Most readers will probably be familiar with the mythical story of bank robber Willie Sutton who, after being nailed by the cops, was asked why he robbed the bank. His answer (undoubtedly delivered in the most deadpan voice one can imagine): “Because that’s where the money is.”

Although criminals have gone high tech since the days of that old fashioned, pistol-packing bank robber, their motivations remain essentially unchanged. Over the past month or so we’ve been reminded of that very basic truth while watching the surge in phishing emails targeting payroll operations.

Why target payroll? Because that’s where the money is. These phishes, which are almost all examples of CEO fraud, take several different forms:

New Pay Stub Phishing Strain

A new strain of payroll phishes that has surfaced over the past few months involves phishing emails requesting copies of pay stubs and wage statements. Both are year-round social engineering attacks that expand on the W-2 phishing campaigns which erupt at tax season.

paystub_requestVery familiar with the ways in which this kind of confidential employee data can be exploited for fraud, some malicious actors are now turning to phishing attacks targeting the same kind of data, but now during the whole year.

These malicious emails are simple, direct, and dispense with any attempt to construct believable back-stories or pretexts for the request. In short, they invite an unthinking, reflexive response from targeted users. These emails seem designed to “fly under the radar” and not attract undue attention.

These phishes spoof presidents, CEOs, and other C-level executives within targeted organizations. Moreover, these phishes almost unfailingly seem to land in the inboxes of employees whose work involves payroll processing.

Pay stubs typically contain much the same kinds of data that can also be found on W-2 statements, which means that they can be exploited for identity theft and other forms of financial fraud. Given that the requested pay stubs are for senior executives, the bad guys are clearly calculating that the high value of the target more than makes up for the low volume of data requested.

Payroll Updates

Not content to nibble around the edges with fraudulent schemes based on purloined payroll data, some malicious actors have elected to go straight for the money with spoofed requests to change the bank accounts used to deposit the paychecks of CEOs, presidents, and other senior executives within targeted organizations.

Consider this rather simple email, which requests that employees in the payroll department of the targeted organization change the direct deposit information for a senior employee in the company:


Over the past month we have seen hundreds of these phishes, all almost identically worded. Unfortunately, many of the targeted payroll employees have proven all too eager to respond to these requests, offering various forms of assistance.

Some employees respond by pointing the bad guys to online payroll services where they could presumably make the requested change themselves — had they the login credentials to do so, of course.

Other employees helpfully request a voided check so that they can make the requested changes immediately without any further effort on the part of the bad guys.

Both of these responses have typically stymied the bad guys. These would-be fraud artists either don’t have the required login credentials for the online payroll service (if they had the credentials, they already would have made the changes themselves, thank you) or they lack a cancelled check for the account they wish to start receiving direct deposits. Their usual response is to plead some form of inability to access the payroll service (a not particularly convincing excuse) or to claim that their checkbooks have mysteriously taken a walk.