HR payroll phishing scam

There's been a recent uptick in an HR payroll phishing scam. In it, email attacks impersonating employees ask for changes to their paycheck deposit information. The attacks usually target HR departments, or whoever is responsible for handling employee salaries. The scam aims to redirect payments to the scammer's account. Here’s one example:

The attack works almost like a spear phishing attack, with the email targeting a specific person. Notice how the email greeting uses the recipient’s first name, making the message feel more personal and legitimate.

The attacker impersonates a co-worker who, after noticing suspicious activity in their account, asks the payroll rep to change their bank deposit details. The attacker uses the name of the impersonated co-worker in the email ‘From’ field:

A quick glance might make the payroll professional assume that the email was actually sent from a colleague. However, lazy scammers often use popular webmail services like Gmail, Outlook or Yahoo. Remember that any time an email with a “gmail.com” or similar address lands in official work communications, red flags should be raised; those addresses are typically for personal emails, not professional.

Sometimes, employees do send work emails through their personal accounts. This practice boosts even bad scams' chances if it's considered standard operating procedure. For instance, if dashing out quick FYI messages from a personal email address outside working hours were a normal occurrence at this company, it would make them more susceptible to an otherwise obvious scam email from a gmail.com address.

‍

What to do if you receive an HR payroll phishing scam email like this from a co-worker

• Check the sender address:
• Is it coming from a company email?
• Is it coming from a personal email? Personal = Red flag in a professional communications environment.
• Is the name on the email address the same as the one written in the “from” field? Attackers often change the name in the from field but the email address shows a different name,e.g. From: Jane Doe <john.smith@example.com> this is because the same email address is used in multiple attacks so the attacker can only change the name in the “from” field for each attack.
• Pay attention to language - does this person usually write like this?
• Call the person or ask them face to face if they made the request before changing any personal details
• Do not contact them via phone number or email address provided in the email!
• Check the person's phone number from the company’s official internal channel
• If you notice anything suspicious contact your IT department! It’s always better to be safe than sorry.

Explore more phishing examples

• Deliveroo feedback survey phishing email
• Right to left override attacks are relics no more
• Credential harvesting with fake popups
• Loan scam emails
• Secure message phish: Login to get scammed

Hoxhunt response

Our Threat Analysis Team examines tens of thousands of reported phishing emails, including ones like these, a week–and have captured tens of millions of threats to date. They cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly-evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.