Are you waiting for your salary increase? Cofense warns against human resources scams


Cybercriminals are exploiting employees’ desires for job satisfaction and organizations’ promises of benefits with a wave of phishing scams.

Salary increases, promotions, vacation bonuses and other “life-impacting” updates are enticing phishing lures, email security provider Cofense warned in a Jan. 10 blog post.

A typical approach is to embed links to core software used by many companies for human resources (HR) purposes.

Cofense gave an example of a phishing email referencing salary increases, dividends and benefits updates.

The campaign uses a QR code to trick employees into entering their email login credentials on a phishing site on their smartphone.

The emails also include the logo of SharePoint, a common Microsoft web platform that functions as a multi-purpose tool for organizations, allowing them, for example, to share and store documents on an intranet.

Organizations need a consistent HR calendar

Other effective lures include employee reviews and satisfaction surveys, which employees typically feel obligated to complete in a timely manner, as well as retirement benefits like the U.S. 401k and open enrollment notifications.

“Employees often anticipate, even look forward to, receiving annual updates like those covered in this report. (…) These tasks generate emotions among employees, whether it is additional work, an exciting change in finances or benefits, or a task that needs to be accomplished urgently. This added emotion can cloud the judgment of even the best trained employees when it comes to phishing emails,” the post reads.

That’s why Cofense recommends that organizations establish a clear and consistent schedule so employees know when to expect these notifications.

