Payroll scam hits U.S. universities as phishing wave tricks staff

Payroll scam hits U.S. universities as phishing wave tricks staff

The attacks have been going since March 2025

by Kurt Knutsson
image_printPrint this article

Phishing scams target every kind of institution, whether it’s a hospital, a big tech firm, or even a fast-food chain. Educational institutions aren’t an exception, especially in 2025, when attackers are actively directing their efforts toward them. Universities across the U.S. are facing a new type of cybercrime where attackers are targeting staff to hijack salary payments. Researchers have discovered that since March 2025, a hacking group known as Storm-2657 has been running “pirate payroll” attacks, using phishing tactics to gain access to payroll accounts. Let’s talk more about this attack and how you can stay safe.

 

 

A person is using a PC

 

How does the university payroll scam work

According to Microsoft Threat Intelligence, Storm-2657 primarily targets Workday, a widely used human resources platform, though other payroll and HR software could be at risk as well. The attackers begin with highly convincing phishing emails, carefully crafted to appeal to individual staff members. Some messages warn of a sudden campus illness outbreak, creating a sense of urgency, while others claim that a faculty member is under investigation, prompting recipients to check documents immediately. In some cases, emails impersonate the university president or HR department, sharing “important” updates about compensation and benefits.

These emails contain links designed to capture login credentials and multi-factor authentication (MFA) codes in real time using adversary-in-the-middle techniques. Once a staff member enters their information, the attackers can access the account as if they were the legitimate user. After gaining control, the hackers set up inbox rules to delete Workday notifications, so the victims do not see alerts about changes. This stealthy approach allows the attackers to modify payroll profiles, adjust salary payment settings, and redirect funds to accounts they control, all without raising immediate suspicion.

Sample Phishing email

Microsoft

 

Hackers are exploiting universities at scale

The hackers don’t stop at a single account. Once they control one mailbox, they use it to spread the attack further. Microsoft reports that from just 11 compromised accounts at three universities, Storm-2657 sent phishing emails to nearly 6,000 email addresses at 25 institutions. By using trusted internal accounts, their emails appear more legitimate, increasing the likelihood that recipients will fall for the scam.

To maintain access over time, the attackers sometimes enroll their own phone numbers as MFA devices, either through Workday profiles or through Duo MFA. This gives them persistent access, allowing them to approve further malicious actions without needing to phish again. Combined with inbox rules that hide notifications, this strategy lets them operate undetected for longer periods.

Microsoft emphasizes that these attacks don’t exploit a flaw in Workday itself. Instead, they rely on social engineering, the absence of strong phishing-resistant MFA, and careful manipulation of internal systems. In essence, the threat comes from human behavior and insufficient protection, not software bugs.

Attack flow

Microsoft

 

6 ways to stay safe from payroll and phishing scams

Protecting yourself from payroll and phishing scams isn’t complicated. By taking a few careful steps, you can make it much harder for attackers to gain access to your accounts or personal information.

 

1) Limit what personal information is online

The more information scammers can find about you, the easier it is to craft convincing phishing messages. Services that remove or monitor personal data online can reduce exposure, making it harder for attackers to trick you with targeted emails.

While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

Incogni, a service I trust 100% and use myself, helps automate the process by submitting removal requests to hundreds of data brokers and people-search sites on your behalf.

More from CyberGuy
🎙 Now Streaming
Latest CyberGuy Report podcast episode

Watch the latest episode of The CyberGuy Report.

Watch the latest CyberGuy podcast episode on YouTube
Subscribe: Apple | Spotify | YouTube
📱 Free class recording: Lock down your phone

Missed this event? Sign up via the registration form and see our live recording.

🛒 This week’s top Amazon deals

See Kurt’s latest Amazon picks for useful gadgets, smart home upgrades and everyday tech worth grabbing while the deals last.

×

Latest CyberGuy Report podcast episode

Incogni automatically contacts data brokers on your behalf and requests the removal of your personal information. It also continues monitoring those sites and submits new removal requests if your data reappears.

  • Incogni currently removes personal data from 420+ data broker and people-search websites, and its Unlimited plan allows you to request removals from as many additional sites as you need.
  • Incogni has also received third-party assurance from Deloitte, validating its marketing claims.
  • The goal is simple: make it much harder for strangers, scammers, and cybercriminals to find your personal information online.

CyberGuy Exclusive: 60% off

CyberGuy readers get 60% off Incogni’s annual plans using the links in this article.

The service also includes a 30-day money-back guarantee, so you can try it risk-free and see how much of your information is exposed online.

Get Incogni and remove your info
Get Incogni’s Family Plan

   

 

Is your personal information exposed online?

Run a free scan to see if your personal info is compromised. Results arrive by email in about an hour.

 

2) Think before you click

Scammers often send emails that look like they come from your HR department or university leadership, warning about payroll, benefits, or urgent issues. Don’t click links or download attachments unless you are 100% sure they are legitimate. Even small mistakes can give attackers access to your accounts.

The best way to safeguard yourself from malicious links is to have antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

One of the top solutions we recommend is Norton Antivirus Plus, which extends protection beyond just traditional virus scanning. While iPhones have strong built-in security, Norton adds an important extra layer by helping block malicious websites, phishing links, and unsafe downloads before they can cause harm. If you accidentally tap a bad link in an email, text message, or social media post, Norton helps prevent access to known dangerous sites using its continuously updated threat intelligence. If you are interested in a strong antivirus with phone customer service, we recommend Norton Antivirus Plus. This product includes:
  • Strong real-time protection against viruses, malware, ransomware and hacking attempts
  • AI-powered scam protection to help identify suspicious emails, texts and websites
  • Built-in password manager to securely store and manage logins
  • 2 GB PC cloud backup to help protect important files from ransomware or hardware failure
  • Smart firewall and phishing protection
COVERAGE
  • Protects 1, 3 or 5 devices
  • Available for Windows, macOS, Android and iOS
  • Includes real-time threat protection, smart firewall and phishing protection to guard against online attacks
EXCLUSIVE CYBERGUY DEAL: 58% off (year 1) Please note that the above product is the core antivirus product. Norton may try to upsell additional products, but we don’t recommend them. We encourage you to decline those offers.

 

3) Verify directly with the source

If an email mentions salary changes or requires action, call or email the HR office or the person directly using contact information you already know. Phishing emails are designed to create panic and rush decisions, so taking a moment to verify can stop attackers in their tracks.

 

4) Use strong, unique passwords

Never reuse passwords across multiple accounts. Scammers often try to use credentials stolen from other breaches. A password manager can help you generate strong passwords and store them securely, so you don’t have to remember dozens of different combinations.

Next, see if your email has been exposed in past breaches. Our #1 pick, NordPass, includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.

One of the best password managers out there is NordPass. It is secure, user-friendly, and uses zero-knowledge architecture with military-grade XChaCha20 encryption to protect your data. NordPass works across Windows, macOS, Linux, Android, iOS, and major browsers and includes features like:
  • Unlimited password storage
  • Secure sharing
  • Password health reports
  • Auto-fill and emergency access
  • Data breach monitoring to alert you if your credentials have been exposed
  • A Security Dashboard with tools like the Data Breach Scanner and Password Health Checker to identify weak, reused, or compromised passwords
Use NordPass to check if your email or passwords have shown up in known data breaches, and take immediate action if they have.
 
CyberGuy Exclusive Deal: Save 52% now with CyberGuy’s exclusive NordPass offer – Get 1 extra month FREE with a 2-year plan. Try 30 days risk-free for only $1.43 per month!

 

5) Enable two-factor authentication (2FA)

Add an extra layer of security by enabling 2FA on all accounts that support it. This means even if someone steals your password, they still can’t log in without a second verification step, such as a code sent to your phone.

 

6) Regularly check financial and payroll accounts

Even if you follow all precautions, it’s smart to monitor your accounts for any unusual activity. Catching unauthorized transactions quickly can prevent bigger losses and alert you to potential scams before they escalate.

 

Related Links:

 

Kurt’s key takeaway

The Storm-2657 attacks show that cybercriminals are targeting trust, not software. Universities are appealing because payroll systems handle money directly, and staff can be manipulated through well-crafted phishing. The scale and sophistication of these attacks highlight how vulnerable even well-established institutions can be to financially motivated threat actors.

How often do you check your payroll or bank accounts for unusual activity? Let us know in the comments below.

FOR MORE OF MY TECH TIPS & SECURITY ALERTS, SUBSCRIBE TO MY FREE CYBERGUY REPORT NEWSLETTER HERE

 

 

Copyright 2025 CyberGuy.com.  All rights reserved.  CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.

image_printPrint this article

   
 
 
🎙 Now Streaming: My New Podcast: The CyberGuy Report

   


 

Kurt’s Top Deals

Deals move fast and inventory can be limited, so don’t wait too long.

🔥 Editor’s pick
Summer entertaining
Ninja SLUSHi Machine
(26% off)
Frozen drinks and slushies at home in minutes.
 
Patriotic pick
American Flag
(19% off)
Heavyweight outdoor American flag.
💰 Top deal
Outdoor essential
TYPEC Solar Bug Zapper
(36% off)
Solar-powered bug zappers for patios and camping.
 
Car tech
ROVE R3 Dash Cam
(33% off)
Front, rear and cabin camera coverage.

Leave a Comment

Free newsletter

Get my free CyberGuy Report

Get my latest tech news, security alerts, tips and deals delivered straight to your inbox.

No spam. No sharing your email. Ever.

🎁

Bonus: Get my FREE Ultimate Scam Survival Guide instantly when you sign up.

By signing up, you agree to our Terms of Service and Privacy Policy . You may unsubscribe at any time.

Tips to avoid our newsletters going to your junk folder