Fake HR E-Mails Being Used to Steal Employee Passwords

How many emails do your employees get a month from someone in human resources? And just how many of your employees would think twice about sharing some information with HR over the secure email system? But it’s this absolute trust and complacency that many phishing scams feed off of.

It’s those automatic things we do without thinking that can hurt us the most. And that’s what’s so scary about branded phishing campaigns.

Nick Allo, an IT support professional with SemTech IT Solutions in Orlando, shares information on how some Florida firms are becoming victims of this latest cybercrime tactic.

Fake HR Tempts Employees with Pay Raise Information

It all starts with an email that your employee receives in between the one from his manager asking if he’s finished that report she requested and the one from his co-worker four cubes down wondering if he’s got plans for lunch.

The “from” line has the company name just like the others. He has no reason to click that line to reveal that it’s not actually coming from a company email address.

The email, which appears to be coming from HR, reads: “As already announced, The Years Wage increase will start in November 2019 and will be paid out for the first time in December, with recalculation as of November.”

It invites the employee to click on a spreadsheet called salary-increase-sheet-November-2019.xls to view the information.

But when they click on what looks like a spreadsheet, it sends them to a web page to log into their Microsoft 365 account. The page looks exactly like the login screen, so they think nothing of logging in to view the spreadsheet.

It all happens within a few seconds on a busy day.

They get the email, skim it, click and log in to the spoof site. A phishing scammer now has their Microsoft Office 365 password, which in many companies could open up endless amounts of secure data. On top of that, if this employee is like the many who reuse passwords across many accounts, this phishing campaign may have given hackers access to much more.

If you later asked this employee if anything odd happened, they probably wouldn’t even recall the event. It fit naturally into their day.

But they just experienced a Microsoft Office 365 phishing campaign, one of many highly clever, branded phishing scams that turn our trust of certain people (like an HR rep) or companies (like Microsoft) against us.

Password security is only as strong as our ability to ward off attacks like this.

How to Protect Yourself Against Branded Phishing Scams

First of all, know that you won’t be able to stop 100% of these attacks. Phishing campaigns hit many employees over a long period. It happens in seconds. Someone is going to fall for it.

For companies, the odds are not in our favor. So we need a comprehensive cybersecurity strategy to maintain password security and battle phishing campaigns. This includes things like:

  1. Investing in a strong spam filter. Modern filters use an algorithm to spot likely phishing emails. The fewer of these emails the employee sees, the better.
  2. Making sure your malware and firewall protections are strong and up-to-date. These can block many known infections that may come in through email.
  3. Monitoring for phishing campaigns against your business both with technology and by calling on employees to inform you immediately if they get a phishing email.
  4. Educating your employees about what scams look like and how they use trust to trick you into clicking.
  5. Having a strong password policy and monitoring that it is followed.
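As an added example (not from the article or from SemTech), the following Python triage check flags the two traits of the lure described above: a "From" display name that carries the company brand while the actual address is external, and a link whose visible text looks like a spreadsheet but whose target is an outside web page. The company domain example.com, the sample message and the .invalid hosts are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.com"  # assumed company mail domain (constructed for this example)
LURE_EXTENSIONS = (".xls", ".xlsx", ".doc", ".docx", ".pdf")

class LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage(raw, company_domain=COMPANY_DOMAIN):
    """Return the reasons a message matches the HR lure pattern (empty list if none)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    findings = []
    # Trait 1: display name carries the company brand while the real address is external.
    if company_domain.split(".")[0] in name.lower() and not sender_domain.endswith(company_domain):
        findings.append(f"display-name spoof: '{name}' sent from {sender_domain}")
    # Trait 2: link text looks like a spreadsheet/document but points at an external web page.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for href, text in collector.links:
            host = (urlparse(href).hostname or "").lower()
            if text.lower().endswith(LURE_EXTENSIONS) and not host.endswith(company_domain):
                findings.append(f"document-lookalike link '{text}' -> {host}")
    return findings

# Constructed sample modelled on the lure in the article; hosts use the reserved .invalid TLD.
SAMPLE = """\
From: "Example Corp Human Resources" <hr-payroll@mail-notify.invalid>
Subject: Wage increase November 2019
Content-Type: text/html; charset="utf-8"

<p>Open <a href="https://login-lookalike.invalid/auth">salary-increase-sheet-November-2019.xls</a></p>
"""
```

Running `triage(SAMPLE)` returns both findings; a message from a genuine company address linking to a company host returns an empty list.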

Finally, stay informed about current threats to your business. Contact your managed IT services company to learn more.