Google Payroll Scam Redirects Paychecks to Hackers

Hackers are leveraging search engine optimization (SEO) poisoning techniques to deceive employees into handing over payroll credentials, according to findings from threat researchers. The campaign, first identified in May 2025 by cybersecurity firm ReliaQuest, targeted an unnamed manufacturing company. Attackers created fake payroll login pages that appeared in Google search results when employees searched for their payroll portals using mobile devices.

Once employees landed on the fraudulent sites, they unwittingly submitted login details, allowing attackers to redirect paychecks to accounts under their control. The method exploits common user behavior—seeking company resources via search engines—by manipulating search rankings to surface malicious links.

The campaign highlights the evolving sophistication of phishing tactics that bypass traditional email-based lures. By embedding fraudulent sites into legitimate search results, attackers increase the likelihood of success. Security experts urge organizations to educate staff on safe browsing practices and to implement security tools that detect and block deceptive domains in real time.