Criminals using social engineering techniques have been able to initiate attacks against HR departments via carefully crafted emails. The criminals use marketing techniques to identify HR professionals within a company. Once the criminals have the HR professional’s name and email address, they craft an email that looks legitimate enough to slip through spam filters and cause the HR professional to click.
The two most common emails we have seen targeting HR professionals contain either a fake resume or a fake invoice for services provided. The links or attachments within the email cause malware to be installed on the HR professional’s computer when clicked or opened. The emails look and sound real, so an HR professional who isn’t careful can make the click that starts the attack. Normally these attacks install ransomware that encrypts every file the software can reach from the HR professional’s computer.
Another recent trend was targeting HR with false requests for W-2 copies. By spoofing an employee’s email, criminals request a copy of the unsuspecting employee’s W-2 from the HR department. If the HR professional makes a copy of the W-2 and responds to the request, the W-2 copy is sent to the criminal, along with the employee’s payroll information, including Social Security number. With the stolen information, the criminals can establish credit lines in the employee’s name. As the keepers of sensitive employee information, HR professionals are prime targets for cyber-attacks.
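A spoofed W-2 request of the kind described above often leaves traces in the message headers. The following is an added example, not part of the original article: a small Python triage check run over constructed sample messages. The company domain `example.com`, the sample addresses, and the function names are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
W2_TERMS = ("w-2", "w2", "wage and tax statement")

# Constructed sample: From shows the employee, but replies go elsewhere.
SPOOFED = """From: "Jane Doe" <jane.doe@example.com>
Reply-To: jane.doe.hr@mail.example.net
To: hr@example.com
Subject: Need a copy of my W-2
Authentication-Results: mx.example.com; spf=fail; dmarc=fail header.from=example.com

Hi, can you email me a PDF of my W-2 today? Thanks, Jane
"""
# Constructed sample: same request, sent from the real mailbox.
LEGIT = """From: "Jane Doe" <jane.doe@example.com>
To: hr@example.com
Subject: Need a copy of my W-2
Authentication-Results: mx.example.com; spf=pass; dmarc=pass header.from=example.com

Hi, can you email me a PDF of my W-2 today? Thanks, Jane
"""

def domain_of(header_value):
    """Return the lowercased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def triage_w2_request(raw_message):
    """Return reasons a W-2 request should be verified before anyone replies."""
    msg = message_from_string(raw_message)
    body = " ".join(str(p.get_payload()) for p in msg.walk()
                    if p.get_content_type() == "text/plain")
    text = (msg.get("Subject", "") + " " + body).lower()
    reasons = []
    if not any(term in text for term in W2_TERMS):
        return reasons  # not a W-2 request, so out of scope for this check
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    if from_dom != COMPANY_DOMAIN:
        reasons.append("sender address is outside the company domain")
    if reply_dom and reply_dom != from_dom:
        reasons.append("Reply-To points to a different domain than From")
    # Assumes this header was added by the organisation's own mail server.
    auth = " ".join(msg.get_all("Authentication-Results") or []).lower()
    if "dmarc=pass" not in auth:
        reasons.append("no DMARC pass recorded by the receiving mail server")
    return reasons
```

An empty result only means none of these header checks fired; a request sent from a compromised mailbox would pass them, so confirming with the employee through a separate channel still applies.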
Here are some tips on how to prevent these types of attacks:
- Use a third-party spam filter to catch suspicious emails before they reach the HR professional
- Use a third-party spam filter that checks every link in an email
- Use a DNS service that screens web sites before allowing connections
- Keep anti-virus and malware software updated
- Invest in periodic staff training on cybercrime
- Review file permissions so the HR professionals can only access what they need, which will prevent ransomware from encrypting every file during an attack
The last and most important line of defense against these attacks is a trained and suspicious HR professional who deletes any email that has even the slightest chance of being malicious.