The NJCCIC received multiple reports of a payroll phishing campaign targeting New Jersey school districts. The subject line references a payroll increment project or direct deposit notice. Threat actors impersonate the superintendent or an administrator by compromising their account or spoofing the target organization’s domain to appear legitimate.

The urgent emails claim to require district staff to fill out a payroll form as part of the payroll project or a mandatory process by clicking on the “CLICK HERE TO REVIEW” link. If clicked, targets are directed to a phishing site to steal sensitive information such as account credentials. Although NJ school districts are being targeted, all organizations, regardless of sector, should remain vigilant.

Recommendations

  • Refrain from responding to messages, clicking links, and opening attachments from unknown senders, and exercise caution with emails from known senders.
  • If correspondence contains changes to payroll or bank information or is otherwise urgent or suspicious, contact the sender via a separate means of communication—by phone using contact information obtained from official sources or in person—before taking action.
  • Implement security controls that help prevent account compromise, including establishing strong passwords and enabling multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes.
  • Organizations are advised to implement strict verification processes and procedures to prevent unauthorized direct deposit changes, such as requiring direct deposit forms accompanied by a voided check or bank encoding form, verbal or in-person agreement from the requesting employee, and multiple approvals for the change request.
  • If funds are unintentionally wired to a fraudulent account, immediately notify a supervisor, the banking institution, the FBI, and the US Secret Service so that attempts can be made to stop the wire transfer. Unless the fraudulent transaction is discovered quickly (typically within 48 hours), it can be difficult, if not impossible, to return the stolen funds.
  • If personally identifiable information (PII) has been compromised, review the Identity Theft and Compromised PII NJCCIC product for additional recommendations and resources.

Reported in the NJCCIC Weekly Bulletin, Jan. 22, 2026