A new phishing attack has emerged, and it involves mimicking performance reviews to steal employees’ usernames and passwords.
According to IBM, cybercriminals are posing as HR staff in emails and sending employees notifications about performance appraisals. Within the email is a link to a phishing site. After clicking the link, users see a simple login portal that looks innocuous. Employees are then asked to enter their credentials, including their email address, password and username, in order to view the details of their evaluation.
In this scenario, criminals are leaning on the hope that unwary employees will take the bait and feel compelled to complete the evaluations immediately. Those who fall victim to the hoax unwittingly expose personal account credentials to hackers, and the attack concludes.
Corporate-Focused Phishing Attacks
While performance appraisal scams aren’t unheard of, they are gaining momentum within the cybercrime space. Using corporate-focused phishing attacks to gain access to businesses and sensitive data is popular among attackers. Similar scams include spear-phishing that leverages:
- Fraudulent invoices
- Malicious links embedded in SharePoint files
- HTML attachments imitating voicemail alerts
Tips for Defending Against Phishing Scams
To help safeguard sensitive business information and keep your login credentials out of the hands of a cybercriminal, we’ve assembled a list of some practical tips and security best practices:
- Be extremely vigilant when prompted to enter account credentials or any sensitive information.
- Approach emails with caution and conduct adequate due diligence when examining them.
- Validate the sender’s name by cross-referencing it against your company directory.
- Always verify the sender's email address - most people don’t look at the email address if the display name seems familiar or legitimate. However, crooks can choose any display name they like. For example, firstname.lastname@example.org could use the display name “Accounting” or “R&D” to deceive recipients.
- Avoid clicking on links within emails without hovering over them first.
- Check for spelling mistakes. Authentic messages from reputable businesses rarely contain spelling, syntax, or grammatical errors.
- Financial institutions would never request sensitive information over email. Don’t fall for it.
- Be suspicious of subject lines that convey urgency. Remember that criminals are counting on people to panic upon receiving an email with the headline “Account Locked” and, in that panic, to forget whatever cybersecurity know-how they have.
- Abstain from downloading attachments you receive from unknown senders.
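To show how the display-name, urgency and hover checks in the tips above can be automated on the mail-gateway or triage side, here is an added example (not code from the original post or from IBM). The internal domain, the borrowed team names, the urgency words and the sample lure are all constructed assumptions for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions (not from the post): the organisation's own mail domain(s) and
# the team names a lure is likely to borrow as its display name.
INTERNAL_DOMAINS = {"example.org"}
ROLE_NAMES = {"hr", "human resources", "accounting", "r&d", "it support"}
URGENT_WORDS = ("urgent", "immediately", "account locked", "action required")
DOMAIN_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
# Enough for <a href="..."> anchors in mail bodies; not a full HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def _host(text):
    """Hostname of a URL-looking string; '' for ordinary link text."""
    text = re.sub(r"<[^>]+>", "", text).strip()  # drop tags nested in the anchor
    if not DOMAIN_LIKE.fullmatch(text):
        return ""
    return urlparse(text if "://" in text else "http://" + text).hostname or ""

def phishing_indicators(raw_message):
    """Return the suspicious traits of one RFC 5322 message as short strings."""
    msg, found = message_from_string(raw_message), []
    name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()
    # Display name borrows an internal team name but the address is external.
    if name.strip().lower() in ROLE_NAMES and sender_host not in INTERNAL_DOMAINS:
        found.append(f"display name '{name}' from external domain {sender_host}")
    if any(w in msg.get("Subject", "").lower() for w in URGENT_WORDS):
        found.append(f"urgency cue in subject: '{msg['Subject']}'")
    html = "".join(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
                   for p in msg.walk() if p.get_content_type() == "text/html")
    for href, text in ANCHOR.findall(html):
        shown, real = _host(text), _host(href)
        if shown and real and shown != real:  # the hover check: shown vs real target
            found.append(f"link text shows {shown} but points to {real}")
    return found

# Constructed sample lure, modelled on the appraisal scam described above.
SAMPLE = """\
From: HR <hr-notices@example-reviews.net>
Subject: Action required: your performance appraisal
Content-Type: text/html; charset="utf-8"

<p>Please complete your appraisal immediately:</p>
<a href="https://login.example-reviews.net/appraisal">https://hr.example.org/appraisal</a>
"""

if __name__ == "__main__":
    print(*phishing_indicators(SAMPLE), sep="\n")
```

A message from a genuine internal sender with plain link text produces no findings, so the function can sit in front of a quarantine or user-warning step.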
As demonstrated by historical phishing attacks, no one is immune to cyber scams. Leverage the power of employee security awareness training to educate your organization and help mitigate the risk of social engineering and cyber threats.
For more information, explore the following links:
- Align Cybersecurity Services
- Security Awareness Training
- Contact one of our cybersecurity experts today.