When people receive an email that looks like it’s from a trusted source, like their employer’s Human Resources department, they’re likely to act on it – and hackers know it. A recent KnowBe4 study revealed that 50 percent of phishing messages were HR-related. The latest threat, warns cybersecurity company Kaspersky, is a recent increase in phishing emails purporting to be self-evaluation forms from HR.
Who the scam targets
This particular phishing scheme targets corporate employees. Because the email is supposedly from an HR department, a recipient wouldn’t question seeing it in their work email.
How the scam works
This scam preys on employees who receive a large volume of email from internal departments at work. You will receive a message from Human Resources asking you to complete a survey. The scam gives you until the end of the day, making it more likely that you will feel rushed and, therefore, lower your guard.
If you receive this HR phishing email and don’t recognize it as a phishing scam, the link brings you to an online form. There, you may answer questions about your performance as part of a self-evaluation. At the end of the form, you’re asked to provide your email address and then enter and re-enter your password – the actual information the scammer wants to obtain.
How to spot the scam
Like any scam, this one has telltale signs that will help you spot the HR Self-Review scam. Look for inflammatory language, such as “COMPULSORY for EVERYONE” and “End Of Day,” and the use of irregular capitalization. Also, you should be suspicious when you see dramatic claims that a response is time-sensitive.
If you have any suspicions, check that the sender’s email address uses your company’s domain. If it doesn’t match, the message isn’t internal and may be a scam. Also, ensure the email address is not spoofed.
If you have clicked the link and are viewing the form, you might notice that the word “password” is written with two asterisks (“pass**rd”). This tactic can help scammers to evade phishing filters your company might have in place. It is another reason to hesitate and check with HR before entering your personal information.
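The indicators listed above (a sender domain that is not the company’s, a display name claiming to be HR, urgency wording, shouting capitals, and the masked “pass**rd” prompt) can be turned into a simple triage check that a mail team could run over reported messages. The following is an added example written for this article, not code from Kaspersky or KnowBe4; the company domain, the urgency phrase list and the two sample messages are constructed assumptions, and the masked-password regex generalizes the article’s single “pass**rd” case to any letter replaced by an asterisk.

```python
import re
from email.utils import parseaddr

# Assumption: the organisation's real mail domain (placeholder, not from the article).
COMPANY_DOMAIN = "example.com"

# Urgency wording the article calls out, plus a few common variants (assumption).
URGENCY_PHRASES = ("end of day", "compulsory", "mandatory", "immediately", "within 24 hours")

# "password" with one or more letters masked by "*" (the article's "pass**rd"),
# generalised so that any masked position is caught. Plain "password" also matches,
# so callers check for the "*" before flagging.
MASKED_PASSWORD_RE = re.compile(r"\bp[a*]s[s*][w*][o*][r*][d*]\b", re.IGNORECASE)

# Whole words in capitals, three letters or longer ("COMPULSORY", "EVERYONE").
SHOUTING_RE = re.compile(r"\b[A-Z]{3,}\b")

# Display names that present the sender as the HR department.
HR_NAME_RE = re.compile(r"\bhr\b|human resources", re.IGNORECASE)


def sender_domain(from_header: str) -> str:
    """Return the domain of the real address in a From: header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def display_name_claims_hr(from_header: str) -> bool:
    """True when the display name says HR / Human Resources."""
    name, _ = parseaddr(from_header)
    return bool(name) and HR_NAME_RE.search(name) is not None


def analyse(message: dict) -> dict:
    """Score one message (keys: from, subject, body, form_text) and list the reasons.

    Two or more independent indicators mark the message as suspicious.
    """
    reasons = []
    text = f"{message.get('subject', '')}\n{message.get('body', '')}"
    lower = text.lower()

    # 1. Sender address must belong to the company; a display name saying "HR"
    #    on an external address is the classic spoofing pattern.
    from_header = message.get("from", "")
    domain = sender_domain(from_header)
    if domain != COMPANY_DOMAIN:
        reasons.append(f"sender domain '{domain or '?'}' is not {COMPANY_DOMAIN}")
        if display_name_claims_hr(from_header):
            reasons.append("display name claims to be HR but the address is external")

    # 2. Time pressure wording.
    hits = [p for p in URGENCY_PHRASES if p in lower]
    if hits:
        reasons.append("urgency wording: " + ", ".join(hits))

    # 3. Irregular capitalisation: several shouted words in subject or body.
    shouting = SHOUTING_RE.findall(text)
    if len(shouting) >= 2:
        reasons.append("irregular capitalisation: " + " ".join(shouting[:4]))

    # 4. Masked "password" label on the linked form, used to slip past keyword filters.
    for match in MASKED_PASSWORD_RE.findall(message.get("form_text", "")):
        if "*" in match:
            reasons.append(f"masked password prompt '{match}' on the linked form")
            break

    return {"suspicious": len(reasons) >= 2, "reasons": reasons}


# Constructed sample messages (not real mail).
PHISH = {
    "from": "Human Resources <hr-selfreview@example-forms.net>",
    "subject": "COMPULSORY for EVERYONE: Self-Evaluation due End Of Day",
    "body": "Complete your HR self-evaluation form by end of day today. This is compulsory for all staff.",
    "form_text": "Please confirm your email address and enter your pass**rd twice.",
}

LEGIT = {
    "from": "Jane Doe <jane.doe@example.com>",
    "subject": "Quarterly review schedule",
    "body": "Hi all, the review calendar is attached. Let me know if you have questions.",
    "form_text": "",
}

if __name__ == "__main__":
    for label, msg in (("phish", PHISH), ("legit", LEGIT)):
        result = analyse(msg)
        print(label, "suspicious" if result["suspicious"] else "clean")
        for reason in result["reasons"]:
            print("  -", reason)
```

The check is deliberately additive: no single indicator is conclusive (a real HR reminder can be urgent, and an external survey vendor can be legitimate), so a message is only flagged when several of the article’s signs line up, and the reasons list is what an analyst or the recipient would read before deciding to call HR.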
What is at risk if you fall victim to the scam
The HR self-evaluation phishing scam looks to acquire your username and password. Once a scammer can access your email, they can impersonate you to ask other employees for sensitive information and send malicious links and files to install malware. And since the email comes from your internal email address, it may bypass your company’s usual security screening process.
[Image credit: Screenshots via Kaspersky, phishing scam concept via BigStockPhoto]