Phishing attacks targeting HR and payroll platforms have become more targeted and more convincing. The threat isn't just the classic credential-stealing email. Attackers are now building fake login pages that look identical to legitimate HCM platforms, then paying to place them at the top of Google search results as ads.
The result: an employee searches for their payroll login, clicks the top result, enters their credentials on a fake site, and their next paycheck gets redirected to an account they've never heard of.
According to the FBI's Internet Crime Complaint Center, Business Email Compromise (BEC) attacks — which include payroll diversion fraud — generated $3.046 billion in reported losses in 2025.
The good news is that the countermeasures are straightforward. The key is that they need to be in place before an incident, not after.
Note: This information is for informational purposes only and does not constitute formal tax, legal, or compliance advice. Always consult with qualified tax advisors, legal counsel, and your organization’s internal teams for guidance specific to your situation. Additional regulations may apply. For the most accurate and up-to-date information, refer to official government resources and regulatory agencies.
Understanding the attack pattern is the fastest way to shut it down. Here's how a typical credential-redirect scam unfolds:
An employee searches for their payroll or HR login on Google, or clicks a link in an unsolicited email or text.
A fake site, built to look identical to the real login page, captures their username and password the moment they type it.
The attacker also captures the employee's two-factor authentication (2FA) code in real time. 2FA adds a layer of protection, but it does not stop a fake site that is designed to harvest the code as it's entered.
With valid credentials in hand, the attacker logs into the real platform and changes the employee's direct deposit information before the employee notices anything is wrong.
Important: 2FA codes are captured by fake sites in real time. 2FA alone is not sufficient protection. Always pair it with URL verification — confirm the address bar shows the correct domain before entering any credentials.
Common signs of a fake login URL include subtle misspellings, extra characters, or hyphens inserted into the domain name. Examples of fake domains used in past incidents include greenshades-login.com, gr33nshades.com, and greenshadeonline.com. The real Greenshades login is always at greenshadesonline.com.
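The signs listed above can be checked mechanically, for example over URLs pulled from a mail gateway or web proxy log. The following is an added example, not code from Greenshades or from the original article; the digit-for-letter map and the edit-distance threshold of 2 are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

OFFICIAL = "greenshadesonline.com"        # the real login domain stated above
BRAND = "greenshades"                     # brand token, catches "extra word" domains
LEET = str.maketrans("01345$", "oieass")  # assumption: common character substitutions

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return 'official', 'lookalike' or 'unrelated' for a URL or bare hostname."""
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    # Only the exact domain or one of its subdomains counts as official.
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official"
    official_label = OFFICIAL.split(".")[0]
    # Undo character substitutions and inserted hyphens before comparing.
    labels = [l.translate(LEET).replace("-", "") for l in host.split(".")]
    for label in labels:
        if BRAND in label or edit_distance(label, official_label) <= 2:
            return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    for u in ["https://greenshadesonline.com/login", "greenshades-login.com",
              "gr33nshades.com", "greenshadeonline.com", "https://example.org/"]:
        print(f"{classify(u):10} {u}")
```

Every label of the hostname is checked, so a brand name placed in a subdomain of an unrelated domain is also reported as a lookalike.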
Several platform-level security controls, common in all payroll systems, can reduce exposure when configured correctly.
MFA is available and should be enabled for all users. It adds a required second step at login. As noted above, MFA codes can be captured by a well-designed fake site in real time, which is why URL verification is still essential. However, MFA remains an important layer of protection against credential reuse and unrelated attacks.
After a configurable number of failed login attempts, have your system automatically lock an account. The recommended setting is three attempts, with a 30-minute lockout. This limits brute-force attempts and buys time for administrators to respond.
This setting controls whether employees can change the email address associated with their account. Enabling restrictions prevents an attacker from redirecting account notifications to an address they control.
Administrators can set direct deposit to view-only for employees, removing the ability for anyone logged into the employee portal to change banking information without admin approval. This is one of the most effective controls available — if an attacker can't change the deposit destination, the paycheck redirect fails.
While Greenshades can't control how users access the platform or what they do with their credentials, our team continuously works to provide robust security features:
We also actively monitor for and report fraudulent websites impersonating Greenshades, working to have them removed as quickly as possible.
If you haven't reviewed your account security settings recently, now is the right time. If you use Greenshades, these settings live under Employee Access > Account Security in your Greenshades workspace.
Admin security checklist:
Most paycheck redirect scams succeed because employees don't know the attack exists. Sharing a short, clear message with your team is one of the highest-impact steps you can take.
The core message for employees:
If you suspect an employee's account has been compromised, act on all of the following steps without waiting for confirmation.
Have the employee change their password immediately — on the real site, not from a link in any email.
Verify the employee's direct deposit information has not been changed. If it has, flag it immediately — payroll may need to be held or rerouted.
Pull a report of all recent direct deposit changes across all accounts. When one account is affected, others may be too.
Review and apply the account security settings above if they are not already configured.
If you are a Greenshades client, contact Support with the employee's ID, email address, and the date and time of the suspected unauthorized access.
Early action limits exposure. Greenshades Support will engage the appropriate teams on your behalf.
Questions or suspected unauthorized access? Contact Greenshades Support immediately. Early action limits exposure.
Not on its own. 2FA is an important layer of protection, but sophisticated fake login pages can capture a 2FA code in real time and use it before it expires. Always verify the URL of the login page before entering any credentials — including your 2FA code. Bookmark the official login page and use only that.
Attackers use compromised Google Ads accounts to purchase ad placements for targeted search terms like "Greenshades login" or "employee payroll portal." The ads appear above organic results and look like any other paid listing. The safest approach is to never click on search ads to access a login page — always use a bookmark or type the URL directly.
The correct URL is greenshadesonline.com. Before logging in, verify the address bar shows this exact domain — no hyphens, extra words, or character substitutions. If you are unsure, contact your HR or payroll administrator for the correct bookmarked link.
Contact HR or Payroll immediately and change your password on the real Greenshades site right away. Verify your direct deposit information has not been changed. If you used the same password elsewhere, change it on those accounts too. Do not wait — every minute between the compromise and your response matters.
At minimum, review direct deposit changes before each payroll run. If your organization has experienced any security incidents or elevated phishing activity, pull the report immediately and look for any changes that employees did not initiate.
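The report review described here and in the incident steps above ("pull a report of all recent direct deposit changes across all accounts") can be partly automated. The following is an added example, not Greenshades code and not from the original article; the export layout, column names and event types are hypothetical, and the sample rows are constructed. It flags deposit changes that follow an email address change on the same account and destinations shared by more than one employee.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Column names, event types and the masked
# destination format are hypothetical, not a real product's report layout.
SAMPLE = """timestamp,employee_id,event,detail
2025-03-03T09:12:00,E1001,email_change,j.doe@mail.example
2025-03-03T09:20:00,E1001,dd_change,ROUTING-A:****4417
2025-03-03T14:02:00,E1042,dd_change,ROUTING-A:****4417
2025-03-04T10:30:00,E1077,dd_change,ROUTING-B:****9920
"""

def triage(export_text, window=timedelta(hours=24)):
    """Map employee_id -> sorted list of reasons a deposit change needs review."""
    rows = sorted(csv.DictReader(io.StringIO(export_text)),
                  key=lambda r: r["timestamp"])  # ISO timestamps sort as text
    last_email_change = {}
    by_destination = defaultdict(set)
    findings = defaultdict(set)
    for r in rows:
        ts = datetime.fromisoformat(r["timestamp"])
        emp = r["employee_id"]
        if r["event"] == "email_change":
            last_email_change[emp] = ts
        elif r["event"] == "dd_change":
            by_destination[r["detail"]].add(emp)
            prior = last_email_change.get(emp)
            # A notification address changed shortly before the bank details.
            if prior is not None and ts - prior <= window:
                findings[emp].add("deposit change after email change")
    # One destination account on several employees: one incident may be many.
    for emps in by_destination.values():
        if len(emps) > 1:
            for emp in emps:
                findings[emp].add("destination shared with other employees")
    return {emp: sorted(reasons) for emp, reasons in findings.items()}

if __name__ == "__main__":
    for emp, reasons in sorted(triage(SAMPLE).items()):
        print(emp, "->", "; ".join(reasons))
```

Flagged accounts still need confirmation with the employee through a known-good channel before payroll is released.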