A newly identified phishing campaign, dubbed “Payroll Pirates” by threat researchers, is being used by cyber-criminals to gain access to employee accounts on HR-software platforms such as Workday and redirect paychecks into attacker-controlled bank accounts. The campaign has targeted U.S. universities and other organisations and has been active since early 2025.
How the Attack Works
The scam begins with highly convincing phishing emails sent to employees. These emails may reference urgent matters such as health exposures, payroll/benefits updates or internal investigations, and often impersonate trusted senders (e.g., university presidents, HR departments). The phishing links lead to adversary-in-the-middle (AiTM) pages that harvest login credentials and MFA codes as the user enters them.
Once the attacker obtains the credentials, they log into the employee’s email account and the HR platform (e.g., Workday) via single sign-on (SSO). In the email account they create inbox rules that delete or hide alerts and notifications from the HR system about changes being made, thereby reducing the chance the employee will notice the unauthorised activity.
In the HR system the attacker modifies the payroll or direct-deposit settings of the employee—changing bank account details so that future salary payments are routed to an account under the attacker’s control. They may also enrol their own MFA device or phone number for the victim account to ensure persistence of access.
Scope & Impact
Researchers have observed this campaign across multiple U.S. educational institutions. For example, one investigation found that between March 2025 and mid-2025, 11 employee accounts at three universities were compromised, leading to phishing emails being sent to nearly 6,000 other accounts across 25 institutions.
Although no vulnerability in the Workday platform itself has been reported, the scheme exploits weak or absent multifactor authentication (MFA) and heavy reliance on credentials plus email/SaaS access. The financial impact can be significant: diverted paychecks mean real monetary loss for employees and reputational/detection risk for organisations.
Why It’s So Effective
Several factors make the “Payroll Pirate” campaign particularly dangerous:
- The phishing emails are context-targeted and credible (e.g., referencing HR, health, faculty matters).
- The attackers do not stop at the initial compromise but set up persistence mechanisms (e.g., MFA device enrolment, inbox rules) to avoid detection.
- Because payroll systems control direct deposit, changing that data has immediate financial consequences.
- Organisations often lack comprehensive visibility across email + HR systems, so the sequence of events (email compromise → HR system access → payroll change) is hard to detect and respond to in real time.
What Organisations Should Do
To mitigate these kinds of attacks, security professionals and senior leaders should consider the following:
- Enforce phishing-resistant MFA (e.g., hardware security keys, FIDO2, passkeys) rather than relying solely on SMS or app-based codes.
- Monitor for suspicious email rules (in mailbox systems) that delete or move messages from HR-related services, and alert on unusual account behaviour.
- Audit HR system logs for “change my account”, “manage payment elections” or other direct-deposit or bank-account modification events, especially when paired with new MFA device enrolments.
- Ensure HR systems and email systems are correlated in monitoring: for example, when a mailbox rule is created AND a payroll change happens shortly after, that should raise an alert.
- Raise awareness among employees—especially in payroll, HR and faculty/staff—that payroll-related emails can be phishing lures, even when they appear internally plausible.
- Regularly review and clean up MFA device lists and new device enrolments, and ensure that unexpected device additions or phone numbers are verified.
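A minimal form of the cross-system correlation the monitoring points above call for (an inbox rule that hides HR mail, followed by a payroll change by the same user, escalated when an MFA enrolment sits between the two), written as an added example rather than code from the original article or from any vendor. The event shapes, user names, time window and the "Manage MFA Device" task name are assumptions, and the sample audit events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not from any real tenant); timestamps are UTC.
# Mailbox events mimic an Exchange-style "New-InboxRule" record; HR events use the
# task names the article cites plus an assumed "Manage MFA Device" task.
MAILBOX_EVENTS = [
    {"ts": "2025-04-02T13:05:00", "user": "jdoe", "op": "New-InboxRule",
     "rule": {"from_contains": "workday", "action": "delete"}},
    {"ts": "2025-04-02T09:00:00", "user": "asmith", "op": "New-InboxRule",
     "rule": {"from_contains": "newsletter", "action": "move"}},
]
HR_EVENTS = [
    {"ts": "2025-04-02T13:20:00", "user": "jdoe", "task": "Manage MFA Device"},
    {"ts": "2025-04-02T13:40:00", "user": "jdoe", "task": "Manage Payment Elections"},
    {"ts": "2025-04-03T10:00:00", "user": "asmith", "task": "Manage Payment Elections"},
]

HR_SENDER_HINTS = ("workday", "payroll", "benefits")   # senders attackers try to silence
PAYROLL_TASKS = {"Manage Payment Elections", "Change My Account"}
MFA_TASKS = {"Manage MFA Device"}                      # assumed task name

def parse(ts):
    return datetime.fromisoformat(ts)

def suspicious_rule(event):
    """Inbox rule that deletes or moves mail coming from HR/payroll senders."""
    rule = event["rule"]
    return (event["op"] == "New-InboxRule"
            and rule["action"] in ("delete", "move")
            and any(h in rule["from_contains"].lower() for h in HR_SENDER_HINTS))

def correlate(mailbox_events, hr_events, window_hours=24):
    """Alert when a suspicious inbox rule precedes a payroll change by the same
    user within the window; severity is raised if an MFA enrolment sits between."""
    window = timedelta(hours=window_hours)
    rules = {}
    for e in mailbox_events:
        if suspicious_rule(e):
            rules.setdefault(e["user"], []).append(parse(e["ts"]))
    alerts = []
    for h in hr_events:
        if h["task"] not in PAYROLL_TASKS:
            continue
        t = parse(h["ts"])
        for rt in rules.get(h["user"], []):
            if timedelta(0) <= t - rt <= window:
                mfa = any(m["user"] == h["user"] and m["task"] in MFA_TASKS
                          and rt <= parse(m["ts"]) <= t for m in hr_events)
                alerts.append({"user": h["user"], "rule_at": rt, "change_at": t,
                               "severity": "high" if mfa else "medium"})
    return alerts
```

In production the two event streams would come from the mail platform's audit log and the HR platform's activity log respectively; the same join logic applies.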
Executive & Risk Perspective
From a board/leadership perspective, this campaign signals a couple of broader risk themes:
- Control & process risk: It isn’t a product vulnerability that is exploited, but the alignment of multiple weak controls and human-factor vulnerabilities (phishing + weak MFA + mailbox rules + payroll access) that creates major exposure.
- Financial & reputational risk: Diverted payroll payments create direct monetary loss, possible regulatory scrutiny (especially in education institutions), and materially affect trust in HR/business-operations processes.
- Cross-system risk recognition: Attacks that span email systems and HR/payroll systems require integrated visibility—security teams must bridge siloed domains (identity, email, HR systems) to detect and respond effectively.
Final Thoughts
The “Payroll Pirate” campaign reminds us that even well-established cloud services and HR platforms can be compromised through chained attacks that exploit human factors and weak authentication rather than technical flaws. Organisations using SaaS systems for payroll, HR or bank-account management should treat these as high-risk systems and apply the same rigorous controls typically reserved for financial transaction systems.
The key takeaway: protecting employee bank-account settings and payroll data is not just an HR IT issue—it is a cyber-risk, financial-risk and business-continuity issue.
