New Corporate Phishing Scam Mimics Employee Evaluations

by: Katie Sloane on Nov 06, 2019

A new phishing attack has emerged, and it involves mimicking performance reviews to steal employees’ usernames and passwords.

According to IBM, cybercriminals are posing as HR staff and emailing employees notifications about performance appraisals. Within the email is a link to a phishing site. After clicking the link, users see a simple login portal that looks unremarkable. Employees are then asked to enter their credentials, including their email address, username and password, in order to view the details of their evaluation.

In this scenario, criminals are leaning on the hope that unwary employees will take the bait and feel compelled to complete the evaluations immediately. Those who fall victim to the hoax unwittingly expose personal account credentials to hackers, and the attack concludes.

Corporate-Focused Phishing Attacks

While performance appraisal scams aren’t unheard of, they are gaining momentum within the cybercrime space. Using corporate-focused phishing attacks to gain access to businesses and sensitive data is popular among attackers. Similar scams include spear-phishing campaigns that leverage:

  • Fraudulent invoices
  • Malicious links embedded in SharePoint files
  • HTML attachments imitating voicemail alerts

Tips for Defending Against Phishing Scams

To help safeguard sensitive business information and keep your login credentials out of the hands of a cybercriminal, we’ve assembled a list of some practical tips and security best practices:

  • Be extremely vigilant when prompted to enter account credentials or any sensitive information.
  • Approach emails with caution and conduct adequate due diligence when examining them.
  • Validate the sender’s name by cross-referencing your company directory.
  • Always verify the sender's email address - most people don’t look into the email address if the name seems familiar or legitimate. However, crooks have the ability to select their display name. For example, jondoe@gmail1.com could use the display name “Accounting” or “R&D” to spoof recipients.
  • Avoid clicking on links within emails without hovering over them first.
  • Check for spelling mistakes. Authentic messages from reputable businesses rarely contain spelling, syntax, or grammatical errors.
  • Financial institutions would never request sensitive information over email. Don’t fall for it.
  • Be suspicious of subject lines that convey urgency. Remember that criminals expect people to panic upon receiving an email with the headline “Account Locked” and, in that panic, to forget whatever cybersecurity know-how they have.
  • Abstain from downloading attachments you receive from unknown senders.
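Two of the tips above, checking the real sender address behind a display name and looking at where a link actually points before clicking, can be turned into a small automated triage check. The following Python script is an added example written for this article, not code from the original post or from IBM; the trusted domain `example.com`, the role words, and the sample email fragments it inspects are all constructed for illustration.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's own mail domain (constructed for this example).
TRUSTED_DOMAINS = {"example.com"}

# Display-name words a spoofer would borrow to look like an internal department.
INTERNAL_ROLE_WORDS = {"hr", "accounting", "r&d", "payroll", "finance", "helpdesk"}


def _letters_only(domain):
    """Collapse a domain to its letters so 'example1.com' and 'example.com' compare equal."""
    return re.sub(r"[^a-z]", "", domain.lower())


def _is_trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)


def check_sender(from_header):
    """Compare the display name with the real address; return a list of findings."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    if _is_trusted(domain):
        return findings
    # Lookalike: same letters as a trusted domain, with digits or punctuation added.
    for trusted in TRUSTED_DOMAINS:
        if _letters_only(domain) == _letters_only(trusted):
            findings.append(f"sender domain {domain!r} is a lookalike of {trusted!r}")
    # External address hiding behind an internal-sounding display name.
    tokens = set(re.findall(r"[a-z&]+", name.lower()))
    if tokens & INTERNAL_ROLE_WORDS:
        findings.append(
            f"display name {name!r} suggests an internal sender but {addr!r} is external")
    return findings


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Emulate 'hover before you click': flag anchors whose visible URL differs from
    the real target, and targets outside the trusted domains."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = (urlparse(href).hostname or "").lower()
        shown_host = ""
        if "." in text and " " not in text:  # the visible text itself looks like a URL
            shown = urlparse(text if "://" in text else "http://" + text)
            shown_host = (shown.hostname or "").lower()
        if shown_host and shown_host != real_host:
            findings.append(f"link text shows {shown_host!r} but points to {real_host!r}")
        if real_host and not _is_trusted(real_host):
            findings.append(f"link target {real_host!r} is outside trusted domains")
    return findings


def triage(from_header, html):
    """Run both checks over one message and return every finding."""
    return check_sender(from_header) + check_links(html)


# Constructed sample message modelled on the appraisal lure described above.
SAMPLE_FROM = '"HR Department" <performance-review@example1.com>'
SAMPLE_HTML = ('<p>Complete your appraisal here: '
               '<a href="http://portal.example1.com/login">https://hr.example.com/reviews</a></p>')

if __name__ == "__main__":
    for finding in triage(SAMPLE_FROM, SAMPLE_HTML):
        print("FLAG:", finding)
```

Run against the constructed sample, the script raises four findings: the lookalike domain, the borrowed "HR" display name, the mismatch between the URL shown to the reader and the real target, and the untrusted link host. A mail from a genuine internal address linking to an internal portal produces none, which is the behaviour you want before wiring a check like this into a mail gateway or a reporting workflow.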


As demonstrated by historical phishing attacks, no one is immune to cyber scams. Leverage the power of employee security awareness training to educate your organization and help mitigate the risk of social engineering and cyber threats.
