New phishing scheme aims at university employees’ payroll to take their earnings.

Phishing Scams Targeting Universities on the Rise

Phishing scams are becoming a serious issue, affecting a wide range of institutions including hospitals, tech companies, and fast food outlets. However, universities seem to be particularly hard-hit, especially this year. A new type of cybercrime has emerged: “pirate payroll” attacks. These attacks focus on taking control of payroll systems, with a hacking group named Storm-2657 leading the charge since March 2025. Let’s explore how these attacks operate and what steps can be taken to safeguard against them.

Understanding University Payroll Fraud

According to insights from Microsoft Threat Intelligence, Storm-2657 predominantly targets Workday, a common HR software. But other payroll systems might be at risk too. The attackers craft convincing phishing emails aimed at individual staff members. Some emails create a false sense of urgency, claiming a contagious illness is affecting the campus, while others suggest faculty members are under investigation, prompting quick action. Occasionally, the emails seem to come from university administrators, offering “important” updates regarding pay and benefits.

These phishing emails usually contain links designed to capture login details, including multi-factor authentication (MFA) codes through techniques like man-in-the-middle attacks. Once a staff member enters their information, the hacker gains access to the account as if they were a legitimate user. Following this, they can set up inbox rules to hide Workday notifications, allowing them to change payroll settings and reroute funds without arousing suspicion.

A Broad Assault on Multiple Accounts

Interestingly, hackers often don’t stop with just one account. After gaining access to a single mailbox, they expand their attack. Storm-2657 reportedly sent phishing emails to around 6,000 addresses across 25 universities utilizing just 11 compromised accounts from three institutions. Using a trusted internal account significantly boosts the chances of success for the phishing attempt.

In a strategic move, attackers may register their own phone number for MFA, granting them long-term access without having to fish for details again. This method, combined with rules that hide notifications, allows them to operate unnoticed for extended periods.
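
The two behaviours described above, an inbox rule that hides payroll notifications and a newly registered MFA method, can be correlated in mailbox and identity audit data. The Python below is an added example, not code from Microsoft or the original article; the event schema, field names, sample events and the 24-hour window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Terms taken from the article's scenario; extend for your own payroll vendor.
PAYROLL_TERMS = ("workday", "payroll")

# Constructed sample events in a simplified schema invented for this example.
SAMPLE_EVENTS = [
    {"time": "2025-03-10T09:02:00", "user": "a.prof@uni.example", "type": "inbox_rule_created",
     "rule": {"subject_contains": ["Workday"], "delete": True}},
    {"time": "2025-03-10T11:40:00", "user": "a.prof@uni.example", "type": "mfa_method_added",
     "method": "phone"},
    {"time": "2025-03-11T08:15:00", "user": "b.staff@uni.example", "type": "inbox_rule_created",
     "rule": {"subject_contains": ["newsletter"], "move_to": "Reading"}},
    {"time": "2025-03-11T08:30:00", "user": "b.staff@uni.example", "type": "mfa_method_added",
     "method": "phone"},
    {"time": "2025-03-12T14:00:00", "user": "c.admin@uni.example", "type": "inbox_rule_created",
     "rule": {"from_contains": ["workday"], "move_to": "Archive"}},
]


def hides_payroll_mail(rule):
    """True when a rule deletes or moves mail that matches a payroll term."""
    hides = bool(rule.get("delete") or rule.get("move_to"))
    text = " ".join(rule.get("subject_contains", []) + rule.get("from_contains", [])).lower()
    return hides and any(term in text for term in PAYROLL_TERMS)


def find_takeover_signals(events, window=timedelta(hours=24)):
    """Return {user: severity}: 'medium' for a hiding rule alone, 'high' when
    an MFA method is also added within `window` of that rule (either order)."""
    rule_times, mfa_times = {}, {}
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        if ev["type"] == "inbox_rule_created" and hides_payroll_mail(ev["rule"]):
            rule_times.setdefault(ev["user"], []).append(ts)
        elif ev["type"] == "mfa_method_added":
            mfa_times.setdefault(ev["user"], []).append(ts)
    findings = {}
    for user, rules in rule_times.items():
        paired = any(abs(m - r) <= window for r in rules for m in mfa_times.get(user, []))
        findings[user] = "high" if paired else "medium"
    return findings


if __name__ == "__main__":
    for user, severity in find_takeover_signals(SAMPLE_EVENTS).items():
        print(f"{severity:6} {user}")
```

A routine rule plus a routine MFA change (the second user) produces no finding; only rules that remove payroll-related mail are scored, and the pairing with an MFA change raises the severity.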

Microsoft notes that these scams do not exploit flaws within Workday itself. Rather, they hinge on social engineering tactics, inadequate MFA defenses, and manipulation of internal systems. Essentially, the weaknesses lie in human behavior and insufficient security measures, rather than any software bugs.

How to Safeguard Against Payroll and Phishing Scams

Keeping yourself safe from payroll fraud and phishing does not have to be overly complex. Implementing a few strategies can greatly reduce the likelihood of attackers breaching your accounts.

1) Limit Personal Information Online

The less information that scammers can gather about you, the harder it is for them to create credible phishing messages. Consider using a service to monitor or delete your personal data online, which can significantly lessen your exposure. While no service offers a full guarantee, actively managing your digital footprint can help keep scammers at bay.

2) Be Cautious with Clicks

Phishing emails may appear to come from trusted sources like HR or university officials. Avoid clicking on links or downloading attachments unless you are entirely confident in their legitimacy. A brief lapse in judgment can grant attackers entry into your accounts. Installing antivirus software on your devices can help ward off malicious links and scams.

3) Verify with the Source

If an email suggests a pay change or any required action, it’s wise to confirm directly with HR using contact information you already possess. Phishing attempts often create a sense of panic that urges quick decisions, which a moment of scrutiny can defuse.

4) Use Strong, Unique Passwords

Avoid reusing passwords for different accounts, as attackers frequently attempt to use stolen credentials from breaches. A password manager can help generate and securely store strong passwords, making it less cumbersome for you to remember different combinations.

5) Enable Two-Factor Authentication (2FA)

Activating 2FA for all accounts that support it adds an essential layer of protection. Even if someone steals your password, they can’t access your account without a second authentication step, such as a code sent to your phone.

6) Regularly Check Financial Accounts

Even with precautions in place, monitoring your accounts for unusual activity is crucial. Quickly identifying fraudulent transactions can help prevent greater losses and alert you to potential fraud before it becomes a major issue.

Conclusion

The Storm-2657 incidents illustrate that cybercriminals are increasingly targeting trust rather than specific software vulnerabilities. Universities, with their direct handling of payroll, are becoming prime targets due to their susceptible systems and the manipulative tactics used by attackers. This situation raises a significant concern regarding the depth of vulnerability that well-established organizations face against financially motivated cyber threats.
