The specific threat model for payroll platforms

Payroll fintech has a threat model that is distinct from payment gateways or wallets. The data stored is not just financial — it is the complete employment and compensation record of every employee at every client company. An attacker who compromises a payroll platform's database does not just steal account numbers. They obtain salary amounts, job titles, employer names, tax information, BVN records, and employment history. This data is immediately monetizable in social engineering attacks, loan fraud, and identity theft.

The transactional risk is equally severe. Payroll runs are scheduled, high-volume, and processed in batch. A single manipulated payroll run for a large employer can redirect hundreds of salary payments to attacker-controlled accounts before the first employee reports non-payment. The NIP transfer settlement is near-instant. Recovery requires each bank individually to cooperate on a reversal — a process that typically takes three to five business days.

1. Payroll run authorization and bulk disbursement injection

The highest-risk endpoint on any payroll platform is the one that initiates a bulk disbursement — the API call that instructs the banking partner to send salary payments to a list of employees. We test whether this endpoint enforces multi-factor authorization, whether it validates the total disbursement amount against a pre-approved payroll run, and whether individual bank account numbers in the disbursement list are verified against the records that were confirmed during the employee onboarding — not against client-submitted data at the time of the run.

The attack we simulate: a payroll administrator account is compromised. The attacker modifies three bank account numbers in the employee records 48 hours before the scheduled run. On payroll day, the bulk disbursement goes out. Three employees receive nothing. Three attacker-controlled accounts receive three employees' full monthly salary. By the time the employees call HR, the attacker has already moved the funds.

2. Employee salary record access control

Payroll platforms typically have three user roles: super-admin, company HR admin, and employee self-service. We test the authorization boundaries between these roles rigorously. Common findings include: HR admins at one client company being able to query employee records at another client company by manipulating the company ID parameter, employees being able to view the salary amounts of colleagues by incrementing the employee ID in a self-service API call, and super-admin endpoints being accessible to company-level admin accounts by removing a role check in the middleware chain.

3. Earned wage access salary verification binding

Earned wage access products extend credit against verified salary. The binding between the employer-reported salary figure and the EWA disbursement limit is the critical security control. We test whether an attacker who controls an employer admin account can inflate an employee's reported salary figure in the employer portal, then immediately use the employee's self-service app to request a withdrawal based on the inflated salary. The salary figure must be locked at the point of employer verification and must not be modifiable by any party during an active EWA period without triggering a re-verification workflow.

4. Payslip and payroll document access

Payroll platforms generate payslips, tax certificates, and employment confirmation letters. These documents are used by employees to apply for loans, visas, and tenancy agreements. We test whether payslip download URLs contain predictable identifiers that allow one employee to download another employee's payslip, whether generated documents can be retrieved without authentication, and whether the document generation endpoint validates that the requesting user is the named employee on the document.

5. Bank account change workflow security

Every payroll platform has a process for employees to update their bank account number. This workflow is a social engineering target — attackers call HR support impersonating employees and request account changes verbally. We audit the technical controls on the bank account change endpoint: does it require re-authentication, does it notify the old account holder via a secondary channel, is there a mandatory cooling period before the new account receives disbursements, and does it validate that the new account name matches the employee's verified BVN name?

Real finding from a payroll platform engagement

Cross-company employee record access via company ID parameter manipulation

During a penetration test of a Nigerian payroll SaaS platform, we logged in as the HR admin of one client company and called the employee listing API with the company ID parameter changed to the ID of a different client company. The endpoint returned the complete employee list of the second company — names, BVN, salary amounts, and bank account numbers — without any error. The platform served hundreds of client companies through the same multi-tenant backend. Every client company's payroll data was accessible to every other client company's admin account. Fix priority: critical. Remediated by adding tenant isolation middleware that validates the company ID in every request against the authenticated user's organization claim before any database query executes.

Running a payroll or earned wage access platform in Nigeria? Book a security assessment that covers the full disbursement chain.

Book a Payroll Platform Pentest

Frequently asked questions

What makes payroll fintech a high-value target for attackers?

Payroll platforms hold the complete financial profile of every employee at every client company: BVN, bank account number, salary amount, employer name, employment status, and tax information. A single breach of a payroll fintech serving 500 companies exposes hundreds of thousands of complete financial identity records — more valuable than a credit card dump because the data is current and verified.

How do attackers manipulate payroll run disbursements?

The most common attack pattern is compromising a payroll administrator account, modifying a small number of bank account numbers in the employee database to attacker-controlled accounts before a payroll run, and then reverting the changes after disbursement. The modification is small enough that automated reconciliation may not flag it immediately, and the attacker receives salaries for employees who will only report non-payment on payday.

What is earned wage access fraud?

Earned wage access (EWA) platforms allow employees to withdraw a portion of their earned salary before payday. Fraud occurs when attackers create synthetic employee records or manipulate the employer-verified salary figure upward before requesting a withdrawal. We test the salary verification binding between the employer API and the EWA disbursement API.

Related reading

Blog: BOLA in financial APIs · Name enquiry binding exploits · Insider threats in Nigerian fintechs

Services: Penetration testing · API security