By NHI Mgmt Group Editorial Team
Published 2025-08-26
Domain: Governance & Risk
Source: 1Kosmos

TL;DR: University payroll and refund fraud succeeds when stolen credentials are treated as proof of ownership, allowing attackers to reroute deposits through self-service portals, according to 1Kosmos. The real failure is not payment processing, but identity verification at the moment sensitive account changes occur.


At a glance

What this is: An analysis of direct deposit fraud in universities, showing that credential-only trust lets attackers quietly redirect payroll and refund payments.

Why it matters: IAM, IGA, and fraud-prevention teams need stronger step-up verification when financial or account changes are made, especially where human identities control high-impact payouts.

By the numbers:

👉 Read 1Kosmos's analysis of direct deposit fraud and campus identity checks


Context

Direct deposit fraud is a human identity abuse pattern, not a systems outage. The attacker does not need to break payroll infrastructure if the portal accepts a password as proof that the person behind the screen is the rightful account owner.

Universities are unusually exposed because they combine high transaction volume, frequent onboarding, and self-service account maintenance across disconnected HR, payroll, and bursar systems. That combination creates a wide fraud surface where credential compromise can be converted into financial diversion with little resistance.

In this environment, the core governance problem is identity assurance at the point of change. The article's starting position is typical for large institutions with decentralized administration and low-friction self-service controls.


Key questions

Q: How should universities stop direct deposit fraud when credentials are stolen?

A: Universities should require step-up identity verification at the point where bank details change, not only at login. That means stronger proof of personhood, account ownership checks, and contextual risk scoring before any payroll or refund reroute is approved. Passwords alone are not enough once credentials can be phished or reused.

Q: Why do self-service payroll portals create fraud risk?

A: Self-service portals create fraud risk when they treat session access as authority to change payment destinations. If an attacker steals valid credentials, they can often update direct deposit details without malware or alerting defenders. The weaker the verification at the change event, the easier it is to convert access into financial loss.

Q: What do institutions get wrong about direct deposit changes?

A: They often treat bank-detail updates as administrative tasks instead of high-risk identity events. That mindset misses the core threat, which is that a financial instruction can be issued by an impersonator who only needs a compromised login. Strong governance requires re-verification, recipient validation, and context-aware controls.

Q: Who is accountable when payroll fraud succeeds through a compromised account?

A: Accountability usually spans IAM, payroll operations, and the business owner of the payout process. If the institution does not define ownership for bank-detail changes, the gap between identity control and payment control becomes the attacker's advantage. Clear control ownership and audit trails are essential for review and remediation.


Technical breakdown

Credential compromise becomes account takeover

The fraud chain begins when an attacker obtains valid login credentials through phishing, password reuse, or stolen sessions. Once authenticated, the attacker is no longer behaving like an external intruder to the payroll or student portal. They are acting as a legitimate user from the system's perspective, which is why weak authentication alone is not enough to protect payout workflows. The technical issue is that identity proof at sign-in is decoupled from proof at the moment of financial change, so step-up checks must be bound to the sensitive transaction, not just the initial session.

Practical implication: require stronger identity verification when a user changes bank details, not only when they log in.

Self-service portals turn access into financial diversion

Direct deposit change flows are especially attractive because they are fast, low visibility, and often designed for convenience. If the portal allows a user to update banking information without out-of-band confirmation, the control plane is effectively trusting session possession as authority to move money. That is an identity governance failure, not a payroll failure. The portal is acting on an unverified assertion that the person making the request is the account owner and that the destination account is legitimate, so a secure change workflow must validate both the person and the receiving account.

Practical implication: add independent verification of the person and the destination account before any payout detail change is accepted.

Disconnected systems widen the fraud window

Universities often split authority across HR, payroll, bursar, and benefits systems. When those systems do not share a common risk engine, a change in one place may not trigger review elsewhere. That fragmentation creates a governance gap: the institution can know a user exists without knowing whether the user, device, context, and destination account are trustworthy at the moment of payment rerouting. Fraudsters exploit the gap by moving quickly after compromise, before manual review catches up, which is why identity signals need to be coordinated across systems so payout changes are scored consistently.

Practical implication: unify identity and risk signals across HR, payroll, and student finance workflows before approving payout changes.


Threat narrative

Attacker objective: The attacker aims to divert scheduled payroll or refund payments into an account they control before the victim notices.

  1. Entry occurs through phishing or stolen credentials that let the attacker authenticate as a student, faculty member, or worker.
  2. Escalation happens when the attacker uses the valid session to reach payroll or self-service payment settings and replace the legitimate bank account with a mule account.
  3. Impact follows when the next paycheck, stipend, or refund is sent to the attacker-controlled account, creating direct financial loss and downstream remediation costs.



NHI Mgmt Group analysis

Credential possession is not identity ownership: This fraud works because too many institutions still treat password success as proof of rightful account control. That assumption was designed for low-risk access, not for changing where money is sent. Once credentials are compromised, the institution has no assurance that the actor making the request is the genuine account owner. The implication is that payout changes need stronger identity assurance than sign-in alone can provide.

Direct deposit changes are a privileged identity action: A bank account update is not routine self-service. It is a high-impact financial instruction that should be governed like a privilege escalation event because the consequence is immediate money movement. Universities that leave this inside ordinary account maintenance create an attack path that is cheap for fraudsters and expensive to unwind. Practitioners should classify payout changes as a high-risk identity workflow.

Fragmented campus systems create fraud continuity: HR, payroll, bursar, and student portals often enforce different checks, which lets an attacker move through the institution faster than review can follow. That is a governance continuity problem, not just a technical one. If one system verifies the user and another system blindly accepts the bank update, the institution has created a handoff point where fraud becomes durable. Practitioners need consistent identity signals across the full payment lifecycle.

Risk-based verification is the missing control boundary: The article points to what we call identity change assurance: the requirement to re-verify the person, the account, and the context at the exact moment a sensitive financial destination is altered. That boundary is where university identity governance either stops fraud or simply records it after the fact. Practitioners should move assurance to the change event itself, not rely on login state.

Campus fraud should be treated as identity governance debt: The operational cost is not only stolen funds. It is replacement payments, support workload, and trust erosion across students and staff. That makes this a lifecycle governance issue, because onboarding many new users while keeping payout changes lightly controlled creates repeated exposure. Practitioners should align payment-change controls with the same seriousness as access certification for other high-risk entitlements.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to GitGuardian & CyberArk.
  • The control lesson carries forward in the Guide to the Secret Sprawl Challenge, which shows how hardcoded credentials and secret sprawl turn small weaknesses into recurring exposure.

What this signals

Identity change assurance: Universities and other high-volume organisations need to separate sign-in from change authority. A trusted session is not the same thing as a trusted payment instruction, which is why fraud controls must move closer to the transaction boundary and away from the login screen.

The broader signal is that human identity governance is still too often designed around account access, not account alteration. Where payroll, bursar, and HR systems remain fragmented, attackers can convert one compromised credential into many small, hard-to-detect losses that look operational until the money is gone.

The pattern maps cleanly to least privilege and zero trust thinking, but the practical test is whether a payment reroute requires fresh evidence, shared risk context, and a reviewable trail. If it does not, the institution is still trusting the password more than the person.


For practitioners

  • Treat bank-detail changes as high-risk identity events: Require step-up identity verification before any direct deposit or refund routing change is accepted. Use stronger proof than a password, and make the control mandatory for all faculty, students, contractors, and student workers.
  • Verify the recipient account independently: Confirm that the destination bank account is owned by the verified user before any payroll or refund switch is approved. If ownership cannot be validated, hold the change for manual review.
  • Trigger risk checks on context shifts: Score requests more aggressively when they come from a new device, unusual location, or recently compromised account. Do not let convenience flows override suspicious context in payment-related workflows.
  • Unify identity signals across campus systems: Feed HR, payroll, and bursar changes into a shared review process so one portal cannot bypass another. Consistent signal handling reduces the chance that an attacker can exploit a weak handoff between systems.
  • Escalate payout workflows into lifecycle governance: Fold direct deposit changes into access review and identity lifecycle controls for high-risk users and payment roles. A payment destination is part of the identity's financial footprint and should be governed accordingly.
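The controls described in the Technical breakdown and in the list above (step-up bound to the change event, independent recipient validation, context-based risk scoring, one risk engine shared by every campus portal, and a reviewable trail) combined into a single authorisation check. This is an added example written for this post, not code from 1Kosmos or NHI Mgmt Group; the Session and PayoutChange fields, the risk weights, the five-minute step-up window and the hold/deny thresholds are assumptions chosen for illustration, and the sample request in the main block is constructed.

```python
"""
Authorisation check for a direct-deposit (payout destination) change.

Added example for this post, not code from 1Kosmos or NHI Mgmt Group.
Field names, risk weights, the step-up window and the thresholds are
assumptions used to illustrate the controls the post describes.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

STEP_UP_MAX_AGE = timedelta(minutes=5)  # assumed: step-up must be recent, not "earlier this session"
HOLD_THRESHOLD = 40                     # assumed: at or above, hold the change for manual review
DENY_THRESHOLD = 80                     # assumed: at or above, reject the change outright


@dataclass
class Session:
    user_id: str
    step_up_verified_at: Optional[datetime]  # last non-password verification; None if never
    device_known: bool                       # device previously seen for this user
    geo_matches_history: bool                # request location consistent with prior activity
    recently_compromised: bool               # flagged by fraud/IR within the lookback window


@dataclass
class PayoutChange:
    user_id: str
    source_system: str                  # "hr", "payroll" or "bursar"; all call the same engine
    new_account_ref: str                # opaque reference, not the raw account number
    recipient_ownership_verified: bool  # out-of-band proof the destination belongs to this user


@dataclass
class Decision:
    outcome: str                        # "approve", "hold" or "deny"
    risk_score: int
    reasons: list = field(default_factory=list)


def score_context(session: Session):
    """Shared risk scoring so HR, payroll and bursar apply identical weights."""
    score, reasons = 0, []
    if not session.device_known:
        score += 30
        reasons.append("unknown device")
    if not session.geo_matches_history:
        score += 25
        reasons.append("unusual location")
    if session.recently_compromised:
        score += 60
        reasons.append("account recently compromised")
    return score, reasons


def evaluate_payout_change(change: PayoutChange, session: Session, now: datetime) -> Decision:
    # 1. The session must belong to the user whose payout is being redirected.
    if change.user_id != session.user_id:
        return Decision("deny", 100, ["session user does not match change subject"])

    # 2. Step-up must be bound to the change event, not only to the earlier login.
    verified = session.step_up_verified_at
    if verified is None or now - verified > STEP_UP_MAX_AGE:
        return Decision("deny", 100, ["no fresh step-up verification for this change"])

    # 3. Context risk, scored the same way whichever portal raised the request.
    score, reasons = score_context(session)
    if score >= DENY_THRESHOLD:
        return Decision("deny", score, reasons)

    # 4. Destination ownership must be proven independently; if not, hold, never auto-approve.
    if not change.recipient_ownership_verified:
        reasons.append("recipient account ownership not verified")
        return Decision("hold", score, reasons)

    if score >= HOLD_THRESHOLD:
        return Decision("hold", score, reasons)
    return Decision("approve", score, reasons)


def audit_record(change: PayoutChange, decision: Decision, now: datetime) -> str:
    """One JSON line per decision, so every payout change is reviewable afterwards."""
    return json.dumps({
        "ts": now.isoformat(),
        "user_id": change.user_id,
        "source_system": change.source_system,
        "new_account_ref": change.new_account_ref,
        "outcome": decision.outcome,
        "risk_score": decision.risk_score,
        "reasons": decision.reasons,
    })


if __name__ == "__main__":
    # Constructed sample: a password-only session (no step-up) tries to change payroll details.
    now = datetime(2025, 8, 26, 12, 0, tzinfo=timezone.utc)
    session = Session("u1001", None, True, True, False)
    change = PayoutChange("u1001", "payroll", "acct-ref-7f3a", True)
    print(audit_record(change, evaluate_payout_change(change, session, now), now))
```

Order matters here: the subject check and the freshness of the step-up are evaluated before any risk scoring, and an unverified destination account can only ever place a request on hold, never approve it. Because every portal calls the same score_context, a bursar change and a payroll change raised from the same compromised session receive identical scores, which is the unified-signals point above expressed as code.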

Key takeaways

  • Direct deposit fraud succeeds when institutions mistake credential possession for identity ownership.
  • The scale of the loss is amplified by fragmented campus systems and low-friction self-service changes.
  • The control that matters most is step-up verification at the exact moment payment details are altered.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework                     | Control / Reference | Relevance
NIST SP 800-63                |                     | Bank-detail changes require stronger identity proof than a password alone.
NIST Zero Trust (SP 800-207)  | PR.AC-4             | Context-aware access decisions fit transaction-level verification for sensitive changes.
NIST CSF 2.0                  | PR.AC-1             | Accountability and access control both matter when fraud uses valid credentials.

Assign clear ownership for payout changes and review them under formal access governance.


Key terms

  • Direct Deposit Fraud: A form of account takeover where an attacker changes the destination of salary, stipend, or refund payments to an account they control. The fraud succeeds by abusing trusted self-service workflows and weak identity verification at the moment of change.
  • Identity Assurance: The degree of confidence an organisation has that a person is who they claim to be at a specific point in a workflow. In high-risk financial changes, assurance must be higher than a simple login event because the consequences of impersonation are immediate.
  • Step-Up Verification: An additional identity check triggered when a request is unusually sensitive, risky, or out of pattern. It is used to re-confirm the user before approving actions like bank-detail changes, reducing the chance that a stolen session can be turned into fraud.
  • Self-Service Account Change: A workflow that lets users update their own personal or payment details without manual intervention. These workflows improve convenience, but they become a security problem when they do not verify the person, the account, and the context before accepting changes.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance maturity, it is worth exploring.

This post draws on content published by 1Kosmos: direct deposit fraud in universities and the identity checks needed to stop it. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org