In 2025, phishing scams have become an increasingly serious threat across a wide range of institutions, and educational organizations are no exception. Universities in the United States are now facing a sophisticated wave of cyberattacks aimed specifically at hijacking payroll payments. Since March 2025, a hacking group known as Storm-2657 has been orchestrating what researchers call “pirate payroll” attacks. These attacks use advanced phishing tactics to infiltrate payroll accounts, allowing cybercriminals to redirect salary payments to themselves. This emerging threat underscores the growing complexity of cybercrime and highlights the urgent need for improved security awareness and protective measures within academic institutions.
Storm-2657 primarily targets Workday, one of the most widely used human resources and payroll platforms in the education sector. However, other payroll and HR software systems could also be vulnerable. The attackers begin their campaign by sending highly convincing phishing emails to university staff members. These emails are carefully crafted to appear legitimate and often exploit timely or sensitive topics to create a sense of urgency. For example, some phishing messages warn of a sudden illness outbreak on campus, prompting recipients to click quickly without thinking. Others falsely claim that a faculty member is under investigation, encouraging staff to review attached documents immediately. The attackers even impersonate high-level officials such as university presidents or HR department representatives, sending bogus notifications about compensation changes or benefits updates.
What makes these phishing emails particularly dangerous is their use of real-time credential theft techniques. The emails contain links that capture both login credentials and multi-factor authentication (MFA) codes through “adversary-in-the-middle” attacks. This means that when a victim enters their username, password, and MFA code, the hackers intercept this information instantly and gain full access to the account as if they were the legitimate user. Once inside, the attackers set up inbox rules designed to delete any notifications from Workday, such as alerts about payroll changes. This stealth measure prevents victims from realizing their accounts have been compromised, allowing the hackers to make unauthorized modifications quietly.
After successfully infiltrating a payroll account, Storm-2657 manipulates salary payment settings to redirect funds to bank accounts under their control. But their attacks don’t stop with just one compromised account. Microsoft Threat Intelligence reports that from only 11 compromised mailboxes at three different universities, Storm-2657 was able to send phishing emails to nearly 6,000 email addresses across 25 institutions. By using hijacked internal accounts to send these emails, the attackers increase the legitimacy of their messages, making it more likely that recipients will fall victim to the scam. This internal spread of the attack demonstrates how quickly such threats can escalate and impact a wide network of organizations.
To maintain continued access to compromised accounts, the hackers often enroll their own phone numbers as MFA devices through platforms like Workday or Duo MFA. This step allows them to approve login attempts and other actions without having to phish for credentials repeatedly. Combined with the hidden inbox rules, this approach enables attackers to operate undetected for extended periods, increasing the potential financial damage. Notably, these attacks do not exploit technical vulnerabilities in the Workday software itself. Instead, they rely heavily on social engineering tactics, exploiting human behavior and the lack of phishing-resistant MFA methods. The core issue is insufficient security awareness and inadequate protective measures rather than software flaws.
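The two persistence behaviours described above (an inbox rule that silently discards Workday notifications, and enrollment of an attacker-controlled MFA device) are both visible in mailbox and identity audit logs. The following defender-side triage routine is an added example, not code from the article or from Microsoft; the event records are constructed and their field names are a hypothetical stand-in for whatever your mail and HR platforms actually log.

```python
from collections import defaultdict

# Terms that, if a rule filters on them, suggest it targets payroll mail.
PAYROLL_TERMS = ("workday", "payroll", "direct deposit", "compensation")
# Rule actions that stop the user from ever seeing the message.
SUPPRESS_ACTIONS = {"delete", "move_to_junk", "mark_read"}

# Constructed sample audit events (hypothetical shape, not a vendor schema).
SAMPLE_EVENTS = [
    {"type": "InboxRuleCreated", "user": "clerk@example.edu",
     "rule": {"conditions": {"from_contains": ["Workday"]},
              "actions": ["delete", "mark_read"]}},
    {"type": "InboxRuleCreated", "user": "prof@example.edu",
     "rule": {"conditions": {"subject_contains": ["newsletter"]},
              "actions": ["move_to_folder"]}},
    {"type": "MfaDeviceEnrolled", "user": "clerk@example.edu",
     "device": "phone"},
    {"type": "DirectDepositChanged", "user": "clerk@example.edu"},
]


def is_suppression_rule(rule):
    """True if a rule hides payroll-related mail: some condition value names
    a payroll term AND some action discards or hides the message."""
    values = [v.lower() for vals in rule["conditions"].values() for v in vals]
    mentions_payroll = any(t in v for v in values for t in PAYROLL_TERMS)
    hides_mail = bool(SUPPRESS_ACTIONS & set(rule["actions"]))
    return mentions_payroll and hides_mail


def find_suspicious(events):
    """Collect per-user indicators of the Storm-2657 pattern; a user with
    two or more (e.g. suppression rule plus new MFA device) is flagged."""
    indicators = defaultdict(list)
    for ev in events:
        if ev["type"] == "InboxRuleCreated" and is_suppression_rule(ev["rule"]):
            indicators[ev["user"]].append("payroll-notification suppression rule")
        elif ev["type"] == "MfaDeviceEnrolled":
            indicators[ev["user"]].append(f"new MFA device: {ev['device']}")
        elif ev["type"] == "DirectDepositChanged":
            indicators[ev["user"]].append("direct deposit details changed")
    return {user: hits for user, hits in indicators.items() if len(hits) >= 2}


if __name__ == "__main__":
    for user, hits in find_suspicious(SAMPLE_EVENTS).items():
        print(user, "->", "; ".join(hits))
```

A single indicator is common in normal use (people do enroll new phones), which is why the routine only escalates when several cluster on one account.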
Given this evolving threat landscape, protecting oneself from payroll phishing scams requires vigilance and proactive security practices. One of the first steps individuals can take is to reduce the amount of personal information available online. Hackers use publicly accessible data to craft highly targeted phishing messages, so limiting your digital footprint makes it harder for attackers to impersonate you convincingly. Data removal services can help monitor and erase personal information that appears across hundreds of websites, including the dark web. Although these services come at a cost, many cybersecurity experts consider them a worthwhile investment in privacy and protection.
When it comes to dealing with suspicious emails, the best defense is caution. Emails that claim to be from your HR department or university leadership—especially those referencing payroll, benefits, or urgent issues—should be treated with skepticism. Never click on links or download attachments unless you have verified their authenticity through a known contact method, such as calling the HR office directly or sending an email to a previously confirmed address. Cybercriminals often design phishing emails to provoke panic or urgent action, so taking a moment to confirm the information can prevent costly mistakes.
Installing reputable antivirus software on all your devices is another critical layer of defense. Modern antivirus
