Human Resources Spear Phishing Attacks
Over the past several days, Logically security experts noticed a new type of spear phishing attack, one that is specific to tax season. What may look like a legitimate email is actually a scheme to steal confidential information about your employees.
Unlike the common ‘wire money’ requests or other spear phishing vectors, this particular attack pretends to be sent from your management team to your Human Resources department, requesting sensitive employee information.
Here’s an example of the actual email request:
“I want you to send me the list of W-2 copy of employees wages and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”
This type of attack is usually perpetrated using publicly available information and is not an indication of a compromise. It relies on setting the “Reply-To” field to an external address controlled by the attacker, so that a reply to an apparently internal message leaves your organization. Beware of this and always double check where you are sending an email. Please advise your Human Resources department and financial staff to be vigilant.
While it is not possible to prevent this type of attack entirely, there are several administrative and technical controls you can put in place to reduce the risk of a compromise.
These controls include:
- Education and Training: Periodic security awareness training is by far the most effective measure you can put in place to reduce your company’s susceptibility to phishing and other types of cyber-attacks. Most compromises start with a click of a mouse, so be sure that your IT provider or staff take the time to educate your organization about security.
- Email Configuration Controls: You may be able to configure your email server to detect and mark or quarantine external emails that pretend to be from internal users. Discuss this security control with your IT provider or internal staff to see the possibility of implementation.
- Security Culture: Rigorous policies requiring in-person or phone confirmation before the release of funds or sensitive information will prevent phishing success. Create a culture of security at your organization and provide frequent training sessions to keep your employees knowledgeable of your company policies.
- IT Governance: Implementing policies and data loss prevention controls that forbid employees from sending sensitive information by email may help you stop data exfiltration. It is important that management enforce these policies and follow them themselves.
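The “Reply-To” trick described above and the email configuration control in the list can be illustrated with a small header check. The following Python script is an added example, not code from Logically or from any mail product; the organization domain `example.com`, the executive display names, the keyword list and the three sample messages are all constructed for the demonstration. It flags a message when its Reply-To domain differs from its From domain, when a known executive’s display name is paired with an external address, or when the body asks for W-2 or tax statement data.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import List

# Constructed values for the demo: the organization's own domain, display names
# of people whose identity a phisher would borrow, and phrases seen in W-2 scams.
INTERNAL_DOMAIN = "example.com"
KNOWN_INTERNAL_NAMES = {"jane ceo", "john cfo"}
SENSITIVE_TERMS = ("w-2", "w2", "wages and tax statement", "tax statement")


def domain_of(header_value: str) -> str:
    """Return the lower-cased domain of an address header ('' if absent)."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def analyze_message(raw: str) -> List[str]:
    """Return the reasons a message looks like a W-2 spear phishing attempt.

    An empty list means nothing suspicious was found. A mail gateway would use
    a result like this to tag or quarantine the message for HR review.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    findings: List[str] = []

    from_hdr = msg.get("From", "")
    reply_hdr = msg.get("Reply-To", "")
    from_name, from_addr = parseaddr(from_hdr)
    from_domain = domain_of(from_hdr)
    reply_domain = domain_of(reply_hdr)

    # 1. Reply-To steers replies to a different domain than the visible sender.
    if reply_hdr and reply_domain != from_domain:
        findings.append(
            f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}"
        )

    # 2. An executive's display name is used with an address outside the company.
    if from_name.strip().lower() in KNOWN_INTERNAL_NAMES and from_domain != INTERNAL_DOMAIN:
        findings.append(f"display name {from_name!r} used with external address {from_addr!r}")

    # 3. The body asks for payroll/tax records (supporting context, not proof by itself).
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(term in text for term in SENSITIVE_TERMS):
        findings.append("body requests W-2 / tax statement data")

    return findings


# Constructed sample 1: internal-looking From, external Reply-To, W-2 request.
PHISH_REPLY_TO = """From: Jane CEO <jane.ceo@example.com>
Reply-To: jane.ceo@mail-example.net
To: hr@example.com
Subject: W-2 request
Content-Type: text/plain; charset=utf-8

I want you to send me the list of W-2 copy of employees wages and tax
statement for 2015, I need them in PDF file type.
"""

# Constructed sample 2: executive display name on a free-mail style address.
PHISH_LOOKALIKE = """From: John CFO <john.cfo@freemail-example.org>
To: hr@example.com
Subject: urgent
Content-Type: text/plain; charset=utf-8

Kindly prepare the W2 list for all staff and email it to me asap.
"""

# Constructed sample 3: ordinary internal mail with no Reply-To and no tax request.
LEGIT = """From: Jane CEO <jane.ceo@example.com>
To: hr@example.com
Subject: Team meeting
Content-Type: text/plain; charset=utf-8

Can we move Thursday's meeting to 10am?
"""


if __name__ == "__main__":
    for label, sample in (("reply-to", PHISH_REPLY_TO),
                          ("lookalike", PHISH_LOOKALIKE),
                          ("legit", LEGIT)):
        print(label, "->", analyze_message(sample) or "no findings")
```

The first two checks are the ones a mail gateway rule would act on; the keyword check alone is too noisy to block on but is useful for raising the severity of a message that already trips a header check. In a real deployment the list of protected display names would come from the directory rather than a hard-coded set.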
As always, Logically security promotes user education and awareness training as the top security control for any organization. If you feel like your organization is not where it needs to be in order to protect sensitive information, contact our security experts for a conversation and training on how to stay safe.