There's been a recent uptick in an HR payroll phishing scam, in which emails impersonating employees ask for changes to their paycheck deposit information. The attacks usually target HR departments, or whoever is responsible for handling employee salaries, and aim to redirect the employee's pay to the scammer's account. Here's one example:
The attack works almost like a spear phishing attack, with the email targeting a specific person. Notice how the email greeting uses the recipient’s first name, making the message feel more personal and legitimate.
The attacker impersonates a co-worker who, after noticing suspicious activity in their account, asks the payroll rep to change their bank deposit details. The attacker uses the name of the impersonated co-worker in the email ‘From’ field:
A quick glance might make the payroll professional assume that the email was actually sent from a colleague. However, lazy scammers often use popular webmail services like Gmail, Outlook or Yahoo. Remember that any time an email from a "gmail.com" or similar address lands in official work communications, red flags should be raised; those addresses are typically for personal email, not professional use.
Sometimes, employees do send work emails through their personal accounts. Where that is accepted as standard operating procedure, even a crude scam's odds improve. For instance, if dashing out quick FYI messages from a personal address outside working hours were a normal occurrence at this company, its staff would be more susceptible to an otherwise obvious scam email from a gmail.com address.
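A small triage check for the pattern described above (a co-worker's name in the From field, but a free webmail address, plus language about changing deposit details), written as an added example and not code from this post or from Hoxhunt; the company domain, staff directory and sample message are constructed.

```python
import re
from email.utils import parseaddr

# Constructed sample data for the example (hypothetical company and staff).
CORPORATE_DOMAINS = {"example.com"}
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
PAYROLL_TERMS = ("direct deposit", "bank account", "payroll", "paycheck")


def normalise_name(name):
    """Lower-case, drop punctuation and sort the tokens so that
    'Doe, Jane', 'Jane  Doe' and 'jane doe' all compare equal."""
    return " ".join(sorted(re.sub(r"[^a-z ]", " ", name.lower()).split()))


# Normalised display name -> the employee's real work address.
DIRECTORY = {normalise_name(k): v for k, v in {
    "Jane Doe": "jane.doe@example.com",
    "Sam Lee": "sam.lee@example.com",
}.items()}


def analyse(from_header, subject, body):
    """Return the red flags raised by one message's From header and text."""
    display_name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    flags = []
    if domain and domain not in CORPORATE_DOMAINS:
        flags.append("external_sender")
    if domain in WEBMAIL_DOMAINS:
        flags.append("webmail_sender")
    known = DIRECTORY.get(normalise_name(display_name))
    if known and known != addr:  # a staff name on a non-staff mailbox
        flags.append("display_name_matches_employee")
    if any(t in (subject + " " + body).lower() for t in PAYROLL_TERMS):
        flags.append("payroll_change_language")
    return flags


def verdict(flags):
    """Hold for out-of-band verification when an employee's name arrives
    from an outside mailbox; review any external payroll-change request."""
    if "display_name_matches_employee" in flags and "external_sender" in flags:
        return "hold_and_verify_out_of_band"
    if "external_sender" in flags and "payroll_change_language" in flags:
        return "review"
    return "allow"


if __name__ == "__main__":
    # Constructed sample modelled on the scam described in the post.
    sample = ("Jane Doe <janedoe1987@gmail.com>", "Quick question",
              "Hi Sam, I noticed suspicious activity on my account. Can you "
              "update my direct deposit details before the next payroll run?")
    print(analyse(*sample), verdict(analyse(*sample)))
```

The "verify out of band" verdict means calling the employee on a known number or checking in person, not replying to the email.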
Our Threat Analysis Team examines tens of thousands of reported phishing emails a week, including ones like these, and has captured tens of millions of threats to date. They cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.