Payroll Pirates: How Cybercriminals Are Hijacking Paychecks - American Society of Employers - Lauren Cromie


Payroll Pirates: How Cybercriminals Are Hijacking Paychecks

Cybersecurity teams have identified an undercover network of hackers targeting HR and payroll systems. They started out hitting the education and manufacturing industries, but with 200 interfaces and over 500,000 users already targeted and attacked, they are expanding rapidly. Named the Payroll Pirates, these cybercriminals target an employee's payroll record, steal the employee's credentials, and redirect pay. Rather than stealing data, they hijack processes and steal wages, and they often leave without a trace. As payroll systems become more digital and self-service driven, understanding how these attacks work and what companies can do to prevent them has never been more important.

So how do these hackers get in? They use phishing and malvertising, placing false ads in search engines. When an employee clicks one, they are directed to a fake landing page where they may enter their credentials. The attacker captures these credentials and enters them into the payroll system. Sometimes the attacker can even capture what is needed to bypass multi-factor authentication and other security measures. Once inside, they change direct-deposit details and route paychecks into their own bank accounts. They can even create email rules so the employee is unaware that their pay routing has been changed, or that they have been hacked at all, until a paycheck is missing. By then it is too late: the funds have already been rerouted.

Payroll system hacks are concerning for organizations as a whole, but they directly affect HR, causing financial loss for employees and reputational damage if the payroll system is compromised. There is also increased legal and compliance risk if personal data is misused, especially when the HR systems integrate with employee performance, benefits, health information, and personal banking information.

Hackers have gotten very creative, but there are still measures you can take to keep your employees and your organization safe. Start by reviewing your internal process for payroll changes and credential changes, and involve your IT department or partner with an IT/security company. They can conduct simulated phishing tests and recommend improved policies to ensure the highest possible compliance and security. IT procedures for resetting passwords or releasing credential information should involve additional identification requirements, so that a hacker cannot gain access by pretending to be the employee. Your payroll system needs to be more than just password-protected; it should also include a form of MFA (multi-factor authentication). If your payroll is run by a separate company, it is recommended that you verify their processes are secure and include additional safeguards as well. One way to enforce this is by requiring dual approval from HR and payroll for any direct-deposit or payroll change. Reducing risk also includes educating employees about unsafe ads and URLs and encouraging them to always use the safe links provided to them to access their pay. Additionally, train your employees to look out for multiple failed login attempts, new email rules, and unauthorized payroll changes, and to report them immediately.
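One way a security or IT team could put the last of those checks into practice, as an added example that is not from the article or its sources: a small Python script over constructed audit events (hypothetical record format and sample values) that flags a direct-deposit change preceded within 24 hours by repeated failed logins, a newly created inbox rule, or a login from an IP address the employee has not used before.

```python
from datetime import datetime, timedelta

# Constructed sample audit events in a hypothetical format:
# (ISO timestamp, user, event kind, detail). Not real data.
EVENTS = [
    ("2024-03-04T08:02:00", "jdoe", "login_failed", "203.0.113.7"),
    ("2024-03-04T08:02:30", "jdoe", "login_failed", "203.0.113.7"),
    ("2024-03-04T08:03:10", "jdoe", "login_success", "203.0.113.7"),
    ("2024-03-04T08:05:00", "jdoe", "inbox_rule_created", "move 'direct deposit' mail to Deleted"),
    ("2024-03-04T08:07:00", "jdoe", "direct_deposit_changed", "routing number updated"),
    ("2024-03-04T09:00:00", "asmith", "login_success", "198.51.100.5"),
    ("2024-03-04T09:30:00", "asmith", "direct_deposit_changed", "routing number updated"),
]
# IP addresses each employee has previously used (constructed baseline).
KNOWN_IPS = {"jdoe": {"198.51.100.10"}, "asmith": {"198.51.100.5"}}
WINDOW = timedelta(hours=24)


def parse(ts):
    return datetime.fromisoformat(ts)


def flag_deposit_changes(events, known_ips, window=WINDOW):
    """Return {user: [reasons]} for each direct-deposit change that follows
    one of the warning signs named in the article within `window`."""
    findings = {}
    events = sorted(events, key=lambda e: e[0])
    for i, (ts, user, kind, _detail) in enumerate(events):
        if kind != "direct_deposit_changed":
            continue
        t_change = parse(ts)
        # Only this user's events that happened before the change, inside the window.
        prior = [e for e in events[:i] if e[1] == user and t_change - parse(e[0]) <= window]
        reasons = []
        failed = sum(1 for e in prior if e[2] == "login_failed")
        if failed >= 2:
            reasons.append(f"{failed} failed logins before change")
        if any(e[2] == "inbox_rule_created" for e in prior):
            reasons.append("new inbox rule created before change")
        new_ips = {e[3] for e in prior if e[2] == "login_success"} - known_ips.get(user, set())
        if new_ips:
            reasons.append(f"login from unfamiliar IP {sorted(new_ips)}")
        if reasons:
            findings.setdefault(user, []).extend(reasons)
    return findings


if __name__ == "__main__":
    for user, reasons in flag_deposit_changes(EVENTS, KNOWN_IPS).items():
        print(f"REVIEW {user}: " + "; ".join(reasons))
```

A flagged change is a prompt for HR and payroll to confirm the request with the employee through a known channel before the next pay run, not proof of fraud on its own.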

Payroll pirates rely on trust, speed, and distraction to succeed. While no system is completely protected from cyber threats, strong internal controls, employee awareness, and close collaboration between HR, payroll, and IT can significantly reduce risk. By requiring multiple sign-offs for payroll changes, verifying requests, and staying alert to suspicious activity, organizations and employees can help protect both wages and sensitive data. As technology advances, these cyberattacks are likely to evolve as well. It is important that HR stay vigilant and proactive in prevention.


Sources: itbrew.com; okta.com; blog.checkpoint.com; Microsoft.com
