**Payroll Pirates: Conning Help Desks to Steal Workers' Identities and Redirect Paychecks**
Imagine waking up one morning to find that your hard-earned paycheck has been diverted into the account of a stranger. For many workers, this nightmare scenario is becoming increasingly real as payroll pirates use social engineering tactics to exploit business processes and steal identities.
A recent case investigated by Binary Defense's threat research group ARC Labs highlights the sophistication and cunning of these attackers. In December 2025, a thief successfully redirected a physician's salary into their own account using a simple yet effective attack that started with a help-desk call.
"This was a combination of exploiting people and processes rather than technology," said John Dwyer, deputy CTO and head of ARC Labs. "It's technology-adjacent. This was identity theft from pure-play social engineering into exploiting a weaker-than-advised process internally to gain access."
The attackers gained access to the physician's account by compromising credentials belonging to a shared mailbox at a healthcare facility. While Binary Defense's incident responders couldn't determine how the attacker obtained the credentials, Dwyer suspects that it may have been through an earlier breach.
Once inside, the attacker snooped around and determined whose identity to assume when calling the help desk to request a password and multi-factor authentication (MFA) reset. The fake physician's name and access level checked out, so the help desk employee reset the password and MFA token, giving the attacker access to the account.
"The call basically went that this person can't log into their account, they have patients they need to see right now, they need to get immediate access," Dwyer recalled. This allowed the attacker to "recover" the physician's identity and authenticate from the healthcare organization's own virtual desktop infrastructure, registering new authentication devices to the account and logging into the Workday payroll system.
Once in the Workday system, the crook changed the banking and direct deposit details to reroute the physician's paycheck into an attacker-controlled account. This brazen attack highlights the ease with which attackers can exploit business processes and identities to steal sensitive information.
"This is about process exploitation and the hijacking of identities, which makes it extraordinarily hard to identify malicious versus normal identity behavior," Dwyer noted. "Identity is the new perimeter, and this is a new threat vector in which your persona needs to be treated like a privileged asset, rather than just your computer or your phone."
The case study underscores the security threats surrounding shared mailboxes and highlights how payroll and HR platforms should be viewed as high-value targets for attackers. To mitigate these risks, organizations must treat payroll information as a telemetry stream for threat detection and view payroll changes as high-risk financial events.
"The good news is we already have a model around this – lessons learned from wire fraud and pay and accounts payable fraud apply here," Dwyer said. "Changes that are made to direct deposit information should have to be confirmed in some mechanism, there should be a temporary holding period while it goes through some sort of fraud detection review."
While organizations possess the technology to implement these measures, they often lack the processes in place to address this type of security and business risk. "Organizations need to consider direct deposit as a legitimate, viable threat vector," Dwyer cautioned. "If I was a business leader, I would want to get ahead of this, because I wouldn't want to get into some sort of arbitration with an employee over a lost paycheck."
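The controls Dwyer describes (treat a direct-deposit change as a high-risk financial event, hold it, and confirm it out of band) can be expressed as a small correlation rule. The following is an added example written for this article, not code from Binary Defense or Workday; the event names, field names and risk weights are hypothetical, and the sample events are constructed to mirror the case above (help-desk password and MFA reset, then a new device registration, then a bank-details change within the hour). Every change is held; one preceded by identity resets is escalated to fraud review, and confirmation is routed only to contact details that predate the suspicious identity events.

```python
"""Risk-score direct-deposit changes against recent identity events.

Added example; field names, event kinds and weights are assumptions,
not any payroll vendor's schema.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class IdentityEvent:
    user: str
    kind: str            # e.g. "helpdesk_password_reset", "mfa_reset", "new_device_registered"
    at: datetime
    source: str = ""     # where it originated: "helpdesk", "vdi", "self-service"


@dataclass
class DepositChange:
    user: str
    at: datetime
    new_account_last4: str
    changed_by: str      # identity that performed the edit


@dataclass
class Contact:
    user: str
    channel: str         # "mobile", "email", ...
    value: str
    added_at: datetime   # when this contact was put on file


@dataclass
class Decision:
    status: str                      # "hold_pending_confirmation" or "hold_and_escalate"
    score: int
    release_after: datetime
    reasons: list[str] = field(default_factory=list)


# Hypothetical weights: identity resets shortly before a bank change are the strongest signal.
RISKY_IDENTITY_EVENTS = {
    "helpdesk_password_reset": 40,
    "mfa_reset": 40,
    "new_device_registered": 20,
}


def risky_events_before(change: DepositChange, events: list[IdentityEvent],
                        lookback: timedelta) -> list[IdentityEvent]:
    """Identity events for the same user inside the lookback window ending at the change."""
    start = change.at - lookback
    return [e for e in events
            if e.user == change.user and start <= e.at <= change.at
            and e.kind in RISKY_IDENTITY_EVENTS]


def assess_deposit_change(change: DepositChange, events: list[IdentityEvent],
                          lookback: timedelta = timedelta(days=7),
                          hold: timedelta = timedelta(days=3),
                          escalate_at: int = 50) -> Decision:
    """Every change is held for `hold`; scores at or above `escalate_at` go to fraud review."""
    score, reasons = 0, []
    for ev in risky_events_before(change, events, lookback):
        score += RISKY_IDENTITY_EVENTS[ev.kind]
        reasons.append(f"{ev.kind} via {ev.source or 'unknown'} {change.at - ev.at} before change")
    if change.changed_by != change.user:       # edit made on the worker's behalf by another account
        score += 30
        reasons.append(f"changed by {change.changed_by}, not the account owner")
    status = "hold_and_escalate" if score >= escalate_at else "hold_pending_confirmation"
    return Decision(status, score, change.at + hold, reasons)


def confirmation_contacts(change: DepositChange, events: list[IdentityEvent],
                          contacts: list[Contact],
                          lookback: timedelta = timedelta(days=7)) -> list[Contact]:
    """Contacts safe to use for out-of-band confirmation: those on file before the
    earliest risky identity event, so a contact added by the hijacker is never used."""
    risky = risky_events_before(change, events, lookback)
    cutoff = min((e.at for e in risky), default=change.at)
    return [c for c in contacts if c.user == change.user and c.added_at < cutoff]


# Constructed sample data mirroring the case: reset, MFA reset, new device, then a bank change.
T = datetime(2025, 12, 2, 9, 0)
SAMPLE_EVENTS = [
    IdentityEvent("dr.smith", "helpdesk_password_reset", T, "helpdesk"),
    IdentityEvent("dr.smith", "mfa_reset", T + timedelta(minutes=5), "helpdesk"),
    IdentityEvent("dr.smith", "new_device_registered", T + timedelta(minutes=30), "vdi"),
    IdentityEvent("nurse.lee", "helpdesk_password_reset", T - timedelta(days=30), "helpdesk"),
]
SAMPLE_CONTACTS = [
    Contact("dr.smith", "mobile", "+1-555-0100", datetime(2024, 1, 15)),
    Contact("dr.smith", "email", "alt@example.invalid", T + timedelta(minutes=40)),  # added post-reset
]
SUSPICIOUS_CHANGE = DepositChange("dr.smith", T + timedelta(minutes=75), "4242", "dr.smith")
ROUTINE_CHANGE = DepositChange("nurse.lee", T + timedelta(days=1), "1234", "nurse.lee")

if __name__ == "__main__":
    for change in (SUSPICIOUS_CHANGE, ROUTINE_CHANGE):
        d = assess_deposit_change(change, SAMPLE_EVENTS)
        ok = confirmation_contacts(change, SAMPLE_EVENTS, SAMPLE_CONTACTS)
        print(change.user, d.status, d.score, d.reasons, [c.value for c in ok])
```

The design choice worth noting is in `confirmation_contacts`: confirmation must go to a channel that existed before the help-desk reset, because an attacker who has just re-registered MFA devices will also have had the chance to add a new phone or e-mail to the profile. The routine change is still held for the holding period the article recommends; it simply does not go to review.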
In the face of these evolving threats, organizations must prioritize identity protection and develop robust processes to detect and prevent payroll scams.