Is your higher education institution at risk from payroll fraud? Here’s what to know and how to prepare.

More higher education institutions are reporting incidents of payroll fraud. And the damage often goes beyond just financial, with your reputation and employee morale also at risk.

Is your institution at risk? Keep reading to find out — and learn how to strengthen your cybersecurity to protect against an attack.

How common is payroll fraud in higher education?

Leaders at colleges, universities and other higher education institutions are typically hesitant to speak publicly about any payroll fraud or other cybersecurity incidents they have experienced. That makes hard data difficult to come by.

This doesn’t mean these incidents don’t happen. In fact, 2025 saw a major payroll fraud attack by a group known as Storm-2657.

• During this attack, members of the group gained access to 11 separate user accounts at three different universities.
• They then used that access to send phishing emails to roughly 6,000 employees at dozens of other universities, dramatically increasing the scope of risk.
• This attack made enough of a ripple that Microsoft felt compelled to publish a blog post on how it was responding to the problem. Other similar attacks have also been documented.
• Of the 500 employees who received one specific email sent during the Storm-2657 attack, only 10% reported it as a phishing attempt.

How does payroll fraud typically occur in higher education?

Payroll fraud can be carried out by employees within an organization. But most recently reported higher education payroll fraud has come via an external cyberattack, typically a phishing scam.

Here’s how it usually works: You get a phishing email with a link. When you click on the link, hackers use it to gain access to your email. They then change your setting to automatically delete emails coming from your HR system, use your credentials to access your HR system and change the bank account for your direct deposit.

You won’t even notice anything is wrong — until payday, when your paycheck doesn’t show up.

What kind of damage does a typical payroll fraud incident cause at a higher education institution?

Payroll fraud within a higher education institution can lead to financial, operational and reputational damages. Your employees may also experience significant frustration if their personal finances are affected as a result of a fraud incident.

• Financial damage: Exact dollar amounts are typically not reported. However, the Association of Certified Fraud Examiners (ACFE) has estimated that median losses per fraud incident (across all types, not just payroll) are approximately $50,000. Other ACFE data suggests some fraud incidents can reach financial losses as high as $1 million.
• Operational damage: Your systems may experience significant downtime as you work to recover from a successful payroll fraud incident, especially if it involves a cyberattack.
• Reputational damage: Your reputation can be affected by a successful fraud incident, with donors potentially less likely to feel comfortable giving to your institution.
• Damaged morale: Employees who miss paychecks as a result of an attack will understandably be frustrated and may even experience significant personal consequences should they have to delay paying bills.

How should higher education leaders improve cybersecurity to prevent payroll fraud?

CFOs and CIOs at universities and other higher education institutions should actively strengthen their cybersecurity posture to prevent payroll fraud and other phishing-related attacks. Key steps include doing a cybersecurity audit, implementing phishing training, deploying multifactor identification (MFA) and putting additional security controls in place.

1. Do a cybersecurity audit

Bring in a third-party cybersecurity advisor to assess your current controls and cybersecurity defenses. This will help you identify any gaps in your systems that need to be filled in to better protect your institution from a fraud incident or attack.

2. Implement MFA

If your institution doesn’t already have MFA in place, you need to do that immediately. Rather than receiving an MFA code via text or email, the most effective form involves using an authenticator app or a passkey, which will make it dramatically harder for a phishing attack to compromise your systems.

3. Provide regular phishing training

Your whole team needs to receive regular phishing training. This can’t just happen once a year, either. It should be frequent enough to keep phishing scams top of mind for all your team members, so that if they do receive a phishing email, they will be less likely to click through and more likely to report it.

4. Consider additional controls

Consider whether you need to implement additional controls to prevent payroll fraud. For example, this could include something as simple as ensuring that when an employee’s user account makes a payroll-related change, an HR team member gets an email about the change. Or it could also mean requiring any changes to an employee’s direct deposit account to be done in person or be requested over a video call.

5. Conduct ongoing network monitoring

Monitor your network for potential threats continuously. This includes tracking unusual sign-in locations and looking for other anomalies that may indicate a hacker is trying to gain access to your systems.

How Wipfli can help

We advise organizations about how to protect against cybersecurity attacks and fraud. Let’s talk about how we can strengthen your defenses to safeguard your team, assets and reputation. Start a conversation.

Read more

• Cybersecurity is a major financial risk for your organization
• Boosting cybersecurity in schools after PowerSchool data breach
• Cybersecurity strategies for mid-market leaders