You may be familiar with the story of bank robber Willie Sutton who, after being nailed by the cops, was asked why he robbed the bank. His answer (undoubtedly delivered in the most deadpan voice one can imagine): "Because that's where the money is."

Although criminals have gone high tech since the days of that old fashioned, pistol-packing bank robber, their motivations remain essentially unchanged. Over the past month or so we've been reminded of that very basic truth while watching the surge in phishing emails targeting payroll operations. Why target payroll? Because that's where the money is.

These phishes, which are almost all examples of CEO Fraud, take several different forms.

Pay Stub Phishing

A new strain of payroll phish that has surfaced over the past few months requests copies of pay stubs and wage statements. These are year-round social engineering attacks that build on the W-2 phishing campaigns that erupt every tax season. Malicious actors who already know how this kind of confidential employee data can be turned into fraud are now going after the same data all year long, not just in the months before the filing deadline.

These malicious emails are simple, direct, and dispense with any attempt to construct believable backstories or pretexts for the request. In short, they invite an unthinking, reflexive response from targeted users.

Screenshot #1

Several things eventually caught our eye. First, these phishing emails use almost identical language with small variations. Second, every single example that we've seen uses an oddball email address, all with nonsense usernames of similar length. We strongly suspect that this particular campaign is being run by a single group of malicious actors, and that this group is having success with the campaign, as it seems to have expanded significantly over the past 2-3 months.

Whoever this group is, the pay stub phishes we've seen tell us that these bad guys have done their research. The emails spoof presidents, CEOs, and other C-level executives within targeted organizations, and they almost unfailingly land in the inboxes of employees whose work involves payroll processing.
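The indicators described above (an executive's name in the display name but a sender address outside the company, a nonsense local part, and a request for payroll data) can be turned into a simple triage heuristic. The following is an added example, not code from the original post or from KnowBe4; the company domain, the executive directory, the scoring weights and the two sample messages are all constructed assumptions, not real captures.

```python
"""Heuristic triage for pay stub / CEO-fraud phishing emails.

Added example, not part of the original post. Scores a raw RFC 822 message
against the indicators the post describes. The domain, executive list and
sample messages below are assumptions constructed for the example.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed: the organization's own domain and a directory of executive names.
INTERNAL_DOMAINS = {"example-corp.com"}
EXECUTIVES = {"jane doe", "robert roe"}

# Phrases the post says these phishes ask for.
PAYROLL_TERMS = ("pay stub", "paystub", "wage statement", "w-2",
                 "direct deposit", "payroll", "bank account")


def looks_random(local_part: str) -> bool:
    """Flag local parts like 'xkqlmr8471': longish, vowel-poor, digit-heavy."""
    if len(local_part) < 6:
        return False
    letters = [c for c in local_part.lower() if c.isalpha()]
    if not letters:
        return True
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    digit_ratio = sum(c.isdigit() for c in local_part) / len(local_part)
    return vowel_ratio < 0.25 or (digit_ratio > 0.3 and vowel_ratio < 0.35)


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def score_message(raw: str) -> tuple[int, list[str]]:
    """Return (score, reasons). A score of 3 or more is worth a human look."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = b"" if msg.is_multipart() else (msg.get_payload(decode=True) or b"")
    text = (msg.get("Subject", "") + " " + body.decode("utf-8", "replace")).lower()

    score, reasons = 0, []
    local_part = addr.partition("@")[0]
    from_domain = domain_of(addr)
    external = bool(from_domain) and from_domain not in INTERNAL_DOMAINS

    # Indicator 1: an executive's name on an address outside the company.
    if name.strip().lower() in EXECUTIVES and external:
        score += 2
        reasons.append(f"executive display name '{name}' from external domain {from_domain}")

    # Indicator 2: nonsense sender username, as seen across this campaign.
    if looks_random(local_part):
        score += 1
        reasons.append(f"random-looking sender local part '{local_part}'")

    # Indicator 3: Reply-To points somewhere other than the From domain.
    if reply_to and domain_of(reply_to) != from_domain:
        score += 1
        reasons.append(f"Reply-To domain {domain_of(reply_to)} differs from From")

    # Indicator 4: the ask is for payroll data, and it comes from outside.
    hits = [t for t in PAYROLL_TERMS if t in text]
    if hits and external:
        score += 1
        reasons.append("payroll request from outside: " + ", ".join(hits))

    return score, reasons


# Constructed samples (not real messages): one phish, one legitimate request.
PHISH = """From: Jane Doe <xkqlmr8471@freemail.example>
Reply-To: Jane Doe <bsoh2p7kx@othermail.example>
To: payroll@example-corp.com
Subject: Pay stubs

Hi, can you send me copies of my last three pay stubs and wage statement today? Thanks, Jane
"""

LEGIT = """From: Jane Doe <jdoe@example-corp.com>
To: payroll@example-corp.com
Subject: Direct deposit form

Attached is the signed direct deposit form I dropped off this morning.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        score, reasons = score_message(raw)
        print(f"{label}: score={score}")
        for r in reasons:
            print("  -", r)
```

The weights are deliberately crude: the point is that none of these signals needs the message to carry malware, which is exactly why the post says anti-virus will not catch it. In practice the executive list would come from the directory, and a hit should route the message to a reviewer rather than block it outright, since an executive writing from a personal address does occasionally happen.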

Payroll Updates

Not content to nibble around the edges with fraudulent schemes based on purloined payroll data, some malicious actors have elected to go straight for the money with spoofed requests to change the bank accounts used to deposit the paychecks of CEOs, presidents, and other senior executives within targeted organizations.

Consider this rather simple email, which requests that employees in the payroll department of the targeted organization change the direct deposit information for a senior employee in the company:

Screenshot #1

Unfortunately, many of the targeted payroll employees have proven all too eager to respond to these requests, offering various forms of assistance.

Some employees respond by pointing the bad guys to online payroll services where they could presumably make the requested change themselves -- had they the login credentials to do so, of course.

Other employees helpfully request a voided check so that they can make the requested changes immediately without any further effort on the part of the bad guys.

Both of these responses have typically stymied the bad guys. These would-be fraud artists either don't have login credentials for the online payroll service or they can't produce a voided check for the account into which they want the direct deposits routed. Their usual response is to plead some inability to access the payroll service or to claim that their checkbooks have mysteriously taken a walk.

Adapt or Get Fleeced

There's a very clear lesson for employees to learn here. You can't expect all the bad guys to be completely inept all of the time. Life just isn't that easy, much to our chagrin. Yes, they do make mistakes. But they learn fast from those mistakes. They adapt. And then they come back to take another run at your organization's money and resources.

If your employees aren't learning and adapting as well, there may well come a day when some employees in your organization suddenly discover they aren't receiving paychecks any more, or they may wake up to find their identities have been hijacked and their tax refunds stolen. Then everyone lawyers up and life becomes very unpleasant for all involved.

And here's the thing: no anti-virus application is going to stop that from happening. There is no malware to be found here, just a plain-text email asking for a favor. Only users who have been stepped through the latest new-school security awareness training will ensure that everyone's money stays where it's supposed to.

We strongly suggest you get a quote for new-school security awareness training and find out how affordable it is for your organization. You simply have got to start training and phishing your users ASAP, because your filters never catch all of it. Get a quote now and you will be pleasantly surprised.
