A new phishing scam is making the rounds within businesses. It threatens to expose the private and personal details of those who fall victim to it, and could potentially cost companies a fortune.
Potential victims receive an email that claims to be from the company's HR department, requesting that an appraisal form be filled in. In actual fact, the details the user enters, including company passwords, are sent straight to the scammer.
The knock-on effect could have disastrous implications for a business. We take a look at how to recognise and avoid the scam.
How the HR Email Scam Works
Phishing emails are almost as old as the internet itself, yet you can always rely on some scammer to dream up a new twist on them. All phishing emails work the same way: they masquerade as an official communication that drops into your inbox. Because the email appears to come from a trusted source, the recipient may readily click on it and is usually whisked to an external site where they are asked to enter personal details such as passwords and banking information.
According to Kaspersky, who have highlighted this new scam, this one works in a similar vein. But what's particularly risky is how it targets company employees.
The email purports to be from human resources or a similar department within the company, and asks users to submit an appraisal form. The email includes a link to this form; should the recipient click on it and fill it in, the form harvests the user's username and password, which scammers can then use to access the company's private data. They may also be able to access the user's other personal accounts if the same password is reused on other sites – a distressingly common practice.
The page that the email links to is surprisingly bare bones, as you can see from the screen grab below. While typical phishing pages go out of their way to replicate the look of a banking or social media site, mirroring them identically, the primitive look of this back-end-style company portal could well work in its favour, adding to the air of legitimacy, as most company intranet sites are relatively basic.
The effect of the scammer getting hold of this information could be disastrous for the company and the individual alike. Exposure of sensitive corporate information, along with access to financial and personal records, could deal a huge blow to a company, large or small. The scammer may even use this information as leverage in blackmail negotiations, or could lock up internal systems.
How to Avoid the Scam
There are a few key ways to protect yourself from falling foul of this scam:
- Check a link before clicking on it – Whenever you are prompted to click on a link, be vigilant. Hover over the link and check the URL – does it seem legitimate? Is it one you recognise? If not, don't click on it, and report the email to your IT department.
- Check the email address – Double check where the email has come from. Not just the name of the sender, which is easy to fake, but the actual email address itself. Has it come from inside the company?
- Don't act too soon – Many scams get us to make a bad decision by pressuring us to act quickly. In the case of this scam, most employees will want to be seen to fill in an appraisal form promptly, and they may also think that it is linked to a pay rise, another reason to get it done sooner rather than later. Don't jump in. Think it through first.
- Use a password manager – Password managers remember all your login details, saving you the hassle of juggling multiple passwords at once. There are two upsides to this. Firstly, you won't reuse your passwords across various sites, leaving them all vulnerable. Secondly, when a phisher tries to get you to log into a dubious site, your password manager won't auto-fill the fields, because the site's address doesn't match the one it has saved. This should set off alarm bells.
- Invest in performance management software – To stop employees falling for suspicious links, provide them with professional and reliable performance management software. Having a dependable central point for such tasks will make employees much more suspicious of strange links they don't recognise, or unprofessional-looking HR portals.
- Tell others – As well as reporting suspicious emails to IT, tell your colleagues, too. They might not be as savvy, and could click on a link before IT have had a chance to send a company-wide warning.
- Update your security software – This one is more for company owners, but if emails like this are making it through security systems, make sure those systems are up to date, and of course blacklist the originating email address.
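The first three checks above (the real sender address, where a link actually points versus what its text shows, and urgency wording) can be applied automatically to an incoming message. The following is an added example written for this article, not code from the article or from Kaspersky; the company domain, trusted portal hosts, and the sample message are all constructed for the demonstration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed values (not from the article): the company's mail domain and the
# hosts its genuine HR/intranet portal lives on.
COMPANY_DOMAIN = "example-corp.com"
TRUSTED_HOSTS = {"hr.example-corp.com", "intranet.example-corp.com"}
URGENCY_WORDS = ("immediately", "urgent", "today")
# Simple pattern for <a href="...">text</a>; enough for the HTML mail bodies here.
LINK_RE = re.compile(r'<a\b[^>]*\bhref="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def check_hr_email(raw):
    """Return a list of warning strings for one raw RFC 5322 message ([] = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    # Judge the real address, not the display name, which is trivial to fake.
    name, addr = parseaddr(msg.get("From", ""))
    if addr.rpartition("@")[2].lower() != COMPANY_DOMAIN:
        warnings.append(f"sender {addr!r} (shown as {name!r}) is outside {COMPANY_DOMAIN}")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    # The "hover over the link" check: where the href really goes vs. what the text claims.
    for href, text in LINK_RE.findall(html):
        host = (urlparse(href).hostname or "").lower()
        shown = (urlparse(text.strip()).hostname or "").lower()
        if host not in TRUSTED_HOSTS:
            warnings.append(f"link points to untrusted host {host!r}")
        if shown and shown != host:
            warnings.append(f"link text shows {shown!r} but points to {host!r}")
    # Pressure to act fast is the scam's lever; flag the wording.
    haystack = (msg.get("Subject", "") + " " + html).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        warnings.append("urgency wording: " + ", ".join(hits))
    return warnings


# Constructed sample message for the demonstration, not a real campaign email.
SAMPLE = """\
From: "HR Department" <appraisals@example-corp-forms.net>
Subject: Action required: complete your appraisal form today
Content-Type: text/html; charset="utf-8"

<p>Please complete your appraisal form immediately.</p>
<p><a href="http://example-corp-forms.net/portal/login">https://intranet.example-corp.com/appraisal</a></p>
"""
```

Running `check_hr_email(SAMPLE)` produces four warnings: an external sender, a link to an untrusted host, link text that shows the intranet address while pointing elsewhere, and urgency wording in both subject and body.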