Payroll-Related Phishing Emails Circulating Across New Jersey

Seton Hall’s Department of Information Technology is alerting the University community to an emerging phishing campaign that impersonates employee compensation or payroll communications. According to the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC),   these messages often claim to include updated compensation records or salary adjustments in order to create urgency and prompt immediate action. While the emails may appear legitimate, they are designed to trick recipients into revealing sensitive login information.

The fraudulent messages typically include an attachment, such as a PDF or email file, that contains a QR code. When scanned, the QR code redirects users to a counterfeit Microsoft 365, OneDrive or DocuSign login page hosted on a malicious website. These pages are designed to capture usernames, passwords and in some cases multi-factor authentication tokens. Some campaigns use advanced techniques, including adversary-in-the-middle methods, to intercept login sessions and gain unauthorized access to accounts even after multi-factor authentication is completed.

Why This Matters for the University Community 

Phishing campaigns like this one are increasingly common across New Jersey organizations, including institutions of higher education. While this campaign primarily targets employees through compensation-related messaging, the techniques used, such as QR codes and counterfeit login pages, are frequently adapted to target a broader audience.

It's important to remember that legitimate Seton Hall and Microsoft 365 login pages will always use official domains such as shu.edu or microsoft.com. Users are strongly encouraged to verify website addresses carefully and to avoid scanning QR codes from unexpected or unsolicited messages. Compromised credentials can lead to unauthorized access to email accounts, financial information, academic records and other University systems.

Stay Informed to Stay Protected 

Payroll-related phishing emails often rely on urgency and familiarity to prompt quick action. Messages may reference compensation updates or financial documents and attempt to direct users to verify or review information. These tactics are designed to appear routine while leading to credential theft.

Be cautious of emails that:

• Reference compensation, payroll updates or unexpected financial documents
• Include attachments or QR codes prompting you to view or verify information
• Request login credentials or direct you to sign in through embedded links
• Come from unfamiliar or slightly altered email addresses
• Contain links or login pages that do not match official University or vendor domains

To reduce risk, avoid interacting with suspicious links, attachments or QR codes. Instead, navigate directly to official websites by typing the web address into your browser. Unexpected messages should be verified through trusted University channels. Using multi-factor authentication (MFA) on all accounts adds an additional layer of protection. 

Reporting and Getting Help at Seton Hall 

Seton Hall encourages all members of the University community to report suspicious messages. Early reporting helps protect both individual accounts and University systems.

If you receive a suspicious email:

• Use Outlook’s Report Phishing feature
• Delete the message after reporting
• Do not reply to or interact with the sender

If you believe your credentials may have been compromised, immediate action is critical. Change your password right away and contact the Technology Service Desk so University IT Security can begin an investigation. Monitor your accounts closely for unusual activity to help prevent further compromise.

Categories: Science and Technology