Hackers Hijack Paychecks via Fake Payroll Portals
Hackers are leveraging search engine optimization (SEO) poisoning to launch a new wave of payroll fraud attacks, security researchers at ReliaQuest report. The attackers target employees on mobile devices, creating fake login pages that closely mimic legitimate corporate payroll portals. These spoofed sites appear prominently in search results when users look for company payroll platforms, tricking them into entering credentials that are immediately captured.
The stolen login details are used to access payroll systems, such as SAP SuccessFactors, and reroute salary deposits to attacker-controlled accounts. The campaign exploits weaker mobile security, particularly on guest Wi-Fi and cellular networks, and employs compromised home routers to obfuscate attacker locations. A WordPress-based phishing infrastructure selectively redirects mobile users to convincing Microsoft credential harvesters, while a real-time WebSocket system alerts attackers instantly upon successful credential capture. Security experts recommend deploying multi-factor authentication and monitoring for payroll changes to mitigate financial and reputational risks to organizations.
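The payroll-change monitoring recommended above can be expressed as a correlation rule: flag a direct-deposit change that follows, within a short window, a login from a network the user has not been seen on before. This is an added example, not code from ReliaQuest or the original article; the event fields, the 24-hour window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events. Field names are assumptions, not a real
# payroll or identity-provider export schema. ASNs are documentation values.
EVENTS = [
    {"ts": "2025-05-01T09:00:00", "user": "alice", "type": "login", "asn": "AS64496"},
    {"ts": "2025-05-01T08:00:00", "user": "bob", "type": "login", "asn": "AS64497"},
    {"ts": "2025-05-01T08:30:00", "user": "carol", "type": "login", "asn": "AS64498"},
    {"ts": "2025-05-03T10:00:00", "user": "carol", "type": "login", "asn": "AS64499"},
    {"ts": "2025-05-08T09:05:00", "user": "alice", "type": "login", "asn": "AS64496"},
    {"ts": "2025-05-08T09:10:00", "user": "alice", "type": "deposit_change"},
    {"ts": "2025-05-09T22:40:00", "user": "bob", "type": "login", "asn": "AS64500"},
    {"ts": "2025-05-09T22:47:00", "user": "bob", "type": "deposit_change"},
    {"ts": "2025-05-20T11:00:00", "user": "carol", "type": "deposit_change"},
]

def flag_payroll_changes(events, window=timedelta(hours=24)):
    """Return deposit changes made within `window` of a login from a
    network (ASN) not previously seen for that user."""
    seen = {}     # user -> ASNs observed in earlier logins
    new_net = {}  # user -> (time, asn) of latest login from an unseen ASN
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["type"] == "login":
            known = seen.setdefault(user, set())
            # The first login only seeds the baseline; in production the
            # baseline would come from historical sign-in data.
            if known and ev["asn"] not in known:
                new_net[user] = (ts, ev["asn"])
            known.add(ev["asn"])
        elif ev["type"] == "deposit_change" and user in new_net:
            login_ts, asn = new_net[user]
            if ts - login_ts <= window:
                alerts.append({"user": user, "asn": asn,
                               "login": login_ts.isoformat(),
                               "change": ts.isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in flag_payroll_changes(EVENTS):
        print(alert)
```

On the constructed data only bob's change is flagged: alice changes her deposit from a known network, and carol's change falls well outside the window after her new-network login.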
