Cybercriminals Targeting Payroll Sites

Microsoft is warning of a scam involving online payroll systems. Criminals use social engineering to steal people’s credentials, and then divert direct deposits into accounts that they control. Sometimes they do other things to make it harder for the victim to realize what is happening.

I feel like this kind of thing is happening everywhere, with everything. As we move more of our personal and professional lives online, we enable criminals to subvert the very systems we rely on.

Posted on November 4, 2025 at 7:05 AM • 4 Comments

Comments

KC November 4, 2025 9:02 AM

Why, in part, target higher-ed?

I don’t know who will ultimately be out the money, but gosh, I’d be highly tempted to enforce MFA.

To mitigate the risk posed by Storm-2657, it’s recommended to adopt passwordless, phishing-resistant MFA methods such as FIDO2 security keys, and review accounts for signs of suspicious activity, such as unknown MFA devices and malicious inbox rules.

The phishing lure themes were/are ones I imagine could be effective. Subjects like Covid/communicable illness, conduct reports, compensation/benefits updates. Ugh.

Does anyone have thoughts on setting up FIDO2 security keys?

fred.bloggs November 4, 2025 10:53 AM

I’m on a personal crusade to stop having a person’s birthdate as an authentication item. It is simply too widely visible.

For example, a Driver’s License will have name, birthdate, address and facial photo information, and the same would be true of a passport.

Many companies use “birthdate” as an “authenticator”; I suspect that a stronger reason is that a name, such as “Fred Bloggs”, might not be sufficiently unique, and appending the birthdate significantly helps with disambiguation.

Finally, a warning: If strong “Age Fencing” on content is enforced, such as in the proposal by the Australian Government, then birthdate proliferation will significantly increase. Expect scammers, and also advertisers, to take full advantage of the increased proliferation of birthdates.

Me, I tell sites that I was born in about 1932 (it varies, but is rarely much younger), and this cuts down on age-related advertising quite nicely. I use a password manager, and record the fake birthdate for each site there. However, I do not lie in situations where lying is an offense (e.g. Govt departments, financial/insurance, etc.)

Andy November 4, 2025 11:24 PM

There are verifiable examples of SaaS-based HR systems, including the prominent ones, being accessed and manipulated (with valid accounts) by actors to redirect things like paystubs or expense reimbursements.

Where fractional transactions are possible it becomes a Superman/Office Space heist. As a worker there isn’t much you can do but check your disbursements regularly. As an org there is hopefully a way you’re collecting and monitoring for anomalies in logs and tampering with logging controls. If not, there’s a whole category of paid tools around this space.
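The two defensive points raised in this thread, the Microsoft guidance KC quotes (review accounts for unknown MFA devices and malicious inbox rules) and Andy's suggestion that the organisation monitor logs for anomalies, can be combined into one detection. The example below is added here and is not code from the post, from Microsoft, or from any HR vendor; the JSON audit-log format, the event names, the payroll sender address and the 72-hour window are all assumptions. It flags a direct-deposit change when the same account, shortly beforehand, enrolled a new MFA device or created an inbox rule that hides mail from payroll (the rule that would suppress the "your bank details were changed" notification).

```python
"""Detection logic over constructed HR/payroll audit-log lines.

Flags a DIRECT_DEPOSIT_CHANGED event when, within a lookback window, the
same account also enrolled a new MFA device or created an inbox rule that
hides mail from payroll. The log schema and event names are hypothetical;
real HR systems expose similar events under their own names.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (one JSON record per line); not from any real system.
SAMPLE_LOG = """\
{"ts": "2025-10-01T09:12:00Z", "user": "alice", "event": "LOGIN", "ip": "203.0.113.5"}
{"ts": "2025-10-01T09:15:00Z", "user": "alice", "event": "MFA_DEVICE_ADDED", "device": "Authenticator-7f3a"}
{"ts": "2025-10-01T09:20:00Z", "user": "alice", "event": "INBOX_RULE_CREATED", "rule": {"from": "payroll@example.edu", "action": "delete"}}
{"ts": "2025-10-02T14:02:00Z", "user": "alice", "event": "DIRECT_DEPOSIT_CHANGED", "new_routing": "REDACTED-1"}
{"ts": "2025-09-20T10:00:00Z", "user": "bob", "event": "MFA_DEVICE_ADDED", "device": "YubiKey-01"}
{"ts": "2025-10-15T11:00:00Z", "user": "bob", "event": "DIRECT_DEPOSIT_CHANGED", "new_routing": "REDACTED-2"}
{"ts": "2025-10-03T08:00:00Z", "user": "carol", "event": "DIRECT_DEPOSIT_CHANGED", "new_routing": "REDACTED-3"}
"""

PAYROLL_SENDERS = {"payroll@example.edu"}   # assumed list of payroll notification senders
LOOKBACK = timedelta(hours=72)               # assumed window between precursor and change
HIDING_ACTIONS = {"delete", "move", "mark_read"}


@dataclass
class Alert:
    user: str
    ts: datetime
    reasons: list


def parse_log(text):
    """Parse JSON-per-line records and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # Accept the trailing "Z" form on older Python versions too.
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def hides_payroll_mail(rule):
    """True if an inbox rule would keep payroll notifications out of sight."""
    return rule.get("from") in PAYROLL_SENDERS and rule.get("action") in HIDING_ACTIONS


def find_suspicious_deposit_changes(events, lookback=LOOKBACK):
    """Return one Alert per direct-deposit change that has a recent precursor.

    Precursors are, for the same user and within `lookback` before the change:
      * MFA_DEVICE_ADDED      (an unknown MFA device enrolled on the account)
      * INBOX_RULE_CREATED    (a rule hiding mail from payroll)
    Events are assumed sorted, so everything before index i is earlier.
    """
    alerts = []
    for i, ev in enumerate(events):
        if ev["event"] != "DIRECT_DEPOSIT_CHANGED":
            continue
        reasons = []
        for prior in events[:i]:
            if prior["user"] != ev["user"] or ev["ts"] - prior["ts"] > lookback:
                continue
            if prior["event"] == "MFA_DEVICE_ADDED":
                reasons.append(
                    f"MFA device {prior['device']} enrolled {ev['ts'] - prior['ts']} before change"
                )
            elif prior["event"] == "INBOX_RULE_CREATED" and hides_payroll_mail(prior["rule"]):
                reasons.append(
                    f"inbox rule hiding mail from {prior['rule']['from']} created before change"
                )
        if reasons:
            alerts.append(Alert(ev["user"], ev["ts"], reasons))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_deposit_changes(parse_log(SAMPLE_LOG)):
        print(f"{alert.ts.isoformat()} {alert.user}: " + "; ".join(alert.reasons))
```

On the constructed log only alice is flagged (both precursors within 29 hours of the change); bob's security key was enrolled 25 days before his change and carol has no precursor at all, so neither produces an alert. The point of correlating rather than alerting on each event alone is volume: MFA enrolments and inbox rules are routine on their own, but a bank-details change that follows both within days is exactly the pattern the Microsoft advisory describes, and it is worth a phone call to the employee before the next payroll run.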

Clive Robinson November 5, 2025 4:39 AM

@ fred.bloggs, ALL,

With regards,

“… to stop having a person’s birthdate as an authentication item. It is simply too widely visible.”

It’s something that legislators and politicians will fight every which way to keep. Because, as pointed out, of the ages-old problem,

“The Law is an ASS”

It comes from 1838 and the pen of Charles Dickens, who wrote it into “Oliver Twist”. But for him to have been allowed to do so, even then it must have been part of the “accepted public view”, so started way way before that in middle class and above circles.

The problem is who do you decide who gets the protection of the law and it’s due to supposed maturity.

So you are mostly free from the direct effects of the law under the age of 7 or 11, you are then subject to sanction after sanction including how much you can earn until you are 18 or 21. Then you were banned from certain positions in life until you were 35 (still applies in the US). Then there are “benefits” you get for being too old to be worked to death any more such as retirement and pension/seniors “benefits”.

The fact that fewer and fewer live long enough to get those benefits tells you what is really behind the notion of “being old and a burden on the state”.

But the point the law makes is it must have fences and because everyone is assumed to be too dim-witted to judge when a fence applies or not, they take time periods of the Earth’s rotation as something we can all say complies with the notion that,

“Justice is blind”

But it’s a foolishness in and of itself,

Firstly by what point do you apply it?

In the timezone a person was born in or the timezone it’s being applied?

But consider what change as a person do you undergo between 5 seconds to midnight and 5 seconds after midnight?

I could go on and on but consider this,

How much legislation and cost has been added simply to “undo the fences”?

Physical age is only partly based on chronological age, and even worse mental age and capability is based more on experience and the environment we are pushed into other than time.

But “age” has always been a problem, how do you decide how old a person standing before you is?

Simple answer is mostly you can not so you just guess and call it an assumption. Hence the reason for the massive business of “Fake IDs to buy beer”. The problem is moved from a person to a card, only it’s not.

I’ve pointed out several times that there is no way you can make a system that is secure from impersonation. Because there is always a gap between a physical object and an information object. And because there is a gap it’s open to exploitation. And that’s when “market forces come into play”: if enough people want to exploit the gap then others will supply for a price a solution as people demand.

We saw this with “set top boxes” for cable and satellite TV, I found several “exploits” and shared them with friends. Some of whom turned them into products manufactured abroad and imported and sold.

The reason why this was possible was that the operators decided not to put sufficient effort into “security” from day 1 and thus there were many gaps to be all too easily exploited.

The same applies to anything else that is,

“How many gaps that you can close, should you close?”

It’s a basic economic issue, but with a twist I’ve mentioned before which is,

“How much spending on defences is enough so that you don’t get attacked?”

The answer is,

“As long as you are not being attacked it’s probably too much.”

But time and technological advance moves the “cost” usually to the benefit of an attacker and the loss of a defender.

If you think about it there are so many gaps in “Online verification” that the cost of eliminating them will be next to impossible to find.

Meanwhile such attempts by politicians and legislators always introduce security issues.

In the case of the UK Online Safety Act, it’s created a “back door” for Data Brokers to slime their way in to make a lot of money from. And the neo-con mantra about not leaving money on the table/floor means that they will slime through faster than a speeding bullet. And guess what, they already have.

This is such lucrative business that the data brokers are already busy lobbying legislators and faking up loud noisy campaigns from the “Useful Idiots” in other countries.

I could go on about the Government Agencies “buying the data back” and making the problem worse, but if you’ve been a reader here for any length of time you will be aware of it.

So NO I don’t think “Age Restrictions” will be removed, for various reasons, but primarily because there is too much profit involved, that it’s going to be more lucrative than “The War on Terror” for all sorts of crooks and criminals, especially politicians.
