Anatomy of an Attack: The Payroll Pirates and the Power of Social Engineering
ID: 25d21da2-6231-58b9-8d0f-afa90637e4a8
STIX ID: report--25d21da2-6231-58b9-8d0f-afa90637e4a8
Feed Name: Palo Alto Networks Unit 42
Unit 42 investigated a payroll diversion caused by social engineering: attackers impersonated employees, manipulated payroll/HR/IT help desks to reset passwords and re-enroll MFA, then changed direct-deposit details to steal paychecks (impact limited to three accounts). The response contained the compromise, reversed fraudulent changes, and produced recommendations to strengthen help-desk verification, MFA enforcement, logging, and identity governance; the engagement also uncovered a separate, persistent WannaCry presence in the client’s OT environment.
