For years, cybercriminals have focused their efforts on finance systems, corporate networks and IT infrastructure. But this focus has now shifted. Today, it’s not just the servers or firewalls under siege – it’s the people who manage them. More specifically, it’s the HR and payroll professionals sitting at the intersection of people, data and business processes.
Microsoft recently warned of a new wave of so-called “payroll pirates” – attackers who hijack employee accounts to divert salaries, using realistic phishing emails to harvest login details. These aren’t the crude “Nigerian prince” scams of the past. They’re AI-powered, data-driven and disturbingly convincing. And as a result, HR has become their favourite new hunting ground.
The perfect storm for deception
Few other business functions are more exposed to high pressure and fast pace than HR. Whether it’s onboarding new starters, processing payroll changes, or fielding urgent requests from executives, HR teams are constantly managing high-stakes tasks against tight deadlines, and scammers know this. They thrive on urgency, distraction and trust: three things baked into HR’s daily routine.
Imagine receiving a message that appears to come from your finance director, urgently requesting a salary update before payroll closes. The email address looks right. The signature is perfect. Even the tone of voice feels authentic. Under pressure, who would pause to double-check? Increasingly, that’s all it takes for cybercriminals to slip past defences and into systems that hold everything from bank details to National Insurance numbers.
What makes this so deceptive is that HR has become both a target and a conduit. Once attackers compromise a single HR account, they gain access not just to sensitive employee data, but also to the internal workflows that connect to finance, IT, and operations. A single breach can cause ripple effects across an organisation within hours.
Deepfakes, cloned portals and fake candidates
The explosion of generative AI has supercharged this problem. What once took days of research and manual effort can now be executed in minutes. Deepfake audio can recreate an executive’s voice. AI-written messages can mimic internal tone and formatting. Entire job applications, complete with fabricated CVs and LinkedIn profiles, can be generated to infiltrate HR systems from within.
In one recent case, scammers used deepfake video calls to impersonate real job candidates, securing remote-working roles to steal intellectual property once inside the network. It may sound like the plot of a spy film, but it’s happening in recruitment teams right now.
Technology isn’t evil in itself, of course. But its misuse is reshaping the threat landscape faster than most organisations can adapt. Criminals don’t need to break through complex security walls when they can simply trick humans into doing their dirty work.
The phishing epidemic
Phishing remains the number-one weapon of choice for cybercriminals, and HR is squarely in the firing line.
An estimated 3.4 billion phishing emails are sent every day. Many are generic, but an increasing proportion are tailored to specific departments and roles. HR inboxes are goldmines for this approach because they regularly receive genuine external communications, be it from jobseekers, suppliers, benefits providers or regulatory bodies. That constant inflow of legitimate mail creates the perfect cover for malicious ones.
These emails don’t always carry obvious red flags. They might reference an open vacancy, an internal policy update, or even a disciplinary procedure. Some include attachments disguised as CVs or references. Others direct recipients to cloned login portals that look indistinguishable from the real HR software they use daily. One careless click is all it takes to hand over credentials or download malware capable of logging keystrokes and stealing data silently.
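The “finance director needs a salary update before payroll closes” lure and the look-right-but-wrong sender address described above can be caught with a simple triage check before anyone acts on the request. The following is an added example, not code from the article or from Cezanne HR; the internal domain, the staff directory and the message contents are constructed sample values, and the hypothetical `triage` function returns reasons a message should be held for out-of-band verification rather than processed.

```python
"""Hold payroll-change emails for verification when the sender looks spoofed or the
request is both urgent and about pay or bank details (constructed example)."""
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-hr.co.uk"  # constructed sample domain
# Constructed sample directory: display name (lower-case) -> the mailbox it should use.
DIRECTORY = {"jane smith": "jane.smith@example-hr.co.uk"}
URGENCY = re.compile(r"\b(urgent|before payroll closes|asap|today)\b", re.I)
PAYROLL = re.compile(r"\b(salary|bank details|sort code|account number|payroll)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(from_header: str, subject: str, body: str) -> list:
    """Return the reasons a message should be held for out-of-band verification."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    reasons = []
    # A domain one or two characters away from ours is a classic look-alike.
    if domain != INTERNAL_DOMAIN and edit_distance(domain, INTERNAL_DOMAIN) <= 2:
        reasons.append(f"lookalike domain: {domain}")
    # A known colleague's name on an address the directory does not list.
    expected = DIRECTORY.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append(f"display name '{name}' does not match directory address {expected}")
    # Urgency plus a pay or bank-detail change is exactly the payroll-pirate pattern.
    text = f"{subject}\n{body}"
    if PAYROLL.search(text) and URGENCY.search(text):
        reasons.append("urgent payroll/bank-detail change request")
    return reasons
```

Any non-empty result means the request is confirmed by phone or in person with the named colleague, using a number from the directory rather than one in the email.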
The most alarming aspect is that many HR professionals still see cybersecurity as an IT problem. It isn’t. It’s a people problem, one that exploits human behaviour far more than any technical weakness; as the saying goes, you are only as strong as the weakest link.
A human issue, not a technical one
Technology alone can’t stop a well-crafted phishing email or a convincing voice note. Firewalls don’t feel pressure. Antivirus software doesn’t experience fatigue. People do. That’s why cyber resilience has to be reframed as a shared responsibility that extends well beyond the IT department and becomes everyone’s concern.
HR professionals manage some of the most sensitive information in any business – payroll data, disciplinary records, medical notes, and identification documents. A breach doesn’t just carry financial risk; it damages trust, morale and employer reputation. When employees share their personal data, they assume it will be protected. That trust, once lost, is incredibly difficult to rebuild.
Yet, in many organisations, HR and payroll teams remain under-resourced when it comes to cybersecurity awareness and tooling. Training often stops at “don’t click suspicious links” and “don’t open unsolicited attachments” as if instinct can outsmart a synthetic voice or AI-generated email. Traditional “trust your gut” advice simply doesn’t cut it anymore. Deception has evolved. It has become relentless, and as a result, defences must evolve with it.
The culture shift that’s needed
The most secure organisations aren’t necessarily those with the most advanced software. They’re the ones that treat cybersecurity as a cultural norm rather than a compliance checkbox. Encouraging employees to question unusual requests, even if they appear to come from senior leaders, should be celebrated, not frowned upon.
Similarly, HR teams need the psychological safety to pause, verify and escalate without fear of slowing down business processes. That small moment of hesitation can be the single biggest barrier between an attempted scam and a six-figure data breach.
We live in a business world which is expected to run a mile a minute, but consideration and communication are key. Cyber incidents rarely start with a “big hack”; they begin with a missed email or an unverified request. Fostering collaboration between HR, IT, and compliance allows organisations to address issues proactively, rather than being forced into reactive responses when something goes wrong.
The new frontline of trust
The irony is that HR has always been the department most focused on trust, wellbeing and human connection. Yet that very trust is now what criminals exploit.
As automation and AI continue to reshape work, the lines between authentic and artificial communication will only blur further. HR professionals have now also become the guardians of digital trust.
We’ve already seen high-profile examples outside HR that illustrate what’s at stake. A UK energy firm was tricked into transferring €220,000 after a fraudster used AI to clone the voice of its CEO. The same techniques are now being repurposed for payroll, recruitment and employee data theft – often with far less media coverage but equally damaging consequences.
The new reality
As we move into an era where AI can mimic voices, faces and writing styles with near-perfect accuracy, the old rules no longer apply. Gut instinct is unreliable. Verification is essential. And HR, once seen as an administrative back office, has become the new frontline in the fight against digital deception.
The Autumn Budget may bring funding for innovation and productivity for businesses, but unless organisations also invest in the human side of security, we’ll continue to see breaches that start not with malicious code, but with an ordinary email on a busy Tuesday morning.
Because in the end, cybersecurity isn’t about technology. It’s about people and the people who protect them.
Sarah Griffiths is a seasoned compliance and data protection professional. Her current role is Compliance Manager and Data Protection Officer at Cezanne HR, where she has spent the past three years ensuring robust governance and adherence to information security standards.
With a strong background in customer service and IT operations from her time at Agilico Systems, and earlier experience in business development at Ecolution Group, Sarah brings a broad operational perspective to her compliance role. She is a Certified Data Protection Officer (PECB) and holds an ISO 27001 Lead Implementer certification from BSI, reflecting her expertise in managing data protection frameworks and information security compliance.