‘Bonus payment’ phishing emails seek new ransomware victims | Hinshaw & Culbertson – Law Firm Cyber Alerts

How can employees mitigate the risk of falling for phishing scams allegedly sent by their company’s HR department?

The problem

Scammers often know what to say to pique an employee’s interest and get them to let their guard down. Recently, a phishing campaign has resurfaced in which bad actors send fake emails that appear to come from the employer’s HR department and detail important information about bonus payouts. Even more convincingly, these emails often come from legitimate-looking domains and URLs.

These phishing attempts usually contain a fake attachment which, when clicked, asks the user to enter their email and password in order to access their bonus information. This type of scam, called “credential phishing,” works by exploiting human trust and distraction: employees are more likely to act quickly and ignore spelling and grammatical errors when it’s about money.

Once they hold valid credentials, phishers can use them to expose the company to ransomware, remote access tools (RATs), keylogging malware, email capture malware, and screen capture (desktop screenshot) malware. Beyond the resulting damage to the business, hacked credentials can also be sold on the dark web, resulting in personal identity theft for the employee.

Risk Management Solutions

Follow these practical tips and share them with your employees to help them spot phishing scams:

  • Never click on an attachment from someone you don’t know, even if the attachment may seem harmless or tempting.
  • If you receive a link or attachment from someone you know that you didn’t expect to receive, call the sender before opening the link or attachment. Use your company’s directory or website to identify their phone number, not the number provided in the unexpected email.
  • Be sure to carefully inspect the email address or domain name of the sender of the email. Scammers often use domain names or email addresses that are virtually identical to the real ones, but with a typo or other nuanced modification.
  • Do not use the same email address and password combination for multiple accounts. This puts your entire online presence at risk if a single account is compromised.
  • If your company has one, be sure to look for the “external email” disclaimer on emails. Emails from your company’s human resources or other departments are internal and will not carry this warning.
  • Finally, if you accidentally click on a phishing attachment or log on to what appears to be a fake site, stop, close the document or web page, and call your IT department so that a virus scan can be run on your computer.
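The sender-domain inspection and the “external email” warning described in the tips above can also be enforced on the receiving side rather than left entirely to the employee. The Python script below is an added example and is not part of this alert or the firm’s own material; it assumes a single hypothetical company domain, examplecorp.com, and uses constructed sample sender addresses. It normalizes the sender’s domain (lowercase, accents stripped, common digit-for-letter swaps undone), flags lookalikes either by small edit distance to the real domain or by the company name appearing inside a different domain, and prefixes the subject line so that mail not sent from the genuine internal domain always carries the external warning.

```python
import unicodedata
from email.utils import parseaddr

# Hypothetical company domain used for this example (assumption, not from the alert).
COMPANY_DOMAINS = {"examplecorp.com"}

# Digits and symbols attackers commonly swap in for letters in a lookalike domain.
SINGLE_CHAR_SWAPS = str.maketrans("0135|", "olesl")
# Two-letter sequences that visually imitate one letter.
MULTI_CHAR_SWAPS = (("rn", "m"), ("vv", "w"))


def normalize_domain(domain: str) -> str:
    """Reduce a domain to a comparable form: lowercase, no accents, look-alike
    characters mapped back to the letters they imitate. (Cyrillic or other
    non-Latin homoglyphs are not mapped here; IDN checks would be needed for those.)"""
    d = unicodedata.normalize("NFKD", domain.strip().lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for multi, single in MULTI_CHAR_SWAPS:
        d = d.replace(multi, single)
    return d.translate(SINGLE_CHAR_SWAPS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_value: str) -> str:
    """Classify a From: header as 'internal', 'lookalike' or 'external'.

    The display name ("HR Department <...>") is ignored on purpose: only the
    address part decides, because the display name is trivially forgeable."""
    _display_name, address = parseaddr(header_value)
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in COMPANY_DOMAINS:
        return "internal"
    norm = normalize_domain(domain)
    for legit in COMPANY_DOMAINS:
        legit_norm = normalize_domain(legit)
        company_label = legit.split(".")[0]
        if (
            norm == legit_norm                       # e.g. examp1ecorp.com
            or edit_distance(norm, legit_norm) <= 2  # e.g. examplecorp.co
            or company_label in domain               # e.g. examplecorp-payroll.com
        ):
            return "lookalike"
    return "external"


def tag_subject(header_value: str, subject: str) -> str:
    """Prefix the subject of any mail that did not come from the real internal
    domain, so the 'external email' warning the employee is told to look for
    is always present on lookalikes as well as ordinary outside mail."""
    kind = classify_sender(header_value)
    if kind == "internal":
        return subject
    return f"[EXTERNAL - {kind.upper()}] {subject}"


if __name__ == "__main__":
    # Constructed sample From: headers, not taken from any real campaign.
    samples = [
        "HR Department <hr@examplecorp.com>",
        "HR Department <hr@examp1ecorp.com>",
        "HR Department <hr@exampIecorp.com>",
        "Payroll <bonus@examplecorp-payroll.com>",
        "HR <hr@examplecorp.co>",
        "Newsletter <news@vendor.example>",
    ]
    for sender in samples:
        print(f"{sender:45} -> {tag_subject(sender, 'Your bonus payment details')}")
```

In practice this logic belongs in the mail gateway or transport rules, where it complements rather than replaces DMARC/SPF/DKIM checks: those verify that mail claiming to be from examplecorp.com really came from it, while the lookalike check above catches the registered-but-different domains that pass such authentication on their own name.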

Scammers are getting smarter and more creative every day. But if you use your head and think before you click, you can foil them.
