Cyber security threats don’t just target big corporations. They strike local authorities, schools, and any organisation managing sensitive data.
A recent incident, involving compromised school staff accounts and payroll fraud, highlights how attackers exploit weak links and illustrates what steps we must take to keep our systems and people safe.
This is a real attack. We’ve anonymised it so we can share the experience: how the people involved handled it, what they learned, and what you can do to check that your own systems aren’t at risk in the same way.
Members, you can log in to access all the detail you need to check and secure your own systems.
Discovering the incident
Some background
Local authorities operate payroll services not only for themselves but for employees in partner organisations, such as schools. These systems offer a self-service portal so staff can view payslips and update personal information – bank details, for instance.
In the case we’re focusing on here:
To access these self-service portals, external staff (in schools and so on) are authenticated using Entra ID B2B accounts linked to their work email addresses, with Multi-Factor Authentication (MFA) strictly enforced on the local authority side.
Reporting a problem to payroll
This incident began when a local school contacted their payroll team, reporting that two teachers hadn’t received their salary. Investigations by the team showed that the payments had been processed as usual. However, conversations with the school revealed that both teachers’ school email accounts had been hacked. Further checks showed their payroll bank details had been changed and salaries had been paid to an unknown account. That money was now lost.
Figuring out what happened and how
The payroll support and help desk teams were able to work out what had taken place and where a vulnerability had been created and exploited.
The starting point
The school had deliberately chosen not to use MFA on its email accounts, even though it was in place for the self-service portal, citing classroom phone bans imposed under its safeguarding policies.
Vulnerability found
Attackers compromised two email accounts via a password spray attack, with the users themselves unaware of the breach, meaning access may have been gained weeks before the fraud. From one of the compromised accounts, the attacker requested that the Entra ID account’s email be changed to the school’s own address (which was already breached). The attacker then asked payroll support to reset the self-service portal password and MFA credentials.
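As an added illustration (not part of the original case study, and not the authority’s or the school’s own tooling), the following Python rule shows the sign-in shape a password spray leaves in an email system’s logs: one source producing a few failures against many accounts, never enough per account to trigger lockout, followed by a success. The log records, addresses and field layout are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real logs); the field layout is assumed:
# (timestamp, user, source_ip, result).
SIGN_INS = [
    ("2025-03-03T07:58:02", "a.khan@example-school.sch.uk", "203.0.113.7", "fail"),
    ("2025-03-03T07:58:04", "b.lee@example-school.sch.uk", "203.0.113.7", "fail"),
    ("2025-03-03T07:58:05", "c.ortiz@example-school.sch.uk", "203.0.113.7", "fail"),
    ("2025-03-03T07:58:07", "d.patel@example-school.sch.uk", "203.0.113.7", "fail"),
    ("2025-03-03T07:58:09", "e.smith@example-school.sch.uk", "203.0.113.7", "fail"),
    ("2025-03-03T07:58:11", "f.wong@example-school.sch.uk", "203.0.113.7", "fail"),
    ("2025-03-03T07:59:40", "c.ortiz@example-school.sch.uk", "203.0.113.7", "success"),
    # A single user mistyping their own password twice is not a spray.
    ("2025-03-03T08:15:00", "a.khan@example-school.sch.uk", "198.51.100.20", "fail"),
    ("2025-03-03T08:15:30", "a.khan@example-school.sch.uk", "198.51.100.20", "fail"),
    ("2025-03-03T08:16:00", "a.khan@example-school.sch.uk", "198.51.100.20", "success"),
]


def detect_password_spray(records, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=3):
    """Return {source_ip: {"targets": set, "succeeded": set}} for each source that,
    inside one sliding window, fails against at least `min_accounts` distinct users
    while keeping failures per user at or below `max_per_account` (the spray shape).
    "succeeded" lists targeted accounts that later signed in from the same source,
    which is the review queue for a possible compromise."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in records:
        by_ip[ip].append((datetime.fromisoformat(ts), user, result))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        fails = [(t, u) for t, u, r in events if r == "fail"]
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for t, u in fails[i:]:
                if t - start > window:
                    break
                per_user[u] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                hits = {u for t, u, r in events if r == "success" and u in per_user}
                flagged[ip] = {"targets": set(per_user), "succeeded": hits}
                break  # one finding per source is enough for triage
    return flagged
```

Accounts in the "succeeded" set are the ones to treat as potentially breached long before any payroll anomaly appears, which is the gap the case study describes.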
Vulnerability used
Payroll support followed the process: verifying the name, date of birth, NI number, and place of work, all of which the attacker had found in the compromised account’s sent emails. Once the self-service portal reset instructions were sent to the compromised account, the attacker changed the password, reset MFA, and updated the bank details to a Monzo account.
Fraud
On the next payroll run, salaries were paid into the attacker’s account. The loss was only discovered when the teachers noticed missing pay.
The immediate response
The help desk:
- Locked both of the compromised self-service portal Entra ID accounts.
- Instructed the school to change passwords and implement stronger password policies for their email system.
- Advised the school to contact their ISP and urgently implement MFA for all email accounts.
- Told the school that any passwords not meeting the stronger policies had to be reset.
- Reported the incident to Action Fraud and relevant information governance teams.
Changes made and underway
- The payroll help desk now requires more – and periodically changing – verification details for credential resets: reducing the risk of replay attacks using previously leaked information.
- Consideration is being given to confirming sensitive changes (like email or bank details) by phone, though maintaining updated contact information for thousands of payees is a challenge.
- All support areas managing Entra ID accounts have been reminded to robustly verify reset requests.
- Guidance to all schools has been updated, emphasising the importance of MFA and practical alternatives (such as hardware tokens) when phones aren’t allowed.
- They are exploring whether to restrict payroll payments to certain banks (like Monzo, which has a reputation for weaker account verification), and whether to suspend the self-service bank detail change feature in OCS, possibly shifting to a verified phone-based process for such changes.
- Assessing whether third-party identity vendors offer stronger protections than the current Entra ID setup.
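To show how the correlation behind these changes can be enforced before money leaves, here is an added example (not the authority’s payroll, OCS or help desk code): it holds any self-service bank detail change that follows an email, password or MFA reset within a lookback window, so the change is confirmed out of band before the next payroll run. The audit event format and payee IDs are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed self-service / help desk audit events (assumed layout, not the page's system):
# (timestamp, payee_id, event_kind).
EVENTS = [
    ("2025-02-10T09:12:00", "payee-1041", "email_change"),     # attacker's first step
    ("2025-02-10T09:40:00", "payee-1041", "password_reset"),   # help desk reset
    ("2025-02-10T09:41:00", "payee-1041", "mfa_reset"),
    ("2025-02-10T10:05:00", "payee-1041", "bank_change"),      # minutes later
    ("2025-01-03T14:00:00", "payee-2077", "bank_change"),      # no recent credential event
    ("2025-02-20T11:00:00", "payee-3090", "password_reset"),
    ("2025-02-24T11:00:00", "payee-3090", "bank_change"),      # four days later
]

# Events that weaken confidence in who controls the account.
RISK_EVENTS = {"email_change", "password_reset", "mfa_reset"}


def bank_changes_to_hold(events, lookback=timedelta(days=30)):
    """Return {payee_id: [reasons]} for bank-detail changes that follow a risk
    event within `lookback`. Held changes are not applied to the payroll run
    until confirmed by phone on a contact number recorded before the change."""
    parsed = sorted((datetime.fromisoformat(ts), payee, kind)
                    for ts, payee, kind in events)
    recent = {}   # payee_id -> list of (time, kind) risk events seen so far
    holds = {}
    for t, payee, kind in parsed:
        if kind in RISK_EVENTS:
            recent.setdefault(payee, []).append((t, kind))
        elif kind == "bank_change":
            reasons = [f"{k} at {rt.isoformat()}"
                       for rt, k in recent.get(payee, []) if t - rt <= lookback]
            if reasons:
                holds[payee] = reasons
    return holds
```

A change that was genuinely requested by the payee costs one phone call; one made by an attacker never reaches the BACS file.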
Lessons learned and call to action
- Operational convenience must never outweigh security. The lack of MFA on school email accounts was a critical factor in this attack.
- Attackers will use previous communications. Hackers exploit sensitive data contained in sent emails.
- Vulnerability is often highest where budgets and IT expertise are lowest. Primary schools, in particular, need more support and practical guidance.
- Verification processes should be dynamic and multi-layered. Out-of-band checks and regular updates to verification procedures are essential.
- Effective incident response requires rapid action and clear escalation paths. Knowing who to contact and what to do can limit damage.
This incident demonstrates a clear and present danger. Attackers are actively targeting help desks and exploiting compromised accounts with social engineering. The financial and reputational harm is real and immediate.
Every help desk and partner organisation must review and strengthen identity verification, enhance staff training, and enforce robust security practices like MFA, regardless of operational inconvenience. Investing in upstream defences protects critical data, staff well-being, and the public trust.
Let this be a wake-up call for all of us handling sensitive data: vigilance, robust processes, and a culture of security awareness are our first, and best, lines of defence.
Never underestimate social engineering
Attackers frequently create a sense of urgency to pressure the help desk agent into bypassing standard verification procedures. Any request that demands immediate action, comes from a user asking for help after returning from vacation, or claims a P1 system outage needs extra scrutiny.
The incident highlights the risk when partners, paid through their local authority system, do not use MFA for their own email accounts. It makes them so much easier for attackers to compromise.
While issues such as classroom phone bans are challenging, encourage and assist these organisations in implementing MFA for critical systems like email. It’s a vital first layer of protection against broader security threats.
People
The human element is central to both vulnerabilities and solutions in credential theft. This must be balanced against the perceived financial losses that could occur if there is a failure to act, as well as an understanding of the reduction in harm to staff and the organisation that prevention brings.
Preventing attacks can mitigate staff anxiety, distress, and potential sickness arising from personal financial loss or the guilt felt by people who, through no fault of their own, became victims of crime. Treating affected individuals with understanding and kindness is vital. They are victims, not perpetrators.
Guidance for preventing credential theft
We’ve identified five key priorities every school and local authority help desk should address. From identity verification best practices to clear escalation procedures, these steps can make the difference between stopping an attack and enabling one. All designed to reduce risk, protect users, and meet governance expectations.
Log in to view the following resources.
For help desk staff:
- Infographic: Five action points for local authority help desk staff
- Credential theft prevention guide for help desks
For school leaders:
