TL;DR: University payroll and refund fraud succeeds when stolen credentials are treated as proof of ownership, allowing attackers to reroute deposits through self-service portals, according to 1Kosmos. The real failure is not payment processing, but identity verification at the moment sensitive account changes occur.
NHIMG editorial — based on content published by 1Kosmos: direct deposit fraud in universities and the identity checks needed to stop it
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: How should universities stop direct deposit fraud when credentials are stolen?
A: Universities should require step-up identity verification at the point where bank details change, not only at login.
Q: Why do self-service payroll portals create fraud risk?
A: Self-service portals create fraud risk when they treat session access as authority to change payment destinations.
Q: What do institutions get wrong about direct deposit changes?
A: They often treat bank-detail updates as administrative tasks instead of high-risk identity events.
Practitioner guidance
- Treat bank-detail changes as high-risk identity events: require step-up identity verification before any direct deposit or refund routing change is accepted.
- Verify the recipient account independently: confirm that the destination bank account is owned by the verified user before any payroll or refund switch is approved.
- Trigger risk checks on context shifts: score requests more aggressively when they come from a new device, unusual location, or recently compromised account.
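A worked example of the three guidance points above, added here as illustration and not code from 1Kosmos or NHIMG: a small policy function that never treats a live session as authority to change a deposit destination, raises the required assurance level when the request comes from a new device, unusual location or recently compromised account, and refuses the change until the destination account's ownership has been confirmed. The assurance level names, risk weights and threshold are assumptions.

```python
from dataclasses import dataclass
from enum import Enum, IntEnum


class Assurance(IntEnum):
    """Strongest verification completed for THIS request (assumed level names)."""
    SESSION = 0         # logged-in session: proves credential possession, not identity
    MFA = 1             # fresh second factor presented for this change
    IDENTITY_PROOF = 2  # identity re-verified (e.g. document + liveness check)


class Decision(Enum):
    APPROVE = "approve"
    STEP_UP = "step_up_required"
    DENY = "deny"


@dataclass(frozen=True)
class DepositChangeRequest:
    user_id: str
    new_device: bool                # device not previously seen for this user
    unusual_location: bool          # location outside the user's normal pattern
    recently_compromised: bool      # account flagged in a recent credential incident
    assurance: Assurance            # verification actually completed for this request
    ownership_verified: bool        # destination account confirmed as owned by user_id


# Constructed weights and threshold; a real deployment tunes these to its own data.
RISK_WEIGHTS = {"new_device": 40, "unusual_location": 30, "recently_compromised": 60}
STRONG_VERIFY_THRESHOLD = 50


def risk_score(req: DepositChangeRequest) -> int:
    """Context shifts add to the score; several at once add up."""
    score = 0
    if req.new_device:
        score += RISK_WEIGHTS["new_device"]
    if req.unusual_location:
        score += RISK_WEIGHTS["unusual_location"]
    if req.recently_compromised:
        score += RISK_WEIGHTS["recently_compromised"]
    return score


def required_assurance(req: DepositChangeRequest) -> Assurance:
    """A bank-detail change is always a high-risk identity event: the baseline is MFA,
    never the session alone; risky context raises it to full identity proofing."""
    if risk_score(req) >= STRONG_VERIFY_THRESHOLD:
        return Assurance.IDENTITY_PROOF
    return Assurance.MFA


def decide(req: DepositChangeRequest) -> tuple[Decision, str]:
    """Order matters: prove the person first, then prove they own the destination."""
    needed = required_assurance(req)
    if req.assurance < needed:
        return Decision.STEP_UP, f"need {needed.name}, have {req.assurance.name}"
    if not req.ownership_verified:
        return Decision.DENY, "destination account not confirmed as owned by the user"
    return Decision.APPROVE, "identity and account ownership verified"
```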
What's in the full article
1Kosmos's full article covers the operational detail this post intentionally leaves for the source:
- The step-by-step identity verification flow for bank-account changes, including person checks and account ownership validation.
- The practical deployment pattern for step-up checks at the exact moment a payroll or refund destination is modified.
- The risk-based decision logic for treating new devices and unusual locations as triggers for stronger verification.
- The implementation context for universities that need to fit these controls into existing HR, payroll, and self-service portals.
Read 1Kosmos's analysis of direct deposit fraud and campus identity checks: "Direct deposit fraud on campus: what identity teams are missing?"