FBI Warns of Cyber-Thieves Targeting Payroll Accounts

Cybercriminals are targeting the online payroll accounts of employees in a variety of industries to divert funds, the Federal Bureau of Investigation (FBI) warns.

According to an alert from the FBI’s Internet Complaint Center (IC3), numerous such attacks have already been reported, with education, healthcare, and commercial airway transportation being the most impacted industries.

The preferred attack method is phishing, which allows cybercriminals to capture an employee’s login credentials. Armed with this information, the cybercriminals then access the employee’s payroll account and swiftly change their bank account information.

The cyber-thieves also add rules to the employees’ payroll accounts to ensure that they do not receive alerts regarding direct deposit changes. Next, the attackers change direct deposits and redirect them to accounts they control.

Payroll diversion, the FBI says, can be mitigated by educating employees about the scheme and informing them of preventative strategies and of the appropriate reactive measures to take once a breach has occurred.

“Instruct employees to hover their cursor over hyperlinks included in emails they receive to view the actual URL. Ensure the URL is actually related to or associated with the company it purports to be from,” the FBI says.

Phishing relying on URLs is successful due to the use of links that closely resemble those of websites owned by the organizations they purport to be from, but instead take the victim to pages controlled by the attackers.

The FBI also notes that instructing employees to not provide log-in credentials or personally identifying information in response to any email should mitigate phishing risks as well. Employees should also be taught to forward any suspicious requests for personal information to the information technology or human resources department.

Organizations should also ensure that the credentials used for payroll purposes are different from those used for other purposes. Applying heightened scrutiny to bank information when employees initiate an update or change to their direct deposit credentials, and monitoring employee logins that occur outside normal business hours, should also mitigate the risks associated with payroll diversion.
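The sequence the alert describes (a login, a rule that suppresses alerts, then a direct deposit change) and the off-hours login monitoring recommended above can be combined into one review rule. The following is an added example, not code from the FBI alert or from SecurityWeek; the event layout, action names, business-hours range and 24-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

BUSINESS_HOURS = range(8, 18)   # assumption: 08:00-17:59 local time, Mon-Fri
WINDOW = timedelta(hours=24)    # assumption: correlate events within one day

# Constructed sample audit events: (timestamp, user, action).
# The action names are hypothetical, not taken from any payroll product.
EVENTS = [
    ("2018-09-18T02:14:00", "asmith", "login"),
    ("2018-09-18T02:16:00", "asmith", "notification_rule_added"),
    ("2018-09-18T02:19:00", "asmith", "direct_deposit_changed"),
    ("2018-09-18T10:05:00", "bjones", "login"),
    ("2018-09-18T10:09:00", "bjones", "direct_deposit_changed"),
    ("2018-09-19T23:40:00", "cdoe", "login"),
]

def off_hours(ts):
    """True on weekends or outside the assumed business hours."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def review_queue(events):
    """Return {user: sorted reasons} for deposit changes needing manual review."""
    recent = {}    # user -> [(timestamp, action)] still inside WINDOW
    flagged = {}
    for raw_ts, user, action in sorted(events):
        ts = datetime.fromisoformat(raw_ts)
        history = [(t, a) for t, a in recent.get(user, []) if ts - t <= WINDOW]
        if action == "direct_deposit_changed":
            reasons = set()
            if any(a == "login" and off_hours(t) for t, a in history):
                reasons.add("off-hours login before change")
            if any(a == "notification_rule_added" for t, a in history):
                reasons.add("alert rule added before change")
            if off_hours(ts):
                reasons.add("change made off-hours")
            if reasons:
                flagged.setdefault(user, set()).update(reasons)
        recent[user] = history + [(ts, action)]
    return {u: sorted(r) for u, r in flagged.items()}

if __name__ == "__main__":
    for user, reasons in review_queue(EVENTS).items():
        print(user, "->", "; ".join(reasons))
```

A flagged change is a prompt to confirm the new bank details with the employee through a separate channel before the next payroll run, not proof of compromise.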

Furthermore, organizations are advised to restrict access to the Internet on systems handling sensitive information and to consider adopting two-factor authentication for access to sensitive systems and information. Allowing only required processes to run on systems handling sensitive information is yet another mitigating factor.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
