Payroll Pirates Target Employee Salaries
Payroll Pirates are hijacking HR software accounts to steal salaries from employees. A recent report from researchers revealed that the group, also known as Storm-2657, is attacking U.S.-based organizations, especially universities and other large employers.
However, experts warn that any company using online HR or payroll systems could be at risk. The attacks aim to reroute salary payments to bank accounts controlled by criminals.
How the Attacks Work
These hackers do not exploit software bugs. Instead, they rely on social engineering and weak security setups. They trick employees into revealing passwords and authentication codes through fake login pages sent via phishing emails.
Once the attackers gain access, they change payroll details to redirect payments. They also delete warning emails to stay undetected and enroll their own phone numbers as new multi-factor authentication (MFA) devices.
Examples from Recent Campaigns
In early 2025, one campaign targeted higher education staff. Attackers sent phishing links designed to capture both credentials and MFA codes. The stolen information gave them access to employee email and HR profiles through single sign-on systems.
For example, one report found that at least 11 accounts across three universities were compromised. Those accounts then sent nearly 6,000 phishing emails to other institutions. The messages often mentioned illnesses or misconduct, creating panic and prompting quick clicks.
Wider Impact Across Industries
Investigators found that Payroll Pirates have expanded beyond education. They have also targeted government offices, insurance groups, and retail employers. These sectors often have many staff members who may overlook small payroll changes.
Moreover, the attackers have created over 150 fake domains to support their phishing operations. Some campaigns may even aim to gather personal data for future identity theft.
How to Defend Against Payroll Pirates
Organizations can reduce risks by using phishing-resistant MFA methods like security keys. They should also enable alerts for any changes to banking or contact information within HR systems.
Additionally, it helps to adopt continuous monitoring services that detect suspicious account behavior and unauthorized MFA enrollments. Cybersecurity platforms offering advanced threat intelligence and anti-phishing protection can also prevent such incidents before they cause financial loss.
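The alerting advice above can be written as a correlation rule over audit events: a banking change is graded by whether a new MFA enrollment or deleted notification mail sits close to it in time. The following Python is an added example, not code from the report or any product; the event schema, user names, sample events and 24-hour window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events. The schema (ts, user, type, detail) is hypothetical
# and would be mapped from identity-provider, mailbox and HR audit logs.
EVENTS = [
    {"ts": "2025-03-03T09:02:00", "user": "a.lee", "type": "mfa_enroll",
     "detail": "sms +1-555-0100"},
    {"ts": "2025-03-03T09:07:00", "user": "a.lee", "type": "bank_change",
     "detail": "direct deposit account updated"},
    {"ts": "2025-03-03T09:10:00", "user": "a.lee", "type": "mail_delete",
     "detail": "subject: Your direct deposit was changed"},
    {"ts": "2025-03-04T14:00:00", "user": "b.kim", "type": "bank_change",
     "detail": "direct deposit account updated"},
    {"ts": "2025-02-01T08:00:00", "user": "c.roy", "type": "mfa_enroll",
     "detail": "security key"},
    {"ts": "2025-03-05T11:00:00", "user": "c.roy", "type": "bank_change",
     "detail": "direct deposit account updated"},
    {"ts": "2025-03-06T10:00:00", "user": "d.ng", "type": "mfa_enroll",
     "detail": "sms +1-555-0101"},
    {"ts": "2025-03-06T16:30:00", "user": "d.ng", "type": "bank_change",
     "detail": "direct deposit account updated"},
]

WINDOW = timedelta(hours=24)          # assumed correlation window
RANK = ["review", "medium", "high"]   # ascending severity

def triage(events, window=WINDOW):
    """Return {user: severity} for every user with a banking change."""
    by_user = {}
    for e in events:
        parsed = {**e, "ts": datetime.fromisoformat(e["ts"])}
        by_user.setdefault(e["user"], []).append(parsed)
    findings = {}
    for user, evs in by_user.items():
        for change in (e for e in evs if e["type"] == "bank_change"):
            # Events for the same user within the window around the change.
            near = {e["type"] for e in evs if abs(e["ts"] - change["ts"]) <= window}
            new_mfa = "mfa_enroll" in near    # new MFA device close to the change
            hidden = "mail_delete" in near    # notification mail deleted nearby
            if new_mfa and hidden:
                sev = "high"
            elif new_mfa or hidden:
                sev = "medium"
            else:
                sev = "review"                # every banking change still gets a look
            findings[user] = max(findings.get(user, "review"), sev, key=RANK.index)
    return findings

if __name__ == "__main__":
    for user, sev in sorted(triage(EVENTS).items()):
        print(f"{user}: {sev}")
```
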
Preventing Future Payroll Threats
To prevent payroll hijacking, companies should train employees to spot fake login pages and suspicious emails. Regular reviews of HR and payroll settings are essential.
Furthermore, advanced monitoring tools can automatically block fraudulent sign-in attempts and alert admins to unusual account activity. With stronger verification, smart automation, and continuous scanning, organizations can stay one step ahead of the Payroll Pirates.

