Payroll diversion tactics attributed to the Chiffon Herring group

September 23, 2022

A newly discovered threat group called Chiffon Herring has been linked to a Business Email Compromise (BEC) scam campaign that targets academic institutions. The report shows that the group employs a new payroll diversion attack to target its victims.

Researchers stated that the group is relatively new to the cybercriminal landscape, having started operating only last March. Its primary targets are local school districts and college-level academic institutions in the United States.

In addition, separate researchers claimed that these new scammers are likely based on the African continent, especially in South Africa and Nigeria.


The Chiffon Herring group follows a standard method of diverting funds.


Recent threat analysis revealed that the main structure of a Chiffon Herring campaign is identical to the standard payroll diversion attacks used by other threat actors.

To start the attack, the adversaries impersonate non-executive employees, such as professors or instructors, and send emails to the department head at a university office or to staff at a targeted school district.

The email claims that the impersonated professor recently changed their bank account and needs to update their direct deposit information. To create urgency for the payroll provider, it also states that the spoofed individual's old account will be deactivated by the bank before the next salary is paid.

Hence, the salary provider will likely transfer the payroll to the bank account controlled by the scammers.

In addition to spoofing teacher email addresses, the analysis reveals that Chiffon Herring leverages GoDaddy infrastructure to send its BEC attacks.

Chiffon Herring supplies banking information for accounts at Green Dot Bank to receive the redirected funds. Green Dot Bank accounts are easy to access and are mostly connected to prepaid cards.

The prepaid cards usually utilised in payroll diversion attacks receive deposits two days before payday, so the threat actors have easy access to the diverted funds for multiple days. The scammers can therefore acquire the funds before their target knows that the money is missing.

For now, human resources and finance administrators should be well educated and trained to spot the signs of phishing campaigns, so that salaries are protected from payroll diversion attacks.
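The traits described above (a bank-change request, invented urgency, a display name that does not match the employee's real address, a hosting-provider relay and a prepaid-card bank) can be turned into a mail triage check. The following is an added example, not code from the report or the researchers; the staff directory, the sample message and the `secureserver.net` relay hint are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: every name, address and host here is invented.
SAMPLE = """\
Received: from relay.secureserver.net (relay.secureserver.net [192.0.2.10])
From: "Dr. Jane Doe" <jane.doe.faculty@mailbox.example>
To: payroll@university.example
Subject: Direct deposit update

I recently changed my bank account and need to update my direct deposit
information. My old account will be deactivated before the next payday.
New bank: Green Dot Bank.
"""

STAFF = {"jane doe": "jdoe@university.example"}  # hypothetical staff directory

def score_payroll_request(raw, staff=STAFF, relay_hint="secureserver.net"):
    """Return (verdict, findings) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    # Undecoded text of all leaf parts; enough for plain-text requests.
    body = " ".join(str(p.get_payload()) for p in msg.walk() if not p.is_multipart())
    text = f"{msg.get('Subject', '')} {body}".lower()
    findings = []
    if re.search(r"direct deposit|bank account", text):
        findings.append("bank-change-request")
    if re.search(r"deactivat|before (the|my) next|urgent", text):
        findings.append("urgency")
    # Display name belongs to a known employee but the address is not theirs.
    key = re.sub(r"^(dr|prof|mr|mrs|ms)\.?\s+", "", name.strip().lower())
    if key in staff and addr.lower() != staff[key]:
        findings.append("display-name-mismatch")
    # Assumption (not from the article): GoDaddy-hosted mail relays through
    # secureserver.net hosts. Only Received lines added by your own MTA are trustworthy.
    if any(relay_hint in r.lower() for r in msg.get_all("Received", [])):
        findings.append("hosting-relay")
    if "green dot" in text:
        findings.append("prepaid-bank")
    # A bank change plus any corroborating signal is held for a phone callback.
    if "bank-change-request" in findings and len(findings) > 1:
        return "hold-for-callback", findings
    return ("review" if findings else "deliver"), findings

if __name__ == "__main__":
    print(score_payroll_request(SAMPLE))
```

Even a request that only reaches `review` should be confirmed with the employee through a phone number already on file rather than by replying to the email.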
