Don’t Get Caught by the Human Resources Self-Review Phishing Scam


When people receive an email that looks like it’s from a trusted source, like their employer’s Human Resources department, they’re likely to act on it – and hackers know it. A recent KnowBe4 study revealed that 50 percent of phishing messages were HR-related. The latest threat, warns cybersecurity company Kaspersky, is a recent increase in phishing emails purporting to be self-evaluation forms from HR.


Who the scam targets

This particular phishing scheme targets corporate employees. Because the email is supposedly from an HR department, a recipient wouldn’t question seeing it in their work email.

How the scam works

This scam preys on employees who receive a large volume of email from internal departments at work. You receive a message that appears to come from Human Resources asking you to complete a survey. The message gives you until the end of the day, making it more likely that you will feel rushed and, therefore, lower your guard.

If you receive this HR phishing email and don’t recognize it as a phishing scam, the link brings you to an online form. There, you may answer questions about your performance as part of a self-evaluation. At the end of the form, you’re asked to provide your email address and then enter and re-enter your password – the actual information the scammer wants to obtain.

[Image: sample of a form that requests account information at the end of an employee self-evaluation form.]

How to spot the scam

Like any scam, the HR Self-Review scam has telltale signs. Look for pressuring, urgent language, such as “COMPULSORY for EVERYONE” and “End Of Day,” and for irregular capitalization. Be suspicious of any dramatic claim that a response is time-sensitive.

[Image: sample email entitled “ATTENTION EMPLOYEES: EMPLOYEE SELF-ASSESSMENT PROCEDURE - ACTION REQUIRED.” The words Compulsory, Everyone and End Of Day appear in capital letters.]

If you have any suspicions, check that the sender’s actual email address (not just the display name) uses your company’s domain. If it doesn’t, the message isn’t internal and may be a scam. Bear in mind that the address itself can be spoofed, so a matching domain alone is not proof that the message is genuine.

If you have clicked the link and are viewing the form, you might notice that the word “password” is written with two asterisks (“pass**rd”). This tactic can help scammers to evade phishing filters your company might have in place. It is another reason to hesitate and check with HR before entering your personal information.
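The indicators above (an external sender domain behind an HR display name, urgency phrases, shouting capitalization, and the “pass**rd” spelling that dodges keyword filters) can be turned into a simple mail-filter heuristic. The following is an added example written for this page; it is not code from Techlicious or from Kaspersky’s report. The company domain `example-corp.com`, both sample messages, the phrase list and the threshold of two indicators are all constructed assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organization's own mail domain (constructed for this example).
INTERNAL_DOMAIN = "example-corp.com"

# Constructed sample messages modelled on the indicators the article describes.
SUSPECT_EMAIL = """\
From: "Human Resources" <hr-team@examp1e-corp-forms.net>
To: employee@example-corp.com
Subject: ATTENTION EMPLOYEES: EMPLOYEE SELF-ASSESSMENT PROCEDURE - ACTION REQUIRED

This self-assessment is COMPULSORY for EVERYONE and must be done by End Of Day.
Open the form, then confirm your email and pass**rd to submit your answers.
"""

BENIGN_EMAIL = """\
From: "HR Team" <hr@example-corp.com>
To: employee@example-corp.com
Subject: Reminder: annual review schedule

Hi all, the annual review cycle opens next month. No action is needed today.
"""

# Pressure phrases, matched case-insensitively (constructed list).
URGENCY_PHRASES = ("compulsory", "end of day", "action required", "immediately")
# "password" with punctuation substituted for letters, e.g. "pass**rd" or "passw*rd".
OBFUSCATED_PASSWORD = re.compile(r"\bpassw?[^\w\s]{1,4}r?d\b", re.IGNORECASE)
# Whole words of four or more letters written entirely in capitals.
SHOUTING_WORD = re.compile(r"\b[A-Z]{4,}\b")


def sender_is_internal(from_header: str, internal_domain: str) -> bool:
    """Compare the real address (not the display name) against the company domain."""
    _display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    return domain == internal_domain or domain.endswith("." + internal_domain)


def score_message(raw: str, internal_domain: str = INTERNAL_DOMAIN) -> dict:
    """Return the indicators found in one RFC 822 message and a simple count score."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    body = msg.get_payload()  # plain-text, single-part body for these samples
    text = f"{subject}\n{body}"
    lowered = text.lower()
    indicators = []

    if not sender_is_internal(msg.get("From", ""), internal_domain):
        indicators.append("sender domain is not the company domain")
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        indicators.append("urgency language: " + ", ".join(hits))
    if len(SHOUTING_WORD.findall(text)) >= 3:
        indicators.append("irregular capitalization (many all-caps words)")
    if OBFUSCATED_PASSWORD.search(text):
        indicators.append("obfuscated 'password' (filter-evasion spelling)")
    elif "password" in lowered:
        indicators.append("asks for a password")

    return {"indicators": indicators, "score": len(indicators)}


def is_suspicious(raw: str, internal_domain: str = INTERNAL_DOMAIN, threshold: int = 2) -> bool:
    """Flag a message only when at least `threshold` independent indicators co-occur."""
    return score_message(raw, internal_domain)["score"] >= threshold


if __name__ == "__main__":
    for name, sample in (("suspect", SUSPECT_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, score_message(sample))
```

Two design points matter here. A threshold of two indicators is used because any one of them (a capitalized subject, a genuine reminder from an external HR vendor) turns up in legitimate mail, while the scam described above trips several at once. And the sender check only inspects the visible `From:` address, so a message whose header exactly copies the company domain passes it; catching that kind of spoofing is the job of the receiving mail server’s SPF, DKIM and DMARC authentication results, which is what the advice to make sure the address “is not spoofed” ultimately depends on.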

What is at risk if you fall victim to the scam

The HR self-evaluation phishing scam aims to capture your username and password. Once a scammer can access your email, they can impersonate you to ask other employees for sensitive information and send malicious links and files to install malware. And because those messages then come from a genuine internal address, they may bypass your company’s usual security screening.

Learn more about other popular phishing ploys: the Is this You Facebook video scam, the Facebook Marketplace scam, the Geek Squad subscription scam, and the Fake Recruiter scam.

[Image credit: Screenshots via Kaspersky, phishing scam concept via BigStockPhoto]

Julia Liebell-McLean is a freelance writer and editor interested in all things tech, especially tech start-ups. She worked for the Georgetown University Writing Center and, for the last three years, has served as the primary content writer and editor for Nurture SPRT, a sports tech start-up.
