problem surfaces on payday. What is changing is the initial access path. Attackers are now targeting the identity recovery workflow itself, using help desk social engineering to reset passwords and multi-factor authentication, then using legitimate access to reach HR and payroll systems and reroute paychecks.
This shift matters because it bypasses many controls organizations built to stop malware and phishing. The attacker does not need to drop ransomware or exploit a vulnerability. They need a trusted workflow, a convincing story, and an internal process that treats account recovery as routine IT support rather than a security event.
What happened
The Register described a payroll diversion incident at a healthcare organization in which the attacker relied primarily on people and process exploitation rather than malware. The attacker accessed a shared mailbox, used it to understand internal context, then called the help desk impersonating a physician who urgently needed access to see patients. The help desk reset the password and reset MFA, effectively handing the attacker a clean identity takeover.
From there, the attacker authenticated through the organization’s virtual desktop infrastructure, registered new authentication devices, accessed the payroll platform, and changed direct deposit details to an attacker-controlled account. Because the activity came from a trusted internal environment, telemetry looked more like normal user behavior than an external compromise. The organization only realized something was wrong when the physician reported missing pay.
Why this attack pattern is hard to catch
It is identity theft disguised as normal operations
Traditional detection often keys on malware, suspicious email, impossible travel, or obvious brute force. Payroll diversion via help desk resets replaces those signals with authorized actions: password reset, MFA reset, successful login, payroll profile update. Many environments treat these events as routine noise rather than a correlated attack chain.
Trusted paths reduce scrutiny
Binary Defense highlighted a key tradecraft evolution: using VDI as an implicitly trusted access path to reach SaaS applications. If conditional access or monitoring is tuned to flag risky external access, VDI-originated sessions can look “safe” by default. That default trust creates a blind spot attackers can deliberately exploit.
HR and payroll SaaS is a financial impact shortcut
Microsoft has documented “payroll pirate” activity targeting HR platforms such as Workday, where attackers compromise identity, manipulate MFA and inbox rules, then change payroll elections or bank details. The incentive is simple: guaranteed cashout with low technical complexity.
InfoSight perspective: treat identity recovery and payroll changes as high-risk control points
Security programs still over-index on perimeter tooling while under-investing in workflow hardening. The practical lesson is that identity recovery is not IT support. It is a privileged action. Payroll changes are not HR self-service. They are a financial transaction.
This is the control mindset that closes the gap attackers are using.
Controls that reduce payroll diversion risk
1) Lock down help desk-driven account recovery
Account recovery is now an initial access vector. Controls need to reflect that.
Require high-assurance identity verification for password resets and MFA resets, with approval gates for high-risk roles and privileged access
Use out-of-band verification that does not rely on easily harvested personal information
Block same-call MFA reset plus password reset unless a second verifier approves
Record and audit recovery actions, then feed them into security monitoring as first-class signals
2) Make phishing-resistant MFA the default for sensitive access
Microsoft’s mitigation guidance for these campaigns emphasizes eliminating traditional credentials where possible and using phishing-resistant methods such as FIDO2 keys, Windows Hello for Business, or passkey-based approaches tied to authentication strength policies. This reduces the value of social-engineered resets and credential replay.
3) Treat payroll banking changes as high-risk events
Payroll diversion succeeds because changing direct deposit is often too easy.
Require step-up authentication for bank changes, even when the session is “trusted”
Add a hold period for newly changed direct deposit, plus secondary verification before funds route to a new account
Require dual approval for changes, separating requester identity from approver authority
Ensure notifications go to channels attackers cannot easily suppress
4) Correlate identity events with HR SaaS events
Attackers win in the seams between systems. Defenders need cross-system correlation.
Minimum correlations worth operationalizing:
Password reset or MFA reset followed by payroll banking change within 24–72 hours
New device or new MFA method registration followed by Workday payment election changes
VDI session initiation followed by first-time access to HR and payroll functions
5) Monitor for the specific artifacts attackers create
Microsoft documented inbox rule behavior designed to suppress Workday notifications and hide evidence, plus patterns like MFA device enrollment to maintain access. These are high-signal indicators when tied to payroll workflows.
Binary Defense also called out behavioral patterns such as repeated low-activity logins focused narrowly on payroll pages and administrative authentication factor changes initiated “on behalf of” a user. Treat those as security events, not administrative trivia.
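The correlations listed under 4) and the artifacts listed under 5), run over a few constructed log lines, as an added example in Python that is not part of the original article or any vendor tooling. The log format, the field names (`initiated_by`, `subject_contains`, `rule_action`), the sample lines and the 72-hour window are assumptions made for illustration; map them onto your own help desk, IdP, VDI, mailbox and Workday audit schemas.

```python
"""Correlate identity recovery, VDI, mailbox and HR SaaS events into
payroll-diversion findings.

Added example, not InfoSight's or any vendor's code. Log format, field
names, sample lines and the 72-hour window are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

WINDOW = timedelta(hours=72)           # upper end of the 24-72h range in the text; tune per environment
RECOVERY = {"password_reset", "mfa_reset"}
ENROLLMENT = {"device_registered", "mfa_method_added"}
PAYROLL_CHANGE = {"bank_account_change", "payment_election_change"}
HR_ACCESS = {"hr_access"} | PAYROLL_CHANGE
PAYROLL_WORDS = ("workday", "payroll", "direct deposit", "payment election")
HIDING_ACTIONS = {"delete", "move_to_folder", "mark_read"}

# Constructed sample log: "<ts> <source> <user> <action> [key=value ...]".
# dr.smith mirrors the physician-impersonation chain in the article; nurse.lee
# and admin.kim are neighbours that must not trip the chained rules.
SAMPLE_LOG = [
    "2026-04-01T08:02:11Z helpdesk dr.smith password_reset initiated_by=helpdesk.agent7",
    "2026-04-01T08:03:40Z helpdesk dr.smith mfa_reset initiated_by=helpdesk.agent7",
    "2026-04-01T08:20:05Z vdi dr.smith vdi_session_start",
    "2026-04-01T08:25:33Z idp dr.smith mfa_method_added initiated_by=dr.smith method=authenticator",
    "2026-04-01T08:31:12Z mailbox dr.smith inbox_rule_created name=cleanup subject_contains=Workday rule_action=delete",
    "2026-04-01T08:40:57Z hr_saas dr.smith payment_election_change",
    "2026-04-01T09:10:00Z hr_saas dr.smith bank_account_change",
    "2026-03-20T10:00:00Z hr_saas nurse.lee hr_access",
    "2026-04-02T12:00:00Z idp nurse.lee password_reset initiated_by=nurse.lee",
    "2026-04-06T13:00:00Z hr_saas nurse.lee bank_account_change",   # 97h after reset: outside window
    "2026-04-03T09:00:00Z idp admin.kim mfa_method_added initiated_by=svc.helpdesk method=phone",
]


class Finding(NamedTuple):
    rule: str
    user: str
    trigger_ts: datetime   # earlier event that makes the later one suspicious
    event_ts: datetime


def parse_line(line):
    """Parse one constructed log line into an event dict."""
    ts, source, user, action, *pairs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
             "source": source, "user": user, "action": action}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def _last_within(recent, actions, now):
    """Most recent timestamp among `actions` that falls inside WINDOW before `now`."""
    hits = [recent[a] for a in actions if a in recent and now - recent[a] <= WINDOW]
    return max(hits) if hits else None


def _hides_payroll_mail(event):
    """Inbox rule whose conditions mention payroll and whose action buries the mail."""
    text = " ".join(event.get(k, "") for k in ("name", "subject_contains", "from_contains")).lower()
    return event.get("rule_action") in HIDING_ACTIONS and any(w in text for w in PAYROLL_WORDS)


def correlate(events, known_hr_users=frozenset()):
    """Run the five correlations per user over time-ordered events.
    known_hr_users: identities with an established HR/payroll baseline, so
    rule 3 only fires for first-time access."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)
    findings = []
    for user, evs in sorted(by_user.items()):
        evs.sort(key=lambda e: e["ts"])
        recent = {}                         # action -> most recent timestamp
        seen_hr = user in known_hr_users
        for e in evs:
            act, now = e["action"], e["ts"]
            if act in PAYROLL_CHANGE:
                t = _last_within(recent, RECOVERY, now)      # 1) reset -> banking change
                if t:
                    findings.append(Finding("reset_then_payroll_change", user, t, now))
                t = _last_within(recent, ENROLLMENT, now)    # 2) new device/MFA -> election change
                if t:
                    findings.append(Finding("enrollment_then_payroll_change", user, t, now))
            if act in HR_ACCESS:                             # 3) VDI -> first-time HR access
                t = _last_within(recent, {"vdi_session_start"}, now)
                if t and not seen_hr:
                    findings.append(Finding("vdi_then_first_hr_access", user, t, now))
                seen_hr = True
            if act == "inbox_rule_created" and _hides_payroll_mail(e):   # 4) notification suppression
                findings.append(Finding("payroll_notification_suppression", user, now, now))
            if act in RECOVERY | ENROLLMENT and e.get("initiated_by", user) != user:
                findings.append(Finding("factor_change_on_behalf_of", user, now, now))  # 5)
            recent[act] = now
    return findings


def rules_for(findings, user):
    """Sorted, de-duplicated rule names raised for one identity."""
    return sorted({f.rule for f in findings if f.user == user})


if __name__ == "__main__":
    for f in correlate(parse_line(l) for l in SAMPLE_LOG):
        print(f"{f.event_ts:%Y-%m-%d %H:%M} {f.user:<10} {f.rule} (trigger {f.trigger_ts:%H:%M})")
```

On the sample, dr.smith raises all five rules (eight findings in total), nurse.lee raises none because the banking change lands 97 hours after a self-service reset, and admin.kim raises only the on-behalf-of factor change. The look-back keys on the most recent trigger per action, so a help desk reset that is followed days later by a banking change still scores if it sits inside the window; widen or narrow WINDOW and populate known_hr_users from real history before putting this in front of an analyst.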
Response actions when payroll diversion is suspected
Speed matters because payroll funds can move quickly through mule accounts or prepaid mechanisms, and the first external symptom can be a missing paycheck.
Operational priorities:
Revoke sessions and tokens for the affected identity, reset credentials, and remove unauthorized MFA methods
Review help desk logs and identity provider audit logs for reset events, device additions, and anomalous enrollment
Validate HR SaaS audit trails for payment election changes and profile modifications
Revert unauthorized payroll changes, notify payroll operations, and coordinate with the financial institution immediately
Expand scope: search for other identities with recent recovery events and similar payroll modifications in the same time window
Why this keeps happening
The FBI has warned for years that payroll diversion shows up as a BEC evolution, with HR and payroll teams receiving convincing change requests or attackers directly taking over accounts to alter routing. The underlying issue is structural: payroll workflows were designed for convenience and scale, not adversarial pressure.
As long as organizations treat identity recovery and payroll updates as low-friction self-service, attackers will keep choosing this path. It offers a clean profit model, low noise, and a high likelihood of late discovery.
Key takeaways for security, HR, and finance leadership
Help desk identity recovery is an initial access channel and needs security-grade controls
Trusted access paths like VDI should increase scrutiny, not reduce it
Payroll banking changes require step-up controls, verification, and correlation across identity and HR SaaS
Detection improves materially when password and MFA resets are linked to downstream payroll actions