Anatomy of an Attack: The Payroll Pirates and the Power of Social Engineering

By: Randy Stone
Published: January 16, 2026
Categories: Anatomy of an Attack, Insights
Tags: MFA, Phishing, SEO poisoning, Social engineering

No employee wants their paycheck to go missing. One organization learned about an incident when they started hearing exactly this complaint. It turned out that an attacker had modified direct-deposit details in order to redirect an organization’s paychecks into attacker-controlled accounts. What happened to this organization started with nothing more than a phone call.

In fact, findings in our 2025 Unit 42 Global Incident Response Report: Social Engineering Edition suggest that 36% of all incidents Unit 42 engaged with began with a social engineering tactic. This includes phishing, vishing, search engine optimization (SEO) poisoning, fake system prompts and help desk manipulation.

Article Summaries:

  • An organization discovered that its employees’ paychecks were being redirected to attacker‑controlled accounts after a social‑engineering attack. The threat actor impersonated staff and manipulated help desks for payroll, IT, and HR, bypassing challenge‑response authentication and resetting passwords and MFA devices. Using publicly available data, the attackers gathered verification information, then registered an external email in the client’s Azure AD to establish persistence. Once inside the payroll system, they altered direct‑deposit details for multiple employees. The breach was uncovered when employees reported missing paychecks, prompting an internal investigation and a full‑scope engagement by Unit 42, which confirmed the incident and limited its impact.
