{"id":212507,"date":"2026-02-11T08:00:00","date_gmt":"2026-02-11T13:00:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/02\/11\/payroll-pirates-conned-the-help-desk-stole-employees-pay-the-register\/"},"modified":"2026-02-12T01:15:11","modified_gmt":"2026-02-12T06:15:11","slug":"payroll-pirates-conned-the-help-desk-stole-employees-pay-the-register","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/02\/11\/payroll-pirates-conned-the-help-desk-stole-employees-pay-the-register\/","title":{"rendered":"Payroll pirates conned the help desk, stole employee\u2019s pay \u2022 The Register"},"content":{"rendered":"<p><a href=\"https:\/\/www.theregister.com\/2026\/02\/11\/payroll_pirates_business_social_engineering\/\">Payroll pirates conned the help desk, stole employee\u2019s pay \u2022 The Register<\/a><\/p>\n<p><a href=\"https:\/\/www.theregister.com\/2026\/02\/11\/payroll_pirates_business_social_engineering\/\">https:\/\/www.theregister.com\/2026\/02\/11\/payroll_pirates_business_social_engineering\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-02-11 08:00:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.theregister.com\">www.theregister.com<\/a><\/p>\n<p><span class=\"label\">Exclusive<\/span> When fraudsters go after people&#8217;s paychecks, &#8220;every employee on earth becomes a target,&#8221; according to Binary Defense security sleuth John Dwyer.<\/p>\n<p>In December 2025, managed detection and response outfit Binary Defense&#8217;s threat research group ARC Labs investigated a security incident in which a thief redirected a physician&#8217;s salary into their own account using a very simple attack that started with a help-desk call.<\/p>\n<p>&#8220;This was a combination of exploiting people and processes rather than technology,&#8221; Dwyer, the deputy CTO and head of Arc Labs, told The Register in an exclusive interview. &#8220;It&#8217;s technology-adjacent. This was identity theft from pure-play social engineering into exploiting a weaker-than-advised process internally to gain access.&#8221;<\/p>\n<p>In a report shared exclusively with The Register, Dwyer and co-authors Danny Dubree and Eric Gonzalez detailed how the attacker used compromised credentials belonging to a shared mailbox at a healthcare facility. Binary Defenses\u2019 incident responders can&#8217;t say for certain how the attacker obtained the credentials. Dwyer said his team found no evidence of phishing and assumes the miscreant obtained the email login info from an earlier breach.<\/p>\n<p>Once the attackers gained access to the mailbox, they snooped around and determined whose identity to assume when calling the help desk to request a password and multi-factor authentication (MFA) reset.<\/p>\n<p>In this case, the attacker pretended to be a physician locked out of their account and thus unable to treat patients.<\/p>\n<p>&#8220;The call basically went that this person can&#8217;t log into their account, they have patients they need to see right now, they need to get immediate access,&#8221; Dwyer said. The fake physician&#8217;s name and access-level checked out, so the help desk employee reset the password and MFA token. This gave the attacker access to&#8230;<\/p>\n<p><a href=\"https:\/\/www.theregister.com\/2026\/02\/11\/payroll_pirates_business_social_engineering\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Payroll pirates conned the help desk, stole employee\u2019s pay \u2022 The Register https:\/\/www.theregister.com\/2026\/02\/11\/payroll_pirates_business_social_engineering\/ Publish Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":212508,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/regmedia.co.uk\/2022\/08\/09\/pirate_eye_patch_shutterstock.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[30,25],"class_list":["post-212507","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-breach","tag-phishing"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/212507"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=212507"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/212507\/revisions"}],"predecessor-version":[{"id":212509,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/212507\/revisions\/212509"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/212508"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=212507"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=212507"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=212507"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}