Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Direct deposit fraud on campus: what identity teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: University payroll and refund fraud succeeds when stolen credentials are treated as proof of ownership, allowing attackers to reroute deposits through self-service portals, according to 1Kosmos. The real failure is not payment processing, but identity verification at the moment sensitive account changes occur.

NHIMG editorial — based on content published by 1Kosmos: direct deposit fraud in universities and the identity checks needed to stop it

By the numbers:

  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.

Questions worth separating out

Q: How should universities stop direct deposit fraud when credentials are stolen?

A: Universities should require step-up identity verification at the point where bank details change, not only at login.

Q: Why do self-service payroll portals create fraud risk?

A: Self-service portals create fraud risk when they treat session access as authority to change payment destinations.

Q: What do institutions get wrong about direct deposit changes?

A: They often treat bank-detail updates as administrative tasks instead of high-risk identity events.

Practitioner guidance

  • Treat bank-detail changes as high-risk identity events Require step-up identity verification before any direct deposit or refund routing change is accepted.
  • Verify the recipient account independently Confirm that the destination bank account is owned by the verified user before any payroll or refund switch is approved.
  • Trigger risk checks on context shifts Score requests more aggressively when they come from a new device, unusual location, or recently compromised account.

What's in the full article

1Kosmos's full article covers the operational detail this post intentionally leaves for the source:

  • The step-by-step identity verification flow for bank-account changes, including person checks and account ownership validation.
  • The practical deployment pattern for step-up checks at the exact moment a payroll or refund destination is modified.
  • The risk-based decision logic for treating new devices and unusual locations as triggers for stronger verification.
  • The implementation context for universities that need to fit these controls into existing HR, payroll, and self-service portals.

👉 Read 1Kosmos's analysis of direct deposit fraud and campus identity checks →

Direct deposit fraud on campus: what identity teams are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Credential possession is not identity ownership: This fraud works because too many institutions still treat password success as proof of rightful account control. That assumption was designed for low-risk access, not for changing where money is sent. Once credentials are compromised, the institution has no assurance that the actor making the request is the genuine account owner. The implication is that payout changes need stronger identity assurance than sign-in alone can provide.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to GitGuardian & CyberArk.

A question worth separating out:

Q: Who is accountable when payroll fraud succeeds through a compromised account?

A: Accountability usually spans IAM, payroll operations, and the business owner of the payout process. If the institution does not define ownership for bank-detail changes, the gap between identity control and payment control becomes the attacker's advantage. Clear control ownership and audit trails are essential for review and remediation.

👉 Read our full editorial: Direct deposit fraud exposes the campus identity trust gap



   
ReplyQuote
Share: