Criminals using social engineering techniques have been able to initiate attacks against HR departments via carefully crafted emails. The criminals use marketing techniques to identify HR professionals within a company. Once the criminals have the HR professional’s name and email address, they craft an email that looks legitimate enough to slip through spam filters and cause the HR professional to click.
The two most common emails we have seen targeting HR professionals contain either a fake resume or a fake invoice for services provided. The links or attachments within the email cause malware to be installed on the HR professional’s computer when clicked or opened. The emails look and sound real, so if the HR professional isn’t careful, they can make the click that starts the attack. Normally these attacks install ransomware that encrypts all of the files the software can reach from the HR professional’s computer.
Another recent trend was targeting HR with false requests for W-2 copies. By spoofing an employee’s email, criminals request a copy of the unsuspecting employee’s W-2 from the HR department. If the HR professional makes a copy of the W-2 and responds to the request, the W-2 copy is sent to the criminal, along with the employee’s payroll information, including Social Security number. With the stolen information, the criminals can establish credit lines in the employee’s name. As the keepers of sensitive employee information, HR professionals are prime targets for cyber-attacks.
Here are some tips on how to prevent these types of attacks:
The last and most important line of defense against these attacks is a trained and suspicious HR professional who deletes any email that has even the slightest chance of being malicious.