US Universities Hit by Sophisticated Payroll Phishing Scam
A sophisticated phishing campaign is targeting US university staff in a coordinated payroll hijacking scheme. Since March 2025, hacking group Storm-2657 has compromised payroll accounts to redirect salary payments to accounts they control.
Key Takeaways
- Hackers use convincing phishing emails mimicking campus alerts and HR updates
- Attackers have targeted 25 institutions, sending 6,000 phishing emails
- Storm-2657 primarily targets Workday but other HR platforms are vulnerable
- Attackers use compromised accounts to spread further phishing attempts
How the University Payroll Scam Works
According to Microsoft Threat Intelligence, Storm-2657 primarily targets Workday, though other payroll and HR software could be at risk. The attackers begin with highly convincing phishing emails crafted to appeal to individual staff members.
Some messages warn of sudden campus illness outbreaks, creating urgency, while others claim faculty members are under investigation. Some emails impersonate university presidents or HR departments, sharing “important” updates about compensation and benefits.
These emails contain links to adversary-in-the-middle phishing pages that capture both login credentials and multi-factor authentication codes as the victim types them. Once staff enter their information, the attackers gain full account access.
After gaining control, hackers set up inbox rules to delete Workday notifications, preventing victims from seeing alerts about changes. This allows attackers to modify payroll profiles, adjust salary settings, and redirect funds without raising immediate suspicion.
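The inbox-rule step above is one of the few attacker actions that leaves a durable, auditable trace in the victim mailbox. The following added example (not code from Microsoft or the article) audits a list of mailbox rules and flags any that delete, hide or silently file mail matching payroll or HR terms. It assumes rule objects shaped like Microsoft Graph `messageRules` (field names `displayName`, `isEnabled`, `conditions`, `actions`); the sample rules are constructed for the demo.

```python
import json
import re

# Constructed sample in the shape of Graph messageRules objects (assumed field
# names). The first and third rules mimic the hiding behaviour described above.
SAMPLE_RULES_JSON = """
[
  {"displayName": "Sync", "isEnabled": true,
   "conditions": {"senderContains": ["workday"]},
   "actions": {"delete": true, "markAsRead": true}},
  {"displayName": "Receipts", "isEnabled": true,
   "conditions": {"subjectContains": ["receipt"]},
   "actions": {"moveToFolder": "Receipts"}},
  {"displayName": ".", "isEnabled": true,
   "conditions": {"bodyContains": ["direct deposit", "payment election"]},
   "actions": {"moveToFolder": "RSS Subscriptions", "markAsRead": true}}
]
"""

# Terms a payroll/HR notification is likely to contain (extend per platform).
PAYROLL_TERMS = re.compile(
    r"workday|payroll|direct deposit|payment election|bank account|\bhr\b", re.I)
# Folders users rarely look at; moving mail there is a common hiding tactic.
JUNK_FOLDERS = {"rss subscriptions", "deleted items", "junk email",
                "conversation history", "archive"}

def hides_payroll_mail(rule):
    """Return the reasons a rule looks like it hides payroll/HR notifications."""
    cond = rule.get("conditions", {})
    matched_text = " ".join(
        term for key in ("senderContains", "subjectContains", "bodyContains")
        for term in cond.get(key, []))
    if not PAYROLL_TERMS.search(matched_text):
        return []                      # rule does not touch payroll-related mail
    actions, reasons = rule.get("actions", {}), []
    if actions.get("delete") or actions.get("permanentDelete"):
        reasons.append("deletes payroll-related mail")
    if actions.get("markAsRead"):
        reasons.append("marks payroll-related mail as read")
    folder = actions.get("moveToFolder", "")
    if folder.lower() in JUNK_FOLDERS:
        reasons.append(f"moves payroll-related mail to '{folder}'")
    if len(rule.get("displayName", "").strip()) <= 1:
        reasons.append("rule name is empty or a single character")
    return reasons

def audit_inbox_rules(rules_json):
    """Map each enabled suspicious rule's name to its list of findings."""
    findings = {}
    for rule in json.loads(rules_json):
        reasons = hides_payroll_mail(rule) if rule.get("isEnabled") else []
        if reasons:
            findings[rule.get("displayName", "")] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in audit_inbox_rules(SAMPLE_RULES_JSON).items():
        print(f"[!] rule {name!r}: {'; '.join(reasons)}")
```

In production the same function can be run over the output of Exchange Online or Graph rule listings for every mailbox, with any hit correlated against recent sign-in and MFA-enrollment events.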
Attackers Exploit Universities at Scale
The hackers don’t stop at single accounts. Microsoft reports that from just 11 compromised accounts at three universities, Storm-2657 sent phishing emails to nearly 6,000 email addresses across 25 institutions.
By using trusted internal accounts, their emails appear more legitimate, increasing success rates. Attackers sometimes enroll their own phone numbers as MFA devices through Workday profiles or Duo MFA, giving them persistent access without needing to phish again.
Microsoft emphasizes these attacks exploit human behavior rather than software flaws. The threat comes from social engineering, absence of strong phishing-resistant MFA, and insufficient protection measures.
6 Ways to Protect Against Payroll Phishing Scams
1. Limit Personal Information Online
Reduce your digital footprint to make targeted phishing attempts harder. The less information scammers can find, the less convincing their messages will be.
2. Think Before Clicking
Scammers send emails appearing from HR or university leadership about payroll or urgent issues. Never click links or download attachments unless completely certain of their legitimacy.
3. Verify Directly with the Source
If an email mentions salary changes requiring action, contact HR using contact information you already know to be correct, not the details in the message. Phishing emails create panic to rush decisions; a quick verification can stop attackers.
4. Use Strong, Unique Passwords
Never reuse passwords across accounts. Scammers often use credentials stolen from other breaches. A password manager can generate and store secure passwords.
5. Enable Two-Factor Authentication
Add extra security with 2FA on all supported accounts. Even with stolen passwords, attackers cannot log in without the second verification step. Since this campaign captured MFA codes through adversary-in-the-middle pages, phishing-resistant MFA methods offer the strongest protection.
6. Regularly Monitor Accounts
Check payroll and financial accounts frequently for unusual activity, such as changed direct-deposit details or newly enrolled MFA devices. Early detection limits losses and alerts you to potential scams.
Key Insight
The Storm-2657 attacks demonstrate that cybercriminals target trust rather than software. Universities are vulnerable because payroll systems handle direct payments, and staff can be manipulated through well-crafted phishing. The scale highlights how established institutions remain vulnerable to financially motivated threat actors.