The Fake HR Email Phishing Scam

Work from home may have become tiresome, but don’t let your guard down just yet

India is entering a new phase of the pandemic as it starts Unlock 1.0. However, companies are not yet comfortable calling their employees back to the office. It is both economical and safe for employees to be working from home. As long as there are no critical blockages forcing employees to stop work completely, organizations should be fine allowing their employees to continue working remotely. The allure of malls opening and other relaxations might cause you frustration, which is understandable. But here is our concern: these long-awaited changes in lockdown may take everyone’s eyes off the ball of security. Not to sound like a broken record, but through several of our previous blogs, we have already established that such unstable times are a prime time for cyber breaches. And sure enough, a case has emerged where hackers are attempting to exploit negligence through fake HR emails.

How are fake HR emails resulting in security breaches?

The scam’s aim is to steal employees’ business credentials. Security researchers discovered it around the beginning of April, when the WFH culture was just beginning to settle in. Having run its course, the scam may or may not have died down. However, as we mentioned, lax security policies as WFH becomes cumbersome may provide a fresh window of opportunity to hackers. So, it is worth studying this case even now.

The scammers provide WFH enrolment forms, which are spread through fake HR emails. Microsoft Sway, a productivity tool widely used by employees, fell prey to the scam. Sway is usually used for creating official documents or business presentations. Hackers used Sway to send out mass emails to targeted victims. The emails used legitimate-looking subject lines like ‘Employee Enrolment Required’ and were made to look like they came from the HR department. Around April, this seemed like a valid email, as WFH was just beginning. Employees, thinking that the HR department needed WFH data for bookkeeping, clicked on the enrolment links.

The link, as you must have guessed, takes you to a phishing site where everything you enter into the forms is harvested. The valid credentials you enter are now in the wrong hands. The credentials can then be sold or used by the hackers themselves for all sorts of malicious activities. We have explored the different dangers of identity theft and how someone can wreak total havoc with your credentials. This matter is serious, and by providing business credentials and not just personal credentials, you may be putting the entire organization at risk.
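The traits described above (an HR-themed sender or subject, a sender outside the organization, and a form hosted on a public sharing service) can be turned into a simple mail triage check. The following is an added example, not code from the original post or from any vendor; the organization domain `example.com`, the Sway host `sway.office.com`, the `triage` function and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"          # assumption: the organisation's own mail domain
SHARE_HOSTS = {"sway.office.com"}   # assumption: host that serves shared Sway pages
HR_WORDS = re.compile(r"\b(hr|human resources|enrol+ment)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def triage(raw):
    """Return the reasons a raw message resembles the fake HR enrolment lure."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    subject = str(msg.get("Subject", ""))
    reasons = []
    # Only messages that present themselves as HR business are of interest.
    if not (HR_WORDS.search(display) or HR_WORDS.search(subject)):
        return reasons
    if sender_domain != ORG_DOMAIN:
        reasons.append("HR-themed message sent from outside " + ORG_DOMAIN)
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)}
    for host in sorted(hosts & SHARE_HOSTS):
        reasons.append("HR form hosted on a public sharing service: " + host)
    return reasons

# Constructed sample messages (not taken from the real campaign).
LURE = (
    'From: "HR Department" <hr-team@mail-notify.example.net>\n'
    "To: staff@example.com\n"
    "Subject: Employee Enrolment Required\n"
    "\n"
    "Complete the WFH enrolment form: https://sway.office.com/CONSTRUCTED-ID\n"
)
BENIGN = (
    'From: "HR Department" <hr@example.com>\n'
    "To: staff@example.com\n"
    "Subject: Leave policy update\n"
    "\n"
    "The updated policy is on the intranet: https://intranet.example.com/hr/leave\n"
)

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, triage(raw))
```

A matching sender domain is only meaningful if the mail gateway already rejects spoofed internal senders through SPF, DKIM and DMARC checks; this sketch does not verify those.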

Safeguarding yourself

Whether it is fake HR emails or some other type of ruse, phishing is always going to be a relevant threat. Our patience wears thin, and we cannot constantly be on the lookout for tell-tale signs. In the heat of work, it is very likely that you will click on some links and emails that appear harmless on the surface. As we said before, employees already feel disgruntled about having to work from home.

At these times, we want you to be able to focus solely on the work. Maintaining security should not become a second full-time job. That is why we provide security services that take care of cyber threats before they become a headache for you. With our Email Advanced Threat Protection, you get all-round email security. Our email security looks after phishing attacks, spoofed emails, and all forms of business email compromise (BEC) attacks.

Make a wise choice now, and reap the benefits continually!