Inside Phishing Scams Targeting HR Professionals

by Zachary Amos, Features Editor at ReHack.com

HR departments are a hub of sensitive information, from employee records and applicant resumes to payroll receipts. Scammers might impersonate an employee requesting an update to their direct deposit information or an executive sending a document for review.

Private information falling into the wrong hands can have many consequences, so HR departments and company management must stay vigilant against phishing scams.

Why HR Departments Are Valuable Targets

HR teams have access to confidential employee data, making them a prime target for cyberattacks. They receive a high volume of messages daily, so scammers take advantage by lacing seemingly authentic emails with malware and tricks.

Hackers target HR departments to gain access to financial information, including bank account numbers, salary details and pension information. They may pose as someone within the company — such as an employee or CEO — or an external sender from a bank or job application portal.

Top Tactics Used to Target HR Professionals

Phishing scams exploit human vulnerabilities to steal information. Scammers craft and send messages that contain malware or appear to be from a reputable source. For instance, familiar branding tricks 44% of people into believing a phishing email is safe.

Phishing attempts are not limited to email correspondence — smishing occurs over text messages and vishing occurs over voice calls. HR departments should consider their existing security posture against these common phishing tactics:

  • Spear phishing: These targeted messages are specific and urgent, using real company information and names.
  • Impersonation: Scammers pretend to be an executive or vendor so that the scam appears legitimate.
  • Fake employee requests: Scammers pose as employees to request passwords, payroll changes and Employment Detail Summaries.
  • Business email compromise: This occurs when a hacker impersonates an executive to trick the recipient into acting.
  • Malicious attachments: Malware can be disguised as an email attachment, such as a cover letter or invoice. When opened, it can lead to data breaches, financial theft or system damage.
  • Credential harvesting: When scammers obtain logins, they gain unauthorised access to HR portals to cause further harm.
  • Social engineering: These psychological phishing attempts urge users to act quickly and often prey on people’s desire to assist others.

Cybercriminals can use data they’ve successfully phished in many ways. They may steal money, open more accounts, sell the data to other criminals or commit fraud. For example, synthetic identity theft occurs when someone’s real Social Security number is paired with false information, like a different name, address and birth date. The fraudster may use this fake identity to apply for a loan or engage in more fraudulent activity.

How Phishing Scams Are Evolving

In a study by Darktrace, 38% of phishing emails used AI to generate more convincing messages. AI allows cybercriminals to create an abundance of phishing email templates and messages in a short amount of time. They can even generate phishing scams in a language that they don’t speak.

Another problem is the rise of deepfakes, in which someone uses AI to generate or manipulate images, videos or audio to deceive or humiliate. Deepfakes can be challenging to distinguish from reality, and the tools used to create them are becoming more widely accessible.

Some scammers target remote and hybrid workforces, exploiting employees who rely on digital communications. An employee’s technology and Wi-Fi at a remote workspace might not be as secure as those in an office space, leaving them vulnerable to cyberattacks.

Tips for Defending Against Phishing Attacks

Precautions against phishing scams are necessary to avoid data breaches, regulatory fines and a weakened reputation. Here are some ways an organisation and its HR department can proactively defend against phishing:

  • Learn to recognise fraudulent messages: Phishing emails often demand immediate action and may contain grammar, spelling or formatting errors. Check that the sender’s domain matches the domain of the organisation’s actual website, character for character.
  • Avoid suspicious links or files: These can contain disruptive malware, so scan files before opening or downloading them and request assistance before opening any suspicious files or links.
  • Be wary when giving out personal information: Avoid sharing sensitive information over email or text, especially when the data is not encrypted.
  • Double-check requests before taking action: If an employee receives a random request from a co-worker, they should connect with them on a separate channel to see if the request is legitimate.
  • Install anti-virus software: This software detects malware in real time. Before installation, make sure the software is reputable.
  • Use secure platforms: Store information on internal, encrypted servers and use multi-factor authentication for all logins to prevent unwanted access. Professionals can set up fraud alerts on computers and banking accounts for additional security monitoring.
  • Offer continuous training and simulations: Provide knowledge and examples of phishing, and offer a way for all departments to report anything that seems suspicious.
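The sender-domain check above can be automated on the mail gateway or in a triage script. The following is an added example, not code from the article or from ReHack.com: it parses the From and Reply-To headers of a message and flags external senders, one-character lookalikes of trusted domains, domains that embed a trusted name, mismatched Reply-To addresses, and protected display names (executives, payroll) arriving from outside. The trusted domains, protected names and sample headers are all constructed for the demonstration.

```python
"""Flag sender-domain mismatches in inbound HR mail (added example).

Assumptions, not taken from the article: the organisation's own domain and
its legitimate vendor domains are known in advance, and message headers are
available as plain strings. All domains, names and sample messages below
are constructed for illustration.
"""
from email.utils import parseaddr

# Constructed allowlist of domains HR legitimately receives mail from.
TRUSTED_DOMAINS = {"acme-hr.example", "payroll-vendor.example"}
# Constructed display names that impersonators commonly borrow.
PROTECTED_NAMES = {"jane doe", "acme payroll"}


def sender_domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, trusted):
    """True if domain is within one edit of, or embeds, a trusted domain but is not one."""
    if not domain or domain in trusted:
        return False
    for good in trusted:
        if edit_distance(domain, good) <= 1:
            return True
        label = good.split(".")[0]  # 'acme-hr' from 'acme-hr.example'
        if label in domain:  # e.g. acme-hr.example.evil or acme-hr-payroll.example
            return True
    return False


def check_sender(headers):
    """Return a list of findings for one message's headers; empty means nothing odd."""
    findings = []
    name, _ = parseaddr(headers.get("From", ""))
    from_dom = sender_domain(headers.get("From", ""))
    reply_dom = sender_domain(headers.get("Reply-To", ""))

    if from_dom not in TRUSTED_DOMAINS:
        findings.append(f"external sender domain: {from_dom or '<none>'}")
    if is_lookalike(from_dom, TRUSTED_DOMAINS):
        findings.append(f"lookalike of trusted domain: {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain differs from sender: {reply_dom}")
    if name.strip().lower() in PROTECTED_NAMES and from_dom not in TRUSTED_DOMAINS:
        findings.append(f"protected display name from outside the organisation: {name!r}")
    return findings


# Constructed sample headers; none of these are real messages.
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@acme-hr.example>"},
    {"From": "Jane Doe <ceo.jane.doe@webmail.example>"},
    {"From": "HR Portal <noreply@acme-hr.example.evil>",
     "Reply-To": "updates@other.example"},
    {"From": "Payroll <billing@payroll-vend0r.example>"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["From"])
        for finding in check_sender(msg) or ["  (no findings)"]:
            print("  -", finding)
```

A message with one or more findings is a candidate for the separate-channel verification described in the tips, not an automatic block: legitimate vendors change mail providers, and an overly strict allowlist trains people to ignore the warnings.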

How to Act Fast When Phished

No matter how big or small a company is, its HR department can still be targeted by phishing attempts and scams. Foster a culture of security and give employees clear action to take if they encounter a phishing attempt. Speed is critical.

Here are several steps an employee can take to combat a phishing attack:

  1. Disconnect from the internet to cut off connection with the scammer.
  2. Change passwords immediately for the hacked account and any accounts with similar passwords.
  3. Scan for malware with trusted antivirus software that can detect and remove it.
  4. Report the cyberattack to the Federal Trade Commission, the company’s IT department and the authority the attacker impersonated.

After an attack has been reported, the IT department must assess which accounts may have been exposed. Employees, customers or partners whose information has been breached will need to be notified.

Build a Resilient HR Security Culture

Phishing attempts are becoming harder to detect due to their increasing sophistication and use of AI-generated content. Scammers and fraudsters are known to use social engineering tactics or technical strategies to trick users into sharing confidential information that puts their company at risk.

As a prime target of phishing scams, HR teams must be aware of cybercriminals’ standard techniques, understand how to prevent them and have a clear course of action if phished.

About the author

Zachary Amos is the Features Editor at ReHack.com, where he focuses on a plethora of trending technology topics such as cybersecurity, artificial intelligence, HR tech, and health IT. Some of the publications that have featured his tech insights include VentureBeat, ReadWrite, ISAGCA, Unite.AI, and HR.com, as well as numerous others. Zachary also produces tech content for a variety of other publications, including Forbes, HIT Consultant, and TalentCulture.