When people receive an email that looks like it's from a trusted source, like their employer's Human Resources department, they're likely to act on it – and attackers know it. A recent KnowBe4 study found that 50 percent of phishing messages were HR-related. The latest variant, warns cybersecurity company Kaspersky, is a rise in phishing emails posing as self-evaluation forms from HR. The form asks for your username and password, and once an attacker can log in as you, they can reach internal systems and use your identity to pressure colleagues into tasks such as fraudulent wire transfers.
Who the scam targets
This particular phishing scheme targets corporate employees. Because the email is supposedly from an HR department, a recipient wouldn't question seeing it in their work email.
How the scam works
You receive a fake message from Human Resources asking you to complete a survey. The message sets a deadline of the end of the day so that you feel rushed and lower your guard.
If you receive this HR phishing email and don't recognize it as a phishing scam, the link brings you to an online form. There, you may answer questions about your performance as part of a self-evaluation. At the end of the form, you're asked to provide your email address and then enter and re-enter your password – the actual information the scammer wants to obtain. The site may also discreetly download malware to your computer.
How to spot the scam
Like any scam, there are telltale signs that will help you spot the HR Self-Review scam. Look for high-pressure language, such as "COMPULSORY for EVERYONE" and "End Of Day," and for irregular capitalization. Be suspicious of any message that demands a response within hours.
If you have any suspicions, look at the sender's actual email address, not just the display name, and check that its domain is your company's. If it isn't, the message did not come from inside the company. Even a matching address can be spoofed, so also hover over the link to see where it really leads before clicking, and confirm with HR through a channel you already use.
If you have clicked the link and are viewing the form, you might notice that the word "password" is written with two asterisks ("pass**rd"). Masking the word this way can help scammers evade keyword-based phishing filters your company might have in place. It is another reason to stop and check with HR before entering your credentials.
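The signs listed above can also be checked mechanically before a message reaches an inbox. The following Python script is an added example, not code from the article, KnowBe4 or Kaspersky: it runs the same checks (off-domain sender or Reply-To, pressure wording, words in capitals, links that lead away from the company domain, and a masked "pass**rd" prompt) over a raw e-mail. The company domain ORG_DOMAIN, the phrase list, the two-flag threshold and both sample messages are assumptions constructed for the demonstration.

```python
"""Heuristic screening of an inbound "HR self-evaluation" e-mail.

Added example, not the article's or any vendor's code. ORG_DOMAIN, the
phrase list and the two sample messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumed: the recipient's own mail domain

# Deadline and pressure phrases; extend to suit your environment.
PRESSURE_PHRASES = ("compulsory", "mandatory", "end of day", "eod",
                    "immediately", "within 24 hours", "by today", "final notice")
PRESSURE_RE = re.compile(
    r"\b(?:" + "|".join(re.escape(p) for p in PRESSURE_PHRASES) + r")\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
SHOUT_RE = re.compile(r"\b[A-Z]{4,}\b")  # whole words written in capitals
# "password" with punctuation allowed between letters and "w"/"o" optional,
# so masked spellings such as pass**rd or pass*ord match. A plain "password"
# matches too and is discarded in analyze().
MASKED_PW_RE = re.compile(
    r"\bp[\W_]*a[\W_]*s[\W_]*s[\W_]*(?:w[\W_]*)?(?:o[\W_]*)?r[\W_]*d\b", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_org(host: str) -> bool:
    host = host.lower()
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)


def _body_text(msg) -> str:
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(
        p.get_payload(decode=True).decode(errors="replace")
        for p in parts if p.get_content_type() in ("text/plain", "text/html"))


def analyze(raw: str) -> list[str]:
    """Return the red flags found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    flags: list[str] = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    if not _is_org(from_dom):  # display name may say HR; the address decides
        flags.append(f"sender domain {from_dom or '?'} is not {ORG_DOMAIN}")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        flags.append(f"Reply-To domain {_domain(reply_addr)} differs from sender")

    body = _body_text(msg)
    text = msg.get("Subject", "") + "\n" + body

    hits = sorted({h.lower() for h in PRESSURE_RE.findall(text)})
    if hits:
        flags.append("pressure wording: " + ", ".join(hits))

    shouts = SHOUT_RE.findall(text)
    if len(shouts) >= 2:
        flags.append("irregular capitalization: " + " ".join(sorted(set(shouts))))

    for url in URL_RE.findall(body):  # where the link really leads
        host = urlparse(url).hostname or ""
        if not _is_org(host):
            flags.append(f"link leads off-domain: {host}")

    for word in MASKED_PW_RE.findall(text):
        if word.lower() != "password":
            flags.append(f"masked password prompt: {word!r}")
    return flags


def is_suspicious(raw: str, threshold: int = 2) -> bool:
    """Two or more independent red flags is enough to hold the message."""
    return len(analyze(raw)) >= threshold


# Constructed sample resembling the lure described in the article.
PHISH = """\
From: Human Resources <hr-team@hr-surveys-portal.net>
Reply-To: hr-team@mail-replies.net
To: alice@example.com
Subject: Self-Evaluation Form - COMPULSORY for EVERYONE - End Of Day
Content-Type: text/plain

Dear employee,

Complete your annual self-evaluation before End Of Day today.
This is COMPULSORY for EVERYONE.

Open the form: https://hr-surveys-portal.net/selfreview
Enter your email address and pass**rd to submit.
"""

# Constructed sample of an ordinary internal reminder, for comparison.
LEGIT = """\
From: HR Department <hr@example.com>
To: alice@example.com
Subject: Reminder: performance review window opens next week
Content-Type: text/plain

Hi Alice,

The review window opens Monday. The form lives on the intranet:
https://intranet.example.com/reviews
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, "suspicious" if is_suspicious(raw) else "clean", analyze(raw))
```

Run as a script it prints six flags for the constructed lure and none for the reminder. The checks are deliberately independent: a spoofed From address defeats the domain check on its own, but it does not remove the off-domain link, the deadline wording or the masked prompt, which is why the verdict rests on the count of flags rather than on any single one.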
What is at risk if you fall victim to the scam
The HR self-evaluation phishing scam is after your username and password. Once a scammer can log in as you, they can impersonate you to ask other employees for sensitive information, access internal systems, and send malicious links and attachments that install malware. And because those follow-on emails come from your genuine internal address, they may bypass the security screening your company applies to outside mail.
Learn more about other popular phishing ploys: the Is this You Facebook video scam, the Facebook Marketplace scam, the Geek Squad subscription scam, and the Fake Recruiter scam.
[Image credit: Screenshots via Kaspersky, phishing scam concept via BigStockPhoto]
Julia Liebell-McLean is a freelance writer and editor interested in all things tech, especially tech start-ups. She worked for the Georgetown University Writing Center and, for the last three years, has served as the primary content writer and editor for Nurture SPRT, a sports tech start-up.