November 6, 2019

New Corporate Phishing Scam Mimics Employee Evaluations

by: Katie Sloane


A new phishing attack has emerged, and it involves mimicking performance reviews to steal employees’ usernames and passwords.

According to IBM, cybercriminals are posing as HR staff and emailing employees notifications about their performance appraisals. The email contains a link to a phishing site. After clicking the link, users see a simple login portal that looks unremarkable and are asked to enter their credentials, including their email address, username and password, in order to see the details of their evaluation.

In this scenario, the criminals are counting on unwary employees taking the bait and feeling compelled to complete the evaluation immediately. Those who fall for the hoax unwittingly hand their account credentials to the attackers, and the attack is complete.

Corporate-Focused Phishing Attacks

While performance appraisal scams aren’t unheard of, they are gaining momentum within the cybercrime space. Corporate-focused phishing is a popular way for attackers to gain access to businesses and sensitive data. Similar scams include spear-phishing that leverages:

  • Fraudulent invoices
  • Malicious links embedded in SharePoint files
  • HTML attachments imitating voicemail alerts

Tips for Defending Against Phishing Scams

To help safeguard sensitive business information and keep your login credentials out of the hands of a cybercriminal, we’ve assembled a list of some practical tips and security best practices:

  • Be extremely vigilant when prompted to enter account credentials or any sensitive information.
  • Approach emails with caution and conduct adequate due diligence when examining them.
  • Validate the sender’s name by cross-referencing it against your company directory.
  • Always verify the sender's email address, not just the name. Most people don’t look at the address if the display name seems familiar or legitimate, but crooks can set the display name to anything they like. For example, they could use the display name “Accounting” or “R&D” to fool recipients while the address behind it belongs to a domain the company does not own.
  • Hover over links to see where they really lead before clicking them. The visible text of a link and its actual destination can be completely different.
  • Check for spelling mistakes. Authentic messages from reputable businesses rarely contain spelling, syntax, or grammatical errors.
  • Financial institutions will never ask for sensitive information over email. Don’t fall for it.
  • Be suspicious of subject lines that convey urgency. Criminals expect people to panic when they receive an email headed “Account Locked” and, in that panic, to forget whatever security training they have had.
  • Abstain from downloading attachments you receive from unknown senders.
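Several of the tips above (check the address behind the display name, check where a link really goes, distrust urgent subject lines) can be turned into mechanical checks on a raw message. The script below is an added example written for this page, not code from the article or from IBM. It runs over two constructed sample messages: a lure modelled on the appraisal scam described above and a benign internal notice. The company domain `example.com`, the sample addresses and hostnames, and the list of urgency phrases are all assumptions.

```python
"""Flag the phishing tells from the tips list in a raw RFC 5322 message.
Added example for this page; the samples and domains below are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's own mail domains. Anything else is external.
TRUSTED_DOMAINS = {"example.com"}

# Assumed list of phrases that pressure the reader to act before thinking.
URGENCY_PHRASES = ("action required", "urgent", "immediately", "account locked", "within 24 hours")

# Visible link text that itself looks like a URL or a bare hostname.
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, tolerating link text written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def analyze_message(raw, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of 'tag: detail' findings; an empty list means no tell fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Tell 1: the display name says "HR" but the address behind it is external.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain not in trusted_domains:
        findings.append(f"untrusted-sender: {display!r} is really {addr}")

    # Tell 2: replies are routed somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"reply-to-mismatch: replies go to {reply_to}")

    # Tell 3: urgency in the subject line.
    subject = msg.get("Subject", "").lower()
    for phrase in URGENCY_PHRASES:
        if phrase in subject:
            findings.append(f"urgent-subject: {phrase!r}")

    # Tell 4: what the link shows is not where it goes (what hovering reveals).
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor = LinkExtractor()
        extractor.feed(body.get_content())
        for href, text in extractor.links:
            if URL_LIKE.fullmatch(text) and host_of(text) != host_of(href):
                findings.append(f"link-mismatch: shows {host_of(text)} but goes to {host_of(href)}")
    return findings


# Constructed sample modelled on the appraisal lure described in the article.
PHISH = """\
From: HR Department <hr.team@example-hr-portal.net>
Reply-To: collector@example-hr-portal.net
To: jane.doe@example.com
Subject: ACTION REQUIRED: Complete your performance appraisal today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your manager has submitted your evaluation. Sign in to view it:</p>
<p><a href="http://example-hr-portal.net/login">https://hr.example.com/appraisal</a></p>
</body></html>
"""

# Constructed benign counterpart: internal sender, link text and target agree.
LEGIT = """\
From: HR Department <hr@example.com>
To: jane.doe@example.com
Subject: Performance review cycle opens next week
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Reviews open on Monday. The portal is <a href="https://hr.example.com/appraisal">hr.example.com/appraisal</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(name, analyze_message(sample) or "no findings")
```

On the phishing sample all four tells fire; on the benign one none do. The link check only compares hosts when the visible text itself looks like a URL, because a link whose text reads “Click here” tells the reader nothing either way; that is exactly the case where hovering is the only defence.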

As demonstrated by historical phishing attacks, no one is immune to cyber scams. Leverage the power of employee security awareness training to educate your organization and help mitigate the risk of social engineering and cyber threats.
