Cybercriminals are exploiting employees’ desire for job satisfaction and organizations’ promise of benefits with a flurry of phishing scams.
Pay raises, promotions, holiday bonuses and other ‘life-impacting’ updates are attractive phishing lures, email security provider Cofense warned in a January 10 blog post.
A typical approach is to embed links to commodity software used by numerous companies for human resources (HR) purposes.
Cofense gave an example of a phishing email referencing salary increases, dividends and benefits updates.
The campaign uses a QR code to lead employees to enter their email login credentials into a phishing site on their smartphones.
The emails also include a SharePoint logo. SharePoint is a common Microsoft web-based platform that functions as a multi-purpose tool for organizations, allowing them, for instance, to share and store documents on an intranet location.
Organizations Need a Consistent HR Schedule
Other effective lures include employee assessments and satisfaction surveys, which employees usually feel pressure to complete in a timely manner, as well as retirement benefits like 401k in the US and open enrolment notifications.
“Employees often anticipate or even look forward to receiving annual updates like the ones covered in this report. […] These tasks generate emotions for employees whether they are considered extra work, an exciting change in finances or benefits, or even a task to be completed urgently. This added emotion can cloud even the most well-trained employee’s judgment when it comes to phishing emails,” reads the post.
That’s why Cofense recommended that organizations have a clear, consistent schedule so employees know when to expect these notifications.
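As an added illustration of how a mail gateway might flag the lures described above (HR and benefits themes, a QR code carried in an image instead of a link, SharePoint branding), the following triage heuristic is example code written for this page, not Cofense’s detection logic. The sample messages, the internal domain list and the score weights are all constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed inbound-mail summaries (not real messages): the fields a
# gateway would expose to a triage rule after parsing headers and MIME parts.
SAMPLE_MAIL: List[Dict] = [
    {"subject": "Salary Increase and Benefits Update - Action Required",
     "sender_domain": "hr-notices.example", "text_chars": 40,
     "image_attachments": 1, "links": [], "mentions_sharepoint": True},
    {"subject": "Q3 engineering sync notes", "sender_domain": "corp.example",
     "text_chars": 900, "image_attachments": 0,
     "links": ["https://wiki.corp.example/q3"], "mentions_sharepoint": False},
    {"subject": "2024 Open Enrollment - complete your survey today",
     "sender_domain": "corp.example", "text_chars": 600,
     "image_attachments": 0, "links": ["https://benefits.corp.example/enroll"],
     "mentions_sharepoint": False},
]

INTERNAL_DOMAINS = {"corp.example"}  # assumed: the organization's own mail domains

# HR / benefits themes the article names as effective lures.
LURE_TERMS = re.compile(
    r"\b(salary|pay raise|promotion|bonus|dividends?|benefits?|401k|"
    r"open enrol+ment|assessment|survey|retirement)\b", re.I)

def score_hr_lure(mail: Dict) -> Tuple[int, List[str]]:
    """Return (score, reasons); a higher score means more HR-phish traits."""
    score, reasons = 0, []
    if LURE_TERMS.search(mail["subject"]):
        score += 2; reasons.append("HR/benefits lure theme in subject")
    if mail["sender_domain"] not in INTERNAL_DOMAINS:
        score += 2; reasons.append("HR notice sent from an external domain")
    # A QR-code lure carries its URL inside an image: almost no body text,
    # no clickable links, but an image the reader is told to scan by phone.
    if mail["image_attachments"] and not mail["links"] and mail["text_chars"] < 200:
        score += 3; reasons.append("image-only body with no links (QR lure pattern)")
    if mail["mentions_sharepoint"] and not any("sharepoint" in u for u in mail["links"]):
        score += 1; reasons.append("SharePoint branding without a SharePoint link")
    return score, reasons

def triage(mails: List[Dict], threshold: int = 5) -> List[str]:
    """Return the subjects of messages scoring at or above the alert threshold."""
    return [m["subject"] for m in mails if score_hr_lure(m)[0] >= threshold]

if __name__ == "__main__":
    for m in SAMPLE_MAIL:
        print(score_hr_lure(m), "|", m["subject"])
```

Only the first constructed message crosses the threshold; the legitimate open-enrollment notice scores on theme alone, which is exactly why a predictable HR schedule, rather than keyword matching, is what lets employees tell the two apart.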