Beware of payroll-themed phishing. Here’s one example.

Share Now


Last week, the Internet Crime Complaint Center (IC3) published a public service announcement on cybercriminals disseminating payroll-themed phishing emails. These phishing emails, often imitating financial organizations, contain alluring content such as an enticing subject line or use social engineering techniques to convince targets that the email is from a legitimate source.

Cofense Intelligence™ has observed payroll-themed phishing lures requesting targets to view an embedded link or download an attached file. The emails typically deliver credential phishing links or malware that is tasked with stealing the target’s financial and personal credentials.

Recently, Cofense Intelligence analyzed a payroll-themed phish distributing the TrickBot malware, Figure 1. While the phishing lure is simple, it does entice the recipient to view the attached document by using an eye-catching subject line and a “confidentiality notice” to convince targets of its legitimacy.

Figure 1: A payroll-themed phishing email received by Cofense Intelligence

The email has an attached Microsoft Office Excel spreadsheet containing a hostile macro script used to download and run the TrickBot malware on the target’s machine. TrickBot targets multiple financial institutions and intercepts relevant internet traffic and exfiltrates it to the threat actors via the command and control locations. TrickBot can also make use of a large suite of plugins which enable it to inject into web browsers, steal email credentials, and operate as a worm, spreading laterally within a LAN via SMB exploitation.

See anything odd in this email?

While the sender’s address (redacted) was spoofed to look internal, there are still a few things that raise red flags. First, there’s no greeting or introduction. It just launches into the message. Second, given the subject’s importance the message is very bare-bones—a single incomplete sentence not even graced by a verb. Third, if you’re not in Payroll or some other part of Finance, why would you receive this? For most recipients, the context wouldn’t make sense.

It’s important to educate and empower users to recognize and report suspicious emails. The following tips will help your users avoid falling victim:

  • Attackers have the ability to make phishing emails look incredibly enticing. Verify that the email comes from a trusted source.
  • Pay attention to the language of the email and note any grammar mistakes.
  • Stay alert! Social engineering is a common technique used by attackers. Use caution if a suspicious email seems convincing.
  • Avoid re-using passwords.
  • Avoid sharing personally identifiable information (PII) over email.
  • Always make sure to verify if a website is legitimate.
  • If an email does seem suspicious, avoid interacting with the sender and instead report it!

To keep up with the latest phishing and malware developments, sign up for free Cofense Threat Alerts.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.

This site is registered on as a development site.